int global_init(void) { if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL)) return 0; return 1; }
SSL_SESSION *SSL_SESSION_new(void) { SSL_SESSION *ss; if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; ss = OPENSSL_zalloc(sizeof(*ss)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); return NULL; } ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; ss->timeout = 60 * 5 + 4; /* 5 minute timeout by default */ ss->time = (unsigned long)time(NULL); ss->lock = CRYPTO_THREAD_lock_new(); if (ss->lock == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); OPENSSL_free(ss); return NULL; } if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data)) { CRYPTO_THREAD_lock_free(ss->lock); OPENSSL_free(ss); return NULL; } return ss; }
CSSLInitializer::CSSLInitializer() { #if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 sm_iLockNum = CRYPTO_num_locks(); if(sm_iLockNum > 0) sm_pcsLocks = new CSimpleRWLock[sm_iLockNum]; /* #ifdef _DEBUG CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif */ CRYPTO_set_locking_callback (&ssl_lock_callback); CRYPTO_set_dynlock_create_callback (&ssl_lock_dyn_create_callback); CRYPTO_set_dynlock_destroy_callback (&ssl_lock_dyn_destroy_callback); CRYPTO_set_dynlock_lock_callback (&ssl_lock_dyn_callback); SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); #else OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, nullptr); #endif }
/* * Initialize TLS subsystem. Should be called only once. */ static int tlso_init( void ) { struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT(); #ifdef HAVE_EBCDIC { char *file = LDAP_STRDUP( lo->ldo_tls_randfile ); if ( file ) __atoe( file ); (void) tlso_seed_PRNG( file ); LDAP_FREE( file ); } #else (void) tlso_seed_PRNG( lo->ldo_tls_randfile ); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000 SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_digests(); #else OPENSSL_init_ssl(0, NULL); #endif /* FIXME: mod_ssl does this */ X509V3_add_standard_extensions(); return 0; }
gboolean irssi_ssl_init(void) { int success; #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) if (!OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, NULL)) { g_error("Could not initialize OpenSSL"); return FALSE; } #else SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); #endif store = X509_STORE_new(); if (store == NULL) { g_error("Could not initialize OpenSSL: X509_STORE_new() failed"); return FALSE; } success = X509_STORE_set_default_paths(store); if (success == 0) { g_warning("Could not load default certificates"); X509_STORE_free(store); store = NULL; /* Don't return an error; the user might have their own cafile/capath. */ } ssl_inited = TRUE; return TRUE; }
static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVOID* context) { DWORD flags = param ? *(PDWORD)param : WINPR_SSL_INIT_DEFAULT; if (flags & WINPR_SSL_INIT_ALREADY_INITIALIZED) { return TRUE; } #ifdef WINPR_OPENSSL_LOCKING_REQUIRED if (flags & WINPR_SSL_INIT_ENABLE_LOCKING) { if (!_winpr_openssl_initialize_locking()) { return FALSE; } } #endif /* SSL_load_error_strings() is void */ #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) SSL_load_error_strings(); /* SSL_library_init() always returns "1" */ SSL_library_init(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); #else if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL) != 1) return FALSE; #endif g_winpr_openssl_initialized_by_winpr = TRUE; if (flags & WINPR_SSL_INIT_ENABLE_FIPS) { #if (OPENSSL_VERSION_NUMBER < 0x10001000L) WLog_ERR(TAG, "Openssl fips mode ENable not available on openssl versions less than 1.0.1!"); #else WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled"); if (FIPS_mode() != 1) { if (FIPS_mode_set(1)) WLog_INFO(TAG, "Openssl fips mode ENabled!"); else WLog_ERR(TAG, "Openssl fips mode ENable failed!"); } #endif } return TRUE; }
int git_openssl_stream_global_init(void) { #ifdef GIT_OPENSSL long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; const char *ciphers = git_libgit2__ssl_ciphers(); /* Older OpenSSL and MacOS OpenSSL doesn't have this */ #ifdef SSL_OP_NO_COMPRESSION ssl_opts |= SSL_OP_NO_COMPRESSION; #endif #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); #else OPENSSL_init_ssl(0, NULL); #endif /* * Load SSLv{2,3} and TLSv1 so that we can talk with servers * which use the SSL hellos, which are often used for * compatibility. We then disable SSL so we only allow OpenSSL * to speak TLSv1 to perform the encryption itself. */ git__ssl_ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_set_options(git__ssl_ctx, ssl_opts); SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL); if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; return -1; } if (!ciphers) { ciphers = GIT_SSL_DEFAULT_CIPHERS; } if(!SSL_CTX_set_cipher_list(git__ssl_ctx, ciphers)) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; return -1; } if (init_bio_method() < 0) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; return -1; } #endif git__on_shutdown(shutdown_ssl); return 0; }
void tls_initialize(void) { #if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); SSL_load_error_strings(); #else OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); #endif }
/* Initializes SSL and allocate global context SSL_context SYNOPSIS my_ssl_start mysql connection handle RETURN VALUES 0 success 1 error */ int ma_tls_start(char *errmsg, size_t errmsg_len) { int rc= 1; if (ma_tls_initialized) return 0; /* lock mutex to prevent multiple initialization */ pthread_mutex_init(&LOCK_openssl_config,MY_MUTEX_INIT_FAST); pthread_mutex_lock(&LOCK_openssl_config); #if OPENSSL_VERSION_NUMBER >= 0x10100000L OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); #else if (ssl_thread_init()) { strncpy(errmsg, "Not enough memory", errmsg_len); goto end; } SSL_library_init(); #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif #endif /* load errors */ SSL_load_error_strings(); /* digests and ciphers */ OpenSSL_add_all_algorithms(); #if OPENSSL_VERSION_NUMBER >= 0x10100000L if (!(SSL_context= SSL_CTX_new(TLS_client_method()))) #else if (!(SSL_context= SSL_CTX_new(SSLv23_client_method()))) #endif { ma_tls_get_error(errmsg, errmsg_len); goto end; } #ifdef HAVE_TLS_SESSION_CACHE SSL_CTX_set_session_cache_mode(SSL_context, SSL_SESS_CACHE_CLIENT); ma_tls_sessions= (MA_SSL_SESSION *)calloc(1, sizeof(struct st_ma_tls_session) * ma_tls_session_cache_size); SSL_CTX_sess_set_new_cb(SSL_context, ma_tls_session_cb); SSL_CTX_sess_set_remove_cb(SSL_context, ma_tls_remove_session_cb); #endif disable_sigpipe(); #if OPENSSL_USE_BIOMETHOD memcpy(&ma_BIO_method, BIO_s_socket(), sizeof(BIO_METHOD)); ma_BIO_method.bread= ma_bio_read; ma_BIO_method.bwrite= ma_bio_write; #endif rc= 0; ma_tls_initialized= TRUE; end: pthread_mutex_unlock(&LOCK_openssl_config); return rc; }
//-------------------------------------------------------------------------------------------------- le_result_t secSocket_Init ( secSocket_Ctx_t** ctxPtr ///< [INOUT] Secure socket context pointer ) { // Check input parameter if (!ctxPtr) { LE_ERROR("Null pointer provided"); return LE_BAD_PARAMETER; } // Initialize the socket context pool if (!SocketCtxPoolRef) { SocketCtxPoolRef = le_mem_InitStaticPool(SocketCtxPool, MAX_SOCKET_NB, sizeof(OpensslCtx_t)); } // Check if the socket is already initialized OpensslCtx_t* contextPtr = GetContext(*ctxPtr); if ((contextPtr) && (contextPtr->isInit)) { LE_ERROR("Socket context already initialized"); return LE_FAULT; } // Alloc memory from pool contextPtr = le_mem_TryAlloc(SocketCtxPoolRef); if (NULL == contextPtr) { LE_ERROR("Unable to allocate a socket context from pool"); return LE_FAULT; } // Set the magic number contextPtr->magicNb = OPENSSL_MAGIC_NUMBER; // Initialize OpenSSL library and setup SSL pointers #if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); contextPtr->sslCtxPtr = SSL_CTX_new(TLSv1_client_method()); #else OPENSSL_init_ssl(0, NULL); contextPtr->sslCtxPtr = SSL_CTX_new(TLS_client_method()); #endif contextPtr->isInit = true; *ctxPtr = (secSocket_Ctx_t*)contextPtr; return LE_OK; }
static int apps_startup(void) { #ifdef SIGPIPE signal(SIGPIPE, SIG_IGN); #endif /* Set non-default library initialisation settings */ if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL)) return 0; setup_ui_method(); return 1; }
int FuzzerInitialize(int *argc, char ***argv) { STACK_OF(SSL_COMP) *comp_methods; OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL); OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); ERR_get_state(); CRYPTO_free_ex_index(0, -1); idx = SSL_get_ex_data_X509_STORE_CTX_idx(); FuzzerSetRand(); comp_methods = SSL_COMP_get_compression_methods(); if (comp_methods != NULL) sk_SSL_COMP_sort(comp_methods); return 1; }
int errstr_main(int argc, char **argv) { OPTION_CHOICE o; char buf[256], *prog; int ret = 1; unsigned long l; prog = opt_init(argc, argv, errstr_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { case OPT_EOF: case OPT_ERR: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; case OPT_HELP: opt_help(errstr_options); ret = 0; goto end; case OPT_STATS: lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(), bio_out); lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), bio_out); lh_ERR_STRING_DATA_node_usage_stats_bio(ERR_get_string_table(), bio_out); ret = 0; goto end; } } ret = 0; for (argv = opt_rest(); *argv; argv++) { if (sscanf(*argv, "%lx", &l) == 0) ret++; else { /* We're not really an SSL application so this won't auto-init, but * we're still interested in SSL error strings */ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); ERR_error_string_n(l, buf, sizeof buf); BIO_printf(bio_out, "%s\n", buf); } } end: return (ret); }
int lws_context_init_ssl_library(const struct lws_context_creation_info *info) { #ifdef USE_WOLFSSL #ifdef USE_OLD_CYASSL lwsl_info(" Compiled with CyaSSL support\n"); #else lwsl_info(" Compiled with wolfSSL support\n"); #endif #else #if defined(LWS_WITH_BORINGSSL) lwsl_info(" Compiled with BoringSSL support\n"); #else lwsl_info(" Compiled with OpenSSL support\n"); #endif #endif if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) { lwsl_info(" SSL disabled: no " "LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n"); return 0; } /* basic openssl init */ lwsl_info("Doing SSL library init\n"); #if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); #else OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); #endif #if defined(LWS_WITH_NETWORK) openssl_websocket_private_data_index = SSL_get_ex_new_index(0, "lws", NULL, NULL, NULL); openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); #endif return 0; }
/* Initializes SSL and allocate global context SSL_context SYNOPSIS my_ssl_start mysql connection handle RETURN VALUES 0 success 1 error */ int my_ssl_start(MYSQL *mysql) { int rc= 0; DBUG_ENTER("my_ssl_start"); /* lock mutex to prevent multiple initialization */ pthread_mutex_lock(&LOCK_ssl_config); if (!my_ssl_initialized) { #if OPENSSL_VERSION_NUMBER < 0x10100000 if (ssl_crypto_init()) goto end; #endif #if OPENSSL_VERSION_NUMBER >= 0x10100000L OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); #else SSL_library_init(); #if SSLEAY_VERSION_NUMBER >= 0x00907000L OPENSSL_config(NULL); #endif #endif /* load errors */ SSL_load_error_strings(); /* digests and ciphers */ OpenSSL_add_all_algorithms(); #if OPENSSL_VERSION_NUMBER >= 0x10100000L if (!(SSL_context= SSL_CTX_new(TLS_client_method()))) #else if (!(SSL_context= SSL_CTX_new(TLSv1_client_method()))) #endif { my_SSL_error(mysql); rc= 1; goto end; } my_ssl_initialized= TRUE; } end: pthread_mutex_unlock(&LOCK_ssl_config); DBUG_RETURN(rc); }
static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVOID* context) { DWORD flags = param ? *(PDWORD)param : WINPR_SSL_INIT_DEFAULT; if (flags & WINPR_SSL_INIT_ALREADY_INITIALIZED) { return TRUE; } #ifdef WINPR_OPENSSL_LOCKING_REQUIRED if (flags & WINPR_SSL_INIT_ENABLE_LOCKING) { if (!_winpr_openssl_initialize_locking()) { return FALSE; } } #endif /* SSL_load_error_strings() is void */ #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) SSL_load_error_strings(); /* SSL_library_init() always returns "1" */ SSL_library_init(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); #else if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL) != 1) return FALSE; #endif g_winpr_openssl_initialized_by_winpr = TRUE; return winpr_enable_fips(flags); }
SSL_SESSION * SSL_SESSION_new(void) { SSL_SESSION *ss; if (!OPENSSL_init_ssl(0, NULL)) { SSLerrorx(SSL_R_LIBRARY_BUG); return(NULL); } if ((ss = calloc(1, sizeof(*ss))) == NULL) { SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } if ((ss->internal = calloc(1, sizeof(*ss->internal))) == NULL) { free(ss); SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; ss->timeout=60*5+4; /* 5 minute timeout by default */ ss->time = time(NULL); ss->internal->prev = NULL; ss->internal->next = NULL; ss->tlsext_hostname = NULL; ss->internal->tlsext_ecpointformatlist_length = 0; ss->internal->tlsext_ecpointformatlist = NULL; ss->internal->tlsext_supportedgroups_length = 0; ss->internal->tlsext_supportedgroups = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->internal->ex_data); return (ss); }
int tls_init_library(void) { tls_cnx = NULL; tls_data_cnx = NULL; tls_ctx = NULL; # if (OPENSSL_VERSION_NUMBER < 0x10100000L) || !defined(OPENSSL_INIT_LOAD_SSL_STRINGS) SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); # else OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG, NULL); # endif tls_init_rnd(); tls_create_new_context(cert_file, key_file); tls_cnx_handshook = 0; tls_data_cnx_handshook = 0; return 0; }
/* * OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the * OpenSSL[https://www.openssl.org/] library. * * = Examples * * All examples assume you have loaded OpenSSL with: * * require 'openssl' * * These examples build atop each other. For example the key created in the * next is used in throughout these examples. * * == Keys * * === Creating a Key * * This example creates a 2048 bit RSA keypair and writes it to the current * directory. * * key = OpenSSL::PKey::RSA.new 2048 * * open 'private_key.pem', 'w' do |io| io.write key.to_pem end * open 'public_key.pem', 'w' do |io| io.write key.public_key.to_pem end * * === Exporting a Key * * Keys saved to disk without encryption are not secure as anyone who gets * ahold of the key may use it unless it is encrypted. In order to securely * export a key you may export it with a pass phrase. * * cipher = OpenSSL::Cipher.new 'AES-128-CBC' * pass_phrase = 'my secure pass phrase goes here' * * key_secure = key.export cipher, pass_phrase * * open 'private.secure.pem', 'w' do |io| * io.write key_secure * end * * OpenSSL::Cipher.ciphers returns a list of available ciphers. * * === Loading a Key * * A key can also be loaded from a file. * * key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem' * key2.public? # => true * key2.private? # => true * * or * * key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem' * key3.public? # => true * key3.private? # => false * * === Loading an Encrypted Key * * OpenSSL will prompt you for your pass phrase when loading an encrypted key. * If you will not be able to type in the pass phrase you may provide it when * loading the key: * * key4_pem = File.read 'private.secure.pem' * pass_phrase = 'my secure pass phrase goes here' * key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase * * == RSA Encryption * * RSA provides encryption and decryption using the public and private keys. * You can use a variety of padding methods depending upon the intended use of * encrypted data. * * === Encryption & Decryption * * Asymmetric public/private key encryption is slow and victim to attack in * cases where it is used without padding or directly to encrypt larger chunks * of data. Typical use cases for RSA encryption involve "wrapping" a symmetric * key with the public key of the recipient who would "unwrap" that symmetric * key again using their private key. * The following illustrates a simplified example of such a key transport * scheme. It shouldn't be used in practice, though, standardized protocols * should always be preferred. * * wrapped_key = key.public_encrypt key * * A symmetric key encrypted with the public key can only be decrypted with * the corresponding private key of the recipient. * * original_key = key.private_decrypt wrapped_key * * By default PKCS#1 padding will be used, but it is also possible to use * other forms of padding, see PKey::RSA for further details. * * === Signatures * * Using "private_encrypt" to encrypt some data with the private key is * equivalent to applying a digital signature to the data. A verifying * party may validate the signature by comparing the result of decrypting * the signature with "public_decrypt" to the original data. However, * OpenSSL::PKey already has methods "sign" and "verify" that handle * digital signatures in a standardized way - "private_encrypt" and * "public_decrypt" shouldn't be used in practice. * * To sign a document, a cryptographically secure hash of the document is * computed first, which is then signed using the private key. * * digest = OpenSSL::Digest::SHA256.new * signature = key.sign digest, document * * To validate the signature, again a hash of the document is computed and * the signature is decrypted using the public key. The result is then * compared to the hash just computed, if they are equal the signature was * valid. * * digest = OpenSSL::Digest::SHA256.new * if key.verify digest, signature, document * puts 'Valid' * else * puts 'Invalid' * end * * == PBKDF2 Password-based Encryption * * If supported by the underlying OpenSSL version used, Password-based * Encryption should use the features of PKCS5. If not supported or if * required by legacy applications, the older, less secure methods specified * in RFC 2898 are also supported (see below). * * PKCS5 supports PBKDF2 as it was specified in PKCS#5 * v2.0[http://www.rsa.com/rsalabs/node.asp?id=2127]. It still uses a * password, a salt, and additionally a number of iterations that will * slow the key derivation process down. The slower this is, the more work * it requires being able to brute-force the resulting key. * * === Encryption * * The strategy is to first instantiate a Cipher for encryption, and * then to generate a random IV plus a key derived from the password * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt, * the number of iterations largely depends on the hardware being used. * * cipher = OpenSSL::Cipher.new 'AES-128-CBC' * cipher.encrypt * iv = cipher.random_iv * * pwd = 'some hopefully not to easily guessable password' * salt = OpenSSL::Random.random_bytes 16 * iter = 20000 * key_len = cipher.key_len * digest = OpenSSL::Digest::SHA256.new * * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) * cipher.key = key * * Now encrypt the data: * * encrypted = cipher.update document * encrypted << cipher.final * * === Decryption * * Use the same steps as before to derive the symmetric AES key, this time * setting the Cipher up for decryption. * * cipher = OpenSSL::Cipher.new 'AES-128-CBC' * cipher.decrypt * cipher.iv = iv # the one generated with #random_iv * * pwd = 'some hopefully not to easily guessable password' * salt = ... # the one generated above * iter = 20000 * key_len = cipher.key_len * digest = OpenSSL::Digest::SHA256.new * * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) * cipher.key = key * * Now decrypt the data: * * decrypted = cipher.update encrypted * decrypted << cipher.final * * == PKCS #5 Password-based Encryption * * PKCS #5 is a password-based encryption standard documented at * RFC2898[http://www.ietf.org/rfc/rfc2898.txt]. It allows a short password or * passphrase to be used to create a secure encryption key. If possible, PBKDF2 * as described above should be used if the circumstances allow it. * * PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption * key. * * pass_phrase = 'my secure pass phrase goes here' * salt = '8 octets' * * === Encryption * * First set up the cipher for encryption * * encryptor = OpenSSL::Cipher.new 'AES-128-CBC' * encryptor.encrypt * encryptor.pkcs5_keyivgen pass_phrase, salt * * Then pass the data you want to encrypt through * * encrypted = encryptor.update 'top secret document' * encrypted << encryptor.final * * === Decryption * * Use a new Cipher instance set up for decryption * * decryptor = OpenSSL::Cipher.new 'AES-128-CBC' * decryptor.decrypt * decryptor.pkcs5_keyivgen pass_phrase, salt * * Then pass the data you want to decrypt through * * plain = decryptor.update encrypted * plain << decryptor.final * * == X509 Certificates * * === Creating a Certificate * * This example creates a self-signed certificate using an RSA key and a SHA1 * signature. * * key = OpenSSL::PKey::RSA.new 2048 * name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example' * * cert = OpenSSL::X509::Certificate.new * cert.version = 2 * cert.serial = 0 * cert.not_before = Time.now * cert.not_after = Time.now + 3600 * * cert.public_key = key.public_key * cert.subject = name * * === Certificate Extensions * * You can add extensions to the certificate with * OpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate. * * extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert * * cert.add_extension \ * extension_factory.create_extension('basicConstraints', 'CA:FALSE', true) * * cert.add_extension \ * extension_factory.create_extension( * 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature') * * cert.add_extension \ * extension_factory.create_extension('subjectKeyIdentifier', 'hash') * * The list of supported extensions (and in some cases their possible values) * can be derived from the "objects.h" file in the OpenSSL source code. * * === Signing a Certificate * * To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign * with a digest algorithm. This creates a self-signed cert because we're using * the same name and key to sign the certificate as was used to create the * certificate. * * cert.issuer = name * cert.sign key, OpenSSL::Digest::SHA1.new * * open 'certificate.pem', 'w' do |io| io.write cert.to_pem end * * === Loading a Certificate * * Like a key, a cert can also be loaded from a file. * * cert2 = OpenSSL::X509::Certificate.new File.read 'certificate.pem' * * === Verifying a Certificate * * Certificate#verify will return true when a certificate was signed with the * given public key. * * raise 'certificate can not be verified' unless cert2.verify key * * == Certificate Authority * * A certificate authority (CA) is a trusted third party that allows you to * verify the ownership of unknown certificates. The CA issues key signatures * that indicate it trusts the user of that key. A user encountering the key * can verify the signature by using the CA's public key. * * === CA Key * * CA keys are valuable, so we encrypt and save it to disk and make sure it is * not readable by other users. * * ca_key = OpenSSL::PKey::RSA.new 2048 * pass_phrase = 'my secure pass phrase goes here' * * cipher = OpenSSL::Cipher.new 'AES-128-CBC' * * open 'ca_key.pem', 'w', 0400 do |io| * io.write ca_key.export(cipher, pass_phrase) * end * * === CA Certificate * * A CA certificate is created the same way we created a certificate above, but * with different extensions. * * ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example' * * ca_cert = OpenSSL::X509::Certificate.new * ca_cert.serial = 0 * ca_cert.version = 2 * ca_cert.not_before = Time.now * ca_cert.not_after = Time.now + 86400 * * ca_cert.public_key = ca_key.public_key * ca_cert.subject = ca_name * ca_cert.issuer = ca_name * * extension_factory = OpenSSL::X509::ExtensionFactory.new * extension_factory.subject_certificate = ca_cert * extension_factory.issuer_certificate = ca_cert * * ca_cert.add_extension \ * extension_factory.create_extension('subjectKeyIdentifier', 'hash') * * This extension indicates the CA's key may be used as a CA. * * ca_cert.add_extension \ * extension_factory.create_extension('basicConstraints', 'CA:TRUE', true) * * This extension indicates the CA's key may be used to verify signatures on * both certificates and certificate revocations. * * ca_cert.add_extension \ * extension_factory.create_extension( * 'keyUsage', 'cRLSign,keyCertSign', true) * * Root CA certificates are self-signed. * * ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new * * The CA certificate is saved to disk so it may be distributed to all the * users of the keys this CA will sign. * * open 'ca_cert.pem', 'w' do |io| * io.write ca_cert.to_pem * end * * === Certificate Signing Request * * The CA signs keys through a Certificate Signing Request (CSR). The CSR * contains the information necessary to identify the key. * * csr = OpenSSL::X509::Request.new * csr.version = 0 * csr.subject = name * csr.public_key = key.public_key * csr.sign key, OpenSSL::Digest::SHA1.new * * A CSR is saved to disk and sent to the CA for signing. * * open 'csr.pem', 'w' do |io| * io.write csr.to_pem * end * * === Creating a Certificate from a CSR * * Upon receiving a CSR the CA will verify it before signing it. A minimal * verification would be to check the CSR's signature. * * csr = OpenSSL::X509::Request.new File.read 'csr.pem' * * raise 'CSR can not be verified' unless csr.verify csr.public_key * * After verification a certificate is created, marked for various usages, * signed with the CA key and returned to the requester. * * csr_cert = OpenSSL::X509::Certificate.new * csr_cert.serial = 0 * csr_cert.version = 2 * csr_cert.not_before = Time.now * csr_cert.not_after = Time.now + 600 * * csr_cert.subject = csr.subject * csr_cert.public_key = csr.public_key * csr_cert.issuer = ca_cert.subject * * extension_factory = OpenSSL::X509::ExtensionFactory.new * extension_factory.subject_certificate = csr_cert * extension_factory.issuer_certificate = ca_cert * * csr_cert.add_extension \ * extension_factory.create_extension('basicConstraints', 'CA:FALSE') * * csr_cert.add_extension \ * extension_factory.create_extension( * 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature') * * csr_cert.add_extension \ * extension_factory.create_extension('subjectKeyIdentifier', 'hash') * * csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new * * open 'csr_cert.pem', 'w' do |io| * io.write csr_cert.to_pem * end * * == SSL and TLS Connections * * Using our created key and certificate we can create an SSL or TLS connection. * An SSLContext is used to set up an SSL session. * * context = OpenSSL::SSL::SSLContext.new * * === SSL Server * * An SSL server requires the certificate and private key to communicate * securely with its clients: * * context.cert = cert * context.key = key * * Then create an SSLServer with a TCP server socket and the context. Use the * SSLServer like an ordinary TCP server. * * require 'socket' * * tcp_server = TCPServer.new 5000 * ssl_server = OpenSSL::SSL::SSLServer.new tcp_server, context * * loop do * ssl_connection = ssl_server.accept * * data = connection.gets * * response = "I got #{data.dump}" * puts response * * connection.puts "I got #{data.dump}" * connection.close * end * * === SSL client * * An SSL client is created with a TCP socket and the context. * SSLSocket#connect must be called to initiate the SSL handshake and start * encryption. A key and certificate are not required for the client socket. * * Note that SSLSocket#close doesn't close the underlying socket by default. Set * SSLSocket#sync_close to true if you want. * * require 'socket' * * tcp_socket = TCPSocket.new 'localhost', 5000 * ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context * ssl_client.sync_close = true * ssl_client.connect * * ssl_client.puts "hello server!" * puts ssl_client.gets * * ssl_client.close # shutdown the TLS connection and close tcp_socket * * === Peer Verification * * An unverified SSL connection does not provide much security. For enhanced * security the client or server can verify the certificate of its peer. * * The client can be modified to verify the server's certificate against the * certificate authority's certificate: * * context.ca_file = 'ca_cert.pem' * context.verify_mode = OpenSSL::SSL::VERIFY_PEER * * require 'socket' * * tcp_socket = TCPSocket.new 'localhost', 5000 * ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context * ssl_client.connect * * ssl_client.puts "hello server!" * puts ssl_client.gets * * If the server certificate is invalid or <tt>context.ca_file</tt> is not set * when verifying peers an OpenSSL::SSL::SSLError will be raised. * */ void Init_openssl(void) { /* * Init timezone info */ #if 0 tzset(); #endif /* * Init all digests, ciphers */ #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000 if (!OPENSSL_init_ssl(0, NULL)) rb_raise(rb_eRuntimeError, "OPENSSL_init_ssl"); #else OpenSSL_add_ssl_algorithms(); OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); SSL_load_error_strings(); #endif /* * Init main module */ mOSSL = rb_define_module("OpenSSL"); rb_global_variable(&mOSSL); /* * OpenSSL ruby extension version */ rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION)); /* * Version of OpenSSL the ruby OpenSSL extension was built with */ rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT)); /* * Version of OpenSSL the ruby OpenSSL extension is running with */ #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000 rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION))); #else rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION))); #endif /* * Version number of OpenSSL the ruby OpenSSL extension was built with * (base 16) */ rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER)); /* * Boolean indicating whether OpenSSL is FIPS-capable or not */ rb_define_const(mOSSL, "OPENSSL_FIPS", #ifdef OPENSSL_FIPS Qtrue #else Qfalse #endif ); rb_define_module_function(mOSSL, "fips_mode", ossl_fips_mode_get, 0); rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1); /* * Generic error, * common for all classes under OpenSSL module */ eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError); rb_global_variable(&eOSSLError); /* * Init debug core */ dOSSL = Qfalse; rb_global_variable(&dOSSL); rb_define_module_function(mOSSL, "debug", ossl_debug_get, 0); rb_define_module_function(mOSSL, "debug=", ossl_debug_set, 1); rb_define_module_function(mOSSL, "errors", ossl_get_errors, 0); /* * Get ID of to_der */ ossl_s_to_der = rb_intern("to_der"); #if !defined(HAVE_OPENSSL_110_THREADING_API) Init_ossl_locks(); #endif /* * Init components */ Init_ossl_bn(); Init_ossl_cipher(); Init_ossl_config(); Init_ossl_digest(); Init_ossl_hmac(); Init_ossl_ns_spki(); Init_ossl_pkcs12(); Init_ossl_pkcs7(); Init_ossl_pkey(); Init_ossl_rand(); Init_ossl_ssl(); Init_ossl_x509(); Init_ossl_ocsp(); Init_ossl_engine(); Init_ossl_asn1(); Init_ossl_kdf(); #if defined(OSSL_DEBUG) /* * For debugging Ruby/OpenSSL. Enable only when built with --enable-debug */ #if !defined(LIBRESSL_VERSION_NUMBER) && \ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \ defined(CRYPTO_malloc_debug_init)) rb_define_module_function(mOSSL, "mem_check_start", mem_check_start, 0); rb_define_module_function(mOSSL, "print_mem_leaks", print_mem_leaks, 0); #if defined(CRYPTO_malloc_debug_init) /* <= 1.0.2 */ CRYPTO_malloc_debug_init(); #endif #if defined(V_CRYPTO_MDEBUG_ALL) /* <= 1.0.2 */ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000 /* <= 1.0.2 */ { int i; /* * See crypto/ex_data.c; call def_get_class() immediately to avoid * allocations. 15 is the maximum number that is used as the class index * in OpenSSL 1.0.2. */ for (i = 0; i <= 15; i++) { if (CRYPTO_get_ex_new_index(i, 0, (void *)"ossl-mdebug-dummy", 0, 0, 0) < 0) rb_raise(rb_eRuntimeError, "CRYPTO_get_ex_new_index for " "class index %d failed", i); } } #endif #endif #endif }
/** Main routine for unbound-control */ int main(int argc, char* argv[]) { int c, ret; int quiet = 0; const char* cfgfile = CONFIGFILE; char* svr = NULL; #ifdef USE_WINSOCK int r; WSADATA wsa_data; #endif #ifdef USE_THREAD_DEBUG /* stop the file output from unbound-control, overwrites the servers */ extern int check_locking_order; check_locking_order = 0; #endif /* USE_THREAD_DEBUG */ log_ident_set("unbound-control"); log_init(NULL, 0, NULL); checklock_start(); #ifdef USE_WINSOCK /* use registry config file in preference to compiletime location */ if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile"))) cfgfile = CONFIGFILE; #endif /* parse the options */ while( (c=getopt(argc, argv, "c:s:qh")) != -1) { switch(c) { case 'c': cfgfile = optarg; break; case 's': svr = optarg; break; case 'q': quiet = 1; break; case '?': case 'h': default: usage(); } } argc -= optind; argv += optind; if(argc == 0) usage(); if(argc >= 1 && strcmp(argv[0], "start")==0) { if(execlp("unbound", "unbound", "-c", cfgfile, (char*)NULL) < 0) { fatal_exit("could not exec unbound: %s", strerror(errno)); } } if(argc >= 1 && strcmp(argv[0], "stats_shm")==0) { print_stats_shm(cfgfile); return 0; } #ifdef USE_WINSOCK if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) fatal_exit("WSAStartup failed: %s", wsa_strerror(r)); #endif #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS ERR_load_crypto_strings(); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) ERR_load_SSL_strings(); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) OpenSSL_add_all_algorithms(); #else OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) (void)SSL_library_init(); #else (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); #endif if(!RAND_status()) { /* try to seed it */ unsigned char buf[256]; unsigned int seed=(unsigned)time(NULL) ^ (unsigned)getpid(); unsigned int v = seed; size_t i; for(i=0; i<256/sizeof(v); i++) { memmove(buf+i*sizeof(v), &v, sizeof(v)); v = v*seed + (unsigned int)i; } RAND_seed(buf, 256); log_warn("no entropy, seeding openssl PRNG with time\n"); } ret = go(cfgfile, svr, quiet, argc, argv); #ifdef USE_WINSOCK WSACleanup(); #endif checklock_stop(); return ret; }
Result<SslFd> SslFd::init(SocketFd fd, CSlice host, CSlice cert_file, VerifyPeer verify_peer) { #if TD_WINDOWS return Status::Error("TODO"); #else static bool init_openssl = [] { #if OPENSSL_VERSION_NUMBER >= 0x10100000L return OPENSSL_init_ssl(0, nullptr) != 0; #else OpenSSL_add_all_algorithms(); SSL_load_error_strings(); return OpenSSL_add_ssl_algorithms() != 0; #endif }(); CHECK(init_openssl); openssl_clear_errors("Before SslFd::init"); CHECK(!fd.empty()); auto ssl_method = #if OPENSSL_VERSION_NUMBER >= 0x10100000L TLS_client_method(); #else SSLv23_client_method(); #endif if (ssl_method == nullptr) { return create_openssl_error(-6, "Failed to create an SSL client method"); } auto ssl_ctx = SSL_CTX_new(ssl_method); if (ssl_ctx == nullptr) { return create_openssl_error(-7, "Failed to create an SSL context"); } auto ssl_ctx_guard = ScopeExit() + [&]() { SSL_CTX_free(ssl_ctx); }; long options = 0; #ifdef SSL_OP_NO_SSLv2 options |= SSL_OP_NO_SSLv2; #endif #ifdef SSL_OP_NO_SSLv3 options |= SSL_OP_NO_SSLv3; #endif SSL_CTX_set_options(ssl_ctx, options); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); if (cert_file.empty()) { SSL_CTX_set_default_verify_paths(ssl_ctx); } else { if (SSL_CTX_load_verify_locations(ssl_ctx, cert_file.c_str(), nullptr) == 0) { return create_openssl_error(-8, "Failed to set custom cert file"); } } if (VERIFY_PEER && verify_peer == VerifyPeer::On) { SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, verify_callback); if (VERIFY_DEPTH != -1) { SSL_CTX_set_verify_depth(ssl_ctx, VERIFY_DEPTH); } } else { SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, nullptr); } // TODO(now): cipher list string cipher_list; if (SSL_CTX_set_cipher_list(ssl_ctx, cipher_list.empty() ? "DEFAULT" : cipher_list.c_str()) == 0) { return create_openssl_error(-9, PSLICE("Failed to set cipher list \"%s\"", cipher_list.c_str())); } auto ssl_handle = SSL_new(ssl_ctx); if (ssl_handle == nullptr) { return create_openssl_error(-13, "Failed to create an SSL handle"); } auto ssl_handle_guard = ScopeExit() + [&]() { do_ssl_shutdown(ssl_handle); SSL_free(ssl_handle); }; #if OPENSSL_VERSION_NUMBER >= 0x10002000L X509_VERIFY_PARAM *param = SSL_get0_param(ssl_handle); /* Enable automatic hostname checks */ // TODO: X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS X509_VERIFY_PARAM_set_hostflags(param, 0); X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0); #else #warning DANGEROUS! HTTPS HOST WILL NOT BE CHECKED. INSTALL OPENSSL >= 1.0.2 OR IMPLEMENT HTTPS HOST CHECK MANUALLY #endif if (!SSL_set_fd(ssl_handle, fd.get_fd().get_native_fd())) { return create_openssl_error(-14, "Failed to set fd"); } #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) auto host_str = host.str(); SSL_set_tlsext_host_name(ssl_handle, MutableCSlice(host_str).begin()); #endif SSL_set_connect_state(ssl_handle); ssl_ctx_guard.dismiss(); ssl_handle_guard.dismiss(); return SslFd(std::move(fd), ssl_handle, ssl_ctx); #endif }
int be_tls_init(bool isServerStart) { STACK_OF(X509_NAME) *root_cert_list = NULL; SSL_CTX *context; /* This stuff need be done only once. */ if (!SSL_initialized) { #ifdef HAVE_OPENSSL_INIT_SSL OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); #else OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); #endif SSL_initialized = true; } /* * We use SSLv23_method() because it can negotiate use of the highest * mutually supported protocol version, while alternatives like * TLSv1_2_method() permit only one specific version. Note that we don't * actually allow SSL v2 or v3, only TLS protocols (see below). */ context = SSL_CTX_new(SSLv23_method()); if (!context) { ereport(isServerStart ? FATAL : LOG, (errmsg("could not create SSL context: %s", SSLerrmessage(ERR_get_error())))); goto error; } /* * Disable OpenSSL's moving-write-buffer sanity check, because it causes * unnecessary failures in nonblocking send cases. */ SSL_CTX_set_mode(context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); /* * Set password callback */ if (isServerStart) { if (ssl_passphrase_command[0]) SSL_CTX_set_default_passwd_cb(context, ssl_external_passwd_cb); } else { if (ssl_passphrase_command[0] && ssl_passphrase_command_supports_reload) SSL_CTX_set_default_passwd_cb(context, ssl_external_passwd_cb); else /* * If reloading and no external command is configured, override * OpenSSL's default handling of passphrase-protected files, * because we don't want to prompt for a passphrase in an * already-running server. */ SSL_CTX_set_default_passwd_cb(context, dummy_ssl_passwd_cb); } /* used by the callback */ ssl_is_server_start = isServerStart; /* * Load and verify server's certificate and private key */ if (SSL_CTX_use_certificate_chain_file(context, ssl_cert_file) != 1) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("could not load server certificate file \"%s\": %s", ssl_cert_file, SSLerrmessage(ERR_get_error())))); goto error; } if (!check_ssl_key_file_permissions(ssl_key_file, isServerStart)) goto error; /* * OK, try to load the private key file. */ dummy_ssl_passwd_cb_called = false; if (SSL_CTX_use_PrivateKey_file(context, ssl_key_file, SSL_FILETYPE_PEM) != 1) { if (dummy_ssl_passwd_cb_called) ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("private key file \"%s\" cannot be reloaded because it requires a passphrase", ssl_key_file))); else ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("could not load private key file \"%s\": %s", ssl_key_file, SSLerrmessage(ERR_get_error())))); goto error; } if (SSL_CTX_check_private_key(context) != 1) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("check of private key failed: %s", SSLerrmessage(ERR_get_error())))); goto error; } if (ssl_min_protocol_version) SSL_CTX_set_min_proto_version(context, ssl_protocol_version_to_openssl(ssl_min_protocol_version, "ssl_min_protocol_version")); if (ssl_max_protocol_version) SSL_CTX_set_max_proto_version(context, ssl_protocol_version_to_openssl(ssl_max_protocol_version, "ssl_max_protocol_version")); /* disallow SSL session tickets */ #ifdef SSL_OP_NO_TICKET /* added in OpenSSL 0.9.8f */ SSL_CTX_set_options(context, SSL_OP_NO_TICKET); #endif /* disallow SSL session caching, too */ SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF); /* set up ephemeral DH and ECDH keys */ if (!initialize_dh(context, isServerStart)) goto error; if (!initialize_ecdh(context, isServerStart)) goto error; /* set up the allowed cipher list */ if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("could not set the cipher list (no valid ciphers available)"))); goto error; } /* Let server choose order */ if (SSLPreferServerCiphers) SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE); /* * Load CA store, so we can verify client certificates if needed. */ if (ssl_ca_file[0]) { if (SSL_CTX_load_verify_locations(context, ssl_ca_file, NULL) != 1 || (root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == NULL) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("could not load root certificate file \"%s\": %s", ssl_ca_file, SSLerrmessage(ERR_get_error())))); goto error; } } /*---------- * Load the Certificate Revocation List (CRL). * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html *---------- */ if (ssl_crl_file[0]) { X509_STORE *cvstore = SSL_CTX_get_cert_store(context); if (cvstore) { /* Set the flags to check against the complete CRL chain */ if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1) { /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); #else ereport(LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("SSL certificate revocation list file \"%s\" ignored", ssl_crl_file), errdetail("SSL library does not support certificate revocation lists."))); #endif } else { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("could not load SSL certificate revocation list file \"%s\": %s", ssl_crl_file, SSLerrmessage(ERR_get_error())))); goto error; } } } if (ssl_ca_file[0]) { /* * Always ask for SSL client cert, but don't fail if it's not * presented. We might fail such connections later, depending on what * we find in pg_hba.conf. */ SSL_CTX_set_verify(context, (SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), verify_cb); /* * Tell OpenSSL to send the list of root certs we trust to clients in * CertificateRequests. This lets a client with a keystore select the * appropriate client certificate to send to us. */ SSL_CTX_set_client_CA_list(context, root_cert_list); } /* * Success! Replace any existing SSL_context. */ if (SSL_context) SSL_CTX_free(SSL_context); SSL_context = context; /* * Set flag to remember whether CA store has been loaded into SSL_context. */ if (ssl_ca_file[0]) ssl_loaded_verify_locations = true; else ssl_loaded_verify_locations = false; return 0; error: if (context) SSL_CTX_free(context); return -1; }
struct daemon* daemon_init(void) { struct daemon* daemon = (struct daemon*)calloc(1, sizeof(struct daemon)); #ifdef USE_WINSOCK int r; WSADATA wsa_data; #endif if(!daemon) return NULL; #ifdef USE_WINSOCK r = WSAStartup(MAKEWORD(2,2), &wsa_data); if(r != 0) { fatal_exit("could not init winsock. WSAStartup: %s", wsa_strerror(r)); } #endif /* USE_WINSOCK */ signal_handling_record(); checklock_start(); #ifdef HAVE_SSL # ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS ERR_load_crypto_strings(); # endif #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) ERR_load_SSL_strings(); #endif # ifdef USE_GOST (void)sldns_key_EVP_load_gost_id(); # endif # if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) OpenSSL_add_all_algorithms(); # else OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); # endif # if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS /* grab the COMP method ptr because openssl leaks it */ comp_meth = (void*)SSL_COMP_get_compression_methods(); # endif # if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) (void)SSL_library_init(); # else (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); # endif # if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) if(!ub_openssl_lock_init()) fatal_exit("could not init openssl locks"); # endif #elif defined(HAVE_NSS) if(NSS_NoDB_Init(NULL) != SECSuccess) fatal_exit("could not init NSS"); #endif /* HAVE_SSL or HAVE_NSS */ #ifdef HAVE_TZSET /* init timezone info while we are not chrooted yet */ tzset(); #endif /* open /dev/random if needed */ ub_systemseed((unsigned)time(NULL)^(unsigned)getpid()^0xe67); daemon->need_to_exit = 0; modstack_init(&daemon->mods); if(!(daemon->env = (struct module_env*)calloc(1, sizeof(*daemon->env)))) { free(daemon); return NULL; } /* init edns_known_options */ if(!edns_known_options_init(daemon->env)) { free(daemon->env); free(daemon); return NULL; } alloc_init(&daemon->superalloc, NULL, 0); daemon->acl = acl_list_create(); if(!daemon->acl) { edns_known_options_delete(daemon->env); free(daemon->env); free(daemon); return NULL; } if(gettimeofday(&daemon->time_boot, NULL) < 0) log_err("gettimeofday: %s", strerror(errno)); daemon->time_last_stat = daemon->time_boot; if((daemon->env->auth_zones = auth_zones_create()) == 0) { acl_list_delete(daemon->acl); edns_known_options_delete(daemon->env); free(daemon->env); free(daemon); return NULL; } return daemon; }
/* * Initialize global SSL context. */ void be_tls_init(void) { struct stat buf; STACK_OF(X509_NAME) *root_cert_list = NULL; if (!SSL_context) { #ifdef HAVE_OPENSSL_INIT_SSL OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); #else #if OPENSSL_VERSION_NUMBER >= 0x0907000L OPENSSL_config(NULL); #endif SSL_library_init(); SSL_load_error_strings(); #endif /* * We use SSLv23_method() because it can negotiate use of the highest * mutually supported protocol version, while alternatives like * TLSv1_2_method() permit only one specific version. Note that we * don't actually allow SSL v2 or v3, only TLS protocols (see below). */ SSL_context = SSL_CTX_new(SSLv23_method()); if (!SSL_context) ereport(FATAL, (errmsg("could not create SSL context: %s", SSLerrmessage(ERR_get_error())))); /* * Disable OpenSSL's moving-write-buffer sanity check, because it * causes unnecessary failures in nonblocking send cases. */ SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); /* * Load and verify server's certificate and private key */ if (SSL_CTX_use_certificate_chain_file(SSL_context, ssl_cert_file) != 1) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("could not load server certificate file \"%s\": %s", ssl_cert_file, SSLerrmessage(ERR_get_error())))); if (stat(ssl_key_file, &buf) != 0) ereport(FATAL, (errcode_for_file_access(), errmsg("could not access private key file \"%s\": %m", ssl_key_file))); if (!S_ISREG(buf.st_mode)) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("private key file \"%s\" is not a regular file", ssl_key_file))); /* * Refuse to load files owned by users other than us or root. * * XXX surely we can check this on Windows somehow, too. */ #if !defined(WIN32) && !defined(__CYGWIN__) if (buf.st_uid != geteuid() && buf.st_uid != 0) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("private key file \"%s\" must be owned by the database user or root", ssl_key_file))); #endif /* * Require no public access to key file. If the file is owned by us, * require mode 0600 or less. If owned by root, require 0640 or less * to allow read access through our gid, or a supplementary gid that * allows to read system-wide certificates. * * XXX temporarily suppress check when on Windows, because there may * not be proper support for Unix-y file permissions. Need to think * of a reasonable check to apply on Windows. (See also the data * directory permission check in postmaster.c) */ #if !defined(WIN32) && !defined(__CYGWIN__) if ((buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) || (buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO))) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("private key file \"%s\" has group or world access", ssl_key_file), errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root."))); #endif if (SSL_CTX_use_PrivateKey_file(SSL_context, ssl_key_file, SSL_FILETYPE_PEM) != 1) ereport(FATAL, (errmsg("could not load private key file \"%s\": %s", ssl_key_file, SSLerrmessage(ERR_get_error())))); if (SSL_CTX_check_private_key(SSL_context) != 1) ereport(FATAL, (errmsg("check of private key failed: %s", SSLerrmessage(ERR_get_error())))); } /* set up ephemeral DH keys, and disallow SSL v2/v3 while at it */ SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb); SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); /* set up ephemeral ECDH keys */ initialize_ecdh(); /* set up the allowed cipher list */ if (SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites) != 1) elog(FATAL, "could not set the cipher list (no valid ciphers available)"); /* Let server choose order */ if (SSLPreferServerCiphers) SSL_CTX_set_options(SSL_context, SSL_OP_CIPHER_SERVER_PREFERENCE); /* * Load CA store, so we can verify client certificates if needed. */ if (ssl_ca_file[0]) { if (SSL_CTX_load_verify_locations(SSL_context, ssl_ca_file, NULL) != 1 || (root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == NULL) ereport(FATAL, (errmsg("could not load root certificate file \"%s\": %s", ssl_ca_file, SSLerrmessage(ERR_get_error())))); } /*---------- * Load the Certificate Revocation List (CRL). * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html *---------- */ if (ssl_crl_file[0]) { X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context); if (cvstore) { /* Set the flags to check against the complete CRL chain */ if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1) { /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); #else ereport(LOG, (errmsg("SSL certificate revocation list file \"%s\" ignored", ssl_crl_file), errdetail("SSL library does not support certificate revocation lists."))); #endif } else ereport(FATAL, (errmsg("could not load SSL certificate revocation list file \"%s\": %s", ssl_crl_file, SSLerrmessage(ERR_get_error())))); } } if (ssl_ca_file[0]) { /* * Always ask for SSL client cert, but don't fail if it's not * presented. We might fail such connections later, depending on what * we find in pg_hba.conf. */ SSL_CTX_set_verify(SSL_context, (SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), verify_cb); /* Set flag to remember CA store is successfully loaded */ ssl_loaded_verify_locations = true; /* * Tell OpenSSL to send the list of root certs we trust to clients in * CertificateRequests. This lets a client with a keystore select the * appropriate client certificate to send to us. */ SSL_CTX_set_client_CA_list(SSL_context, root_cert_list); } }
/** Main routine for petal */ int main(int argc, char* argv[]) { int c; int port = 443; char* addr = "127.0.0.1", *key = "petal.key", *cert = "petal.pem"; #ifdef USE_WINSOCK WSADATA wsa_data; if((c=WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) { printf("WSAStartup failed\n"); exit(1); } atexit((void (*)(void))WSACleanup); #endif /* parse the options */ while( (c=getopt(argc, argv, "a:c:k:hp:v")) != -1) { switch(c) { case 'a': addr = optarg; break; case 'c': cert = optarg; break; case 'k': key = optarg; break; case 'p': port = atoi(optarg); break; case 'v': verb++; break; case '?': case 'h': default: usage(); } } argc -= optind; argv += optind; if(argc != 0) usage(); #ifdef SIGPIPE (void)signal(SIGPIPE, SIG_IGN); #endif #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS ERR_load_crypto_strings(); #endif ERR_load_SSL_strings(); #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) OpenSSL_add_all_algorithms(); #else OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) (void)SSL_library_init(); #else (void)OPENSSL_init_ssl(0, NULL); #endif do_service(addr, port, key, cert); #ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA CRYPTO_cleanup_all_ex_data(); #endif #ifdef HAVE_ERR_FREE_STRINGS ERR_free_strings(); #endif return 0; }
/** Main routine for nsd-control */ int main(int argc, char* argv[]) { int c; const char* cfgfile = CONFIGFILE; char* svr = NULL; #ifdef USE_WINSOCK int r; WSADATA wsa_data; #endif log_init("nsd-control"); #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS ERR_load_crypto_strings(); #endif ERR_load_SSL_strings(); #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) OpenSSL_add_all_algorithms(); #else OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) (void)SSL_library_init(); #else OPENSSL_init_ssl(0, NULL); #endif if(!RAND_status()) { /* try to seed it */ unsigned char buf[256]; unsigned int v, seed=(unsigned)time(NULL) ^ (unsigned)getpid(); size_t i; v = seed; for(i=0; i<256/sizeof(v); i++) { memmove(buf+i*sizeof(v), &v, sizeof(v)); v = v*seed + (unsigned int)i; } RAND_seed(buf, 256); fprintf(stderr, "warning: no entropy, seeding openssl PRNG with time\n"); } /* parse the options */ while( (c=getopt(argc, argv, "c:s:h")) != -1) { switch(c) { case 'c': cfgfile = optarg; break; case 's': svr = optarg; break; case '?': case 'h': default: usage(); } } argc -= optind; argv += optind; if(argc == 0) usage(); if(argc >= 1 && strcmp(argv[0], "start")==0) { if(execl(NSD_START_PATH, "nsd", "-c", cfgfile, (char*)NULL) < 0) { fprintf(stderr, "could not exec %s: %s\n", NSD_START_PATH, strerror(errno)); exit(1); } } return go(cfgfile, svr, argc, argv); }