Example #1
0
ClientSocket *SSLSocketIO::Accept(ListenSocket *s)
{
	if (s->io == &NormalSocketIO)
		throw SocketException("Attempting to accept on uninitialized socket with SSL");

	sockaddrs conaddr;

	socklen_t size = sizeof(conaddr);
	int newsock = accept(s->GetFD(), &conaddr.sa, &size);

#ifndef INVALID_SOCKET
	const int INVALID_SOCKET = -1;
#endif

	if (newsock < 0 || newsock == INVALID_SOCKET)
		throw SocketException("Unable to accept connection: " + Anope::LastError());

	ClientSocket *newsocket = s->OnAccept(newsock, conaddr);
	me->service.Init(newsocket);
	SSLSocketIO *io = anope_dynamic_static_cast<SSLSocketIO *>(newsocket->io);

	io->sslsock = SSL_new(server_ctx);
	if (!io->sslsock)
		throw SocketException("Unable to initialize SSL socket");

	SSL_set_accept_state(io->sslsock);

	if (!SSL_set_fd(io->sslsock, newsocket->GetFD()))
		throw SocketException("Unable to set SSL fd");

	newsocket->flags[SF_ACCEPTING] = true;
	this->FinishAccept(newsocket);

	return newsocket;
}
Example #2
0
static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_type* server,
				ioa_socket_handle s,
				ioa_network_buffer_handle nbh)
{
	FUNCSTART;

	if (!server || !nbh) {
		return NULL;
	}

	SSL* connecting_ssl = NULL;

	BIO *wbio = NULL;
	struct timeval timeout;

	/* Create BIO */
	wbio = BIO_new_dgram(s->fd, BIO_NOCLOSE);
	(void)BIO_dgram_set_peer(wbio, (struct sockaddr*) &(server->sm.m.sm.nd.src_addr));

	/* Set and activate timeouts */
	timeout.tv_sec = DTLS_MAX_RECV_TIMEOUT;
	timeout.tv_usec = 0;
	BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);

#if DTLSv1_2_SUPPORTED
	if(get_dtls_version(ioa_network_buffer_data(nbh),
							(int)ioa_network_buffer_get_size(nbh)) == 1) {
		connecting_ssl = SSL_NEW(server->dtls_ctx_v1_2);
	} else {
		connecting_ssl = SSL_NEW(server->dtls_ctx);
	}
#else
	{
		connecting_ssl = SSL_NEW(server->dtls_ctx);
	}
#endif

	SSL_set_accept_state(connecting_ssl);

	SSL_set_bio(connecting_ssl, NULL, wbio);
	SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE);

	SSL_set_max_cert_list(connecting_ssl, 655350);

	ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl,
					&(server->sm.m.sm.nd.src_addr),
					&(server->addr),
					nbh);

	if (!rc) {
		if (!(SSL_get_shutdown(connecting_ssl) & SSL_SENT_SHUTDOWN)) {
			SSL_set_shutdown(connecting_ssl, SSL_RECEIVED_SHUTDOWN);
			SSL_shutdown(connecting_ssl);
		}
		SSL_FREE(connecting_ssl);
	}

	return rc;
}
Example #3
0
/* prepare connection for interacting over a SSL connection
 */
void connection_uses_ssl (connection_t *con)
{
#ifdef HAVE_OPENSSL
    con->ssl = SSL_new (ssl_ctx);
    SSL_set_accept_state (con->ssl);
    SSL_set_fd (con->ssl, con->sock);
#endif
}
Example #4
0
VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
  VALUE obj;
  SSL_CTX* ctx;
  SSL* ssl;

  ms_conn* conn = engine_alloc(self, &obj);

  ID sym_key = rb_intern("key");
  VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0);

  ID sym_cert = rb_intern("cert");
  VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0);

  ID sym_ca = rb_intern("ca");
  VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0);

  ID sym_verify_mode = rb_intern("verify_mode");
  VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);

  ctx = SSL_CTX_new(SSLv23_server_method());
  conn->ctx = ctx;

  SSL_CTX_use_certificate_file(ctx, RSTRING_PTR(cert), SSL_FILETYPE_PEM);
  SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);

  if (!NIL_P(ca)) {
    SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
  }
  
  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE);
  SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

  SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");

  DH *dh = get_dh1024();
  SSL_CTX_set_tmp_dh(ctx, dh);

  EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp521r1);
  if (ecdh) {
    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
    EC_KEY_free(ecdh);
  }

  ssl = SSL_new(ctx);
  conn->ssl = ssl;
  SSL_set_app_data(ssl, NULL);

  if (NIL_P(verify_mode)) {
    /* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
  } else {
    SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback);
  }

  SSL_set_bio(ssl, conn->read, conn->write);

  SSL_set_accept_state(ssl);
  return obj;
}
Example #5
0
/* //////////////////////////////////////////////////////////////////////////////////////
 * implementation
 */
tb_ssl_ref_t tb_ssl_init(tb_bool_t bserver)
{
    // done
    tb_bool_t   ok = tb_false;
    tb_ssl_t*   ssl = tb_null;
    do
    {
        // load openssl library
        if (!tb_ssl_library_load()) break;

        // make ssl
        ssl = tb_malloc0_type(tb_ssl_t);
        tb_assert_and_check_break(ssl);

        // init timeout, 30s
        ssl->timeout = 30000;

        // init ctx
        ssl->ctx = SSL_CTX_new(SSLv3_method());
        tb_assert_and_check_break(ssl->ctx);
        
        // make ssl
        ssl->ssl = SSL_new(ssl->ctx);
        tb_assert_and_check_break(ssl->ssl);

        // init endpoint 
        if (bserver) SSL_set_accept_state(ssl->ssl);
        else SSL_set_connect_state(ssl->ssl);

        // init verify
        SSL_set_verify(ssl->ssl, 0, tb_ssl_verify);

        // init bio
        ssl->bio = BIO_new(&g_ssl_bio_method);
        tb_assert_and_check_break(ssl->bio);

        // set bio to ssl
        ssl->bio->ptr = ssl;
        SSL_set_bio(ssl->ssl, ssl->bio, ssl->bio);

        // init state
        ssl->state = TB_STATE_OK;

        // ok
        ok = tb_true;

    } while (0);

    // failed? exit it
    if (!ok)
    {
        if (ssl) tb_ssl_exit((tb_ssl_ref_t)ssl);
        ssl = tb_null;
    }

    // ok?
    return (tb_ssl_ref_t)ssl;
}
Example #6
0
/* 准备接受状态
 */
int32 ssl_io::init_accept( int32 fd )
{
    if ( init_ssl_ctx( fd ) < 0 ) return -1;

    _fd = fd;
    SSL_set_accept_state( X_SSL( _ssl_ctx ) );

    return do_handshake();
}
Example #7
0
/** Given an accepted connection on the listening socket, resume SSL.
 * \param sock an accepted socket (returned by accept())
 * \param state pointer to place to return connection state.
 * \return an SSL object to associate with the listen end of this connection.
 */
SSL *
ssl_resume(int sock, int *state)
{
  SSL *ssl;

  ssl = ssl_setup_socket(sock);
  SSL_set_accept_state(ssl);
  *state = ssl_handshake(ssl);
  return ssl;
}
Example #8
0
connection *connection_accepted(server *srv, server_socket *srv_socket, sock_addr *cnt_addr, int cnt) {
		connection *con;

		srv->cur_fds++;

		/* ok, we have the connection, register it */
#if 0
		log_error_write(srv, __FILE__, __LINE__, "sd",
				"appected()", cnt);
#endif
		srv->con_opened++;

		con = connections_get_new_connection(srv);

		con->fd = cnt;
		con->fde_ndx = -1;
		fdevent_register(srv->ev, con->fd, connection_handle_fdevent, con);

		connection_set_state(srv, con, CON_STATE_REQUEST_START);

		con->connection_start = srv->cur_ts;
		con->dst_addr = *cnt_addr;
		buffer_copy_string(con->dst_addr_buf, inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
		con->srv_socket = srv_socket;

		if (-1 == fdevent_fcntl_set_nb_cloexec_sock(srv->ev, con->fd)) {
			log_error_write(srv, __FILE__, __LINE__, "ss", "fcntl failed: ", strerror(errno));
			connection_close(srv, con);
			return NULL;
		}
#ifdef USE_OPENSSL
		/* connect FD to SSL */
		if (srv_socket->is_ssl) {
			if (NULL == (con->ssl = SSL_new(srv_socket->ssl_ctx))) {
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
						ERR_error_string(ERR_get_error(), NULL));

				connection_close(srv, con);
				return NULL;
			}

			con->renegotiations = 0;
			SSL_set_app_data(con->ssl, con);
			SSL_set_accept_state(con->ssl);

			if (1 != (SSL_set_fd(con->ssl, cnt))) {
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
						ERR_error_string(ERR_get_error(), NULL));
				connection_close(srv, con);
				return NULL;
			}
		}
#endif
		return con;
}
SecuredServerSession::SecuredServerSession(SessionsEventLoop *eventLoop, int sock, const sockaddr_storage &sockAddr)
    : ServerSession(eventLoop, sock, sockAddr)
{
    if (!(m_SSL = SSL_new(Server::instance()->sslContext())))
        throw std::runtime_error(ERR_error_string(ERR_get_error(), nullptr));

    if (!SSL_set_fd(m_SSL, sock))
        throw std::runtime_error(ERR_error_string(SSL_get_error(m_SSL, 0), nullptr));

    SSL_set_accept_state(m_SSL);
}
Example #10
0
static int openssl_ssl_ctx_new_ssl(lua_State*L)
{
  SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx");
  int server = 0;
  int mode_idx = 2;
  SSL *ssl = SSL_new(ctx);
  int ret = 1;
  BIO* bio = NULL;

  if (auxiliar_isclass(L, "openssl.bio", 2))
  {
    BIO *bi = CHECK_OBJECT(2, BIO, "openssl.bio");
    BIO *bo = bi;
    CRYPTO_add(&bi->references, 1, CRYPTO_LOCK_BIO);
    if (auxiliar_isclass(L, "openssl.bio", 3))
    {
      bo = CHECK_OBJECT(3, BIO, "openssl.bio");
      CRYPTO_add(&bo->references, 1, CRYPTO_LOCK_BIO);
      mode_idx = 4;
    }
    else
      mode_idx = 3;

    SSL_set_bio(ssl, bi, bo);
    ret = 1;
  }
  else if (lua_isnumber(L, 2))
  {
    ret = SSL_set_fd(ssl, luaL_checkint(L, 2));
    mode_idx = 3;
  }

  if (ret == 1 && !lua_isnoneornil(L, mode_idx))
  {
    server = auxiliar_checkboolean(L, mode_idx);
  }

  if (ret == 1)
  {
    if (server)
      SSL_set_accept_state(ssl);
    else
      SSL_set_connect_state(ssl);

    PUSH_OBJECT(ssl, "openssl.ssl");
    openssl_newvalue(L, ssl);
  }
  else
  {
    SSL_free(ssl);
    return openssl_pushresult(L, ret);
  }
  return 1;
}
Example #11
0
File: stud.c Project: gyepisam/stud
/* libev read handler for the bound socket.  Socket is accepted,
 * the proxystate is allocated and initalized, and we're off the races
 * connecting to the backend */
static void handle_accept(struct ev_loop *loop, ev_io *w, int revents) {
    (void) revents;
    struct sockaddr_storage addr;
    socklen_t sl = sizeof(addr);
    int client = accept(w->fd, (struct sockaddr *) &addr, &sl);
    if (client == -1) {
        assert(errno == EINTR || errno == EWOULDBLOCK || errno == EAGAIN);
        return;
    }

    setnonblocking(client);
    int back = create_back_socket();

    if (back == -1) {
        close(client);
        perror("{backend-connect}");
        return;
    }

    SSL_CTX * ctx = (SSL_CTX *)w->data;
    SSL *ssl = SSL_new(ctx);
    SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
    SSL_set_accept_state(ssl);
    SSL_set_fd(ssl, client);

    proxystate *ps = (proxystate *)malloc(sizeof(proxystate));

    ps->fd_up = client;
    ps->fd_down = back;
    ps->ssl = ssl;
    ps->want_shutdown = 0;
    ps->remote_ip = addr;
    ringbuffer_init(&ps->ring_up);
    ringbuffer_init(&ps->ring_down);

    /* set up events */
    ev_io_init(&ps->ev_r_up, client_read, client, EV_READ);
    ev_io_init(&ps->ev_w_up, client_write, client, EV_WRITE);

    ev_io_init(&ps->ev_r_handshake, client_handshake, client, EV_READ);
    ev_io_init(&ps->ev_w_handshake, client_handshake, client, EV_WRITE);

    ev_io_init(&ps->ev_w_down, handle_connect, back, EV_WRITE);

    ev_io_start(loop, &ps->ev_w_down);

    ps->ev_r_up.data = ps;
    ps->ev_w_up.data = ps;
    ps->ev_r_down.data = ps;
    ps->ev_w_down.data = ps;
    ps->ev_r_handshake.data = ps;
    ps->ev_w_handshake.data = ps;

}
Example #12
0
void hr_setup_ssl(struct http_session *hr, struct uwsgi_gateway_socket *ugs) {
 	hr->ssl = SSL_new(ugs->ctx);
        SSL_set_fd(hr->ssl, hr->session.main_peer->fd);
        SSL_set_accept_state(hr->ssl);
#ifdef UWSGI_SPDY
        SSL_set_ex_data(hr->ssl, uhttp.spdy_index, hr);
#endif
        uwsgi_cr_set_hooks(hr->session.main_peer, hr_ssl_read, NULL);
        hr->session.close = hr_session_ssl_close;
	hr->func_write = hr_ssl_write;
}
Example #13
0
	Engine::Engine(ContextWrapper & ctx, engine_enum kind)
	: ssl( SSL_new(ctx.getCtx()) )
	, bioIn( BIO_new(BIO_s_mem()) )
	, bioOut( BIO_new(BIO_s_mem()) )
	, checked_peer_certificate(false)
	{
		SSL_set_bio(ssl, bioIn, bioOut);
		if( kind == CLIENT )
			SSL_set_connect_state(ssl);
		else
			SSL_set_accept_state(ssl);
	}
Example #14
0
@return: None\n\
";
static PyObject *
ssl_Connection_set_accept_state(ssl_ConnectionObj *self, PyObject *args)
{
    if (!PyArg_ParseTuple(args, ":set_accept_state"))
        return NULL;

    SSL_set_accept_state(self->ssl);

    Py_INCREF(Py_None);
    return Py_None;
}
Example #15
0
bool KSSLSocket::bind_fd()
{
	assert(ssl==NULL);
	ssl = SSL_new(ctx);
	if (ssl==NULL) {
		return false;
	}
	if (SSL_set_fd(ssl, sockfd)!=1) {
		return false;
	}
	SSL_set_accept_state(ssl);
	return true;
}
Example #16
0
/** setup SSL connection to the client */
static SSL*
setup_ssl(int s, SSL_CTX* ctx)
{
	SSL* ssl = SSL_new(ctx);
	if(!ssl) return NULL;
	SSL_set_accept_state(ssl);
	(void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
	if(!SSL_set_fd(ssl, s)) {
		SSL_free(ssl);
		return NULL;
	}
	return ssl;
}
Example #17
0
PyObject* set_psk_server_callback(PyObject* self, PyObject* args) {
  PyObject* sock;
  if (!PyArg_ParseTuple(args, "O", &sock))
    return NULL;
  SSL* ssl = ((PySSLObject*)sock)->ssl;
  SSL_set_accept_state(ssl);
  SSL_set_psk_server_callback(ssl, psk_server_cb);
  if(!SSL_use_psk_identity_hint(ssl, psk_identity)) {
    PyErr_SetString(Error, "use_psk_identity_hint failed");
    return NULL;
  }
  return Py_BuildValue("l", (long)ssl);
}
Example #18
0
	void DtlsTransport::Run(Role localRole)
	{
		MS_TRACE();

		MS_ASSERT(localRole == Role::CLIENT || localRole == Role::SERVER, "local DTLS role must be 'client' or 'server'");

		Role previousLocalRole = this->localRole;

		if (localRole == previousLocalRole)
		{
			MS_ERROR("same local DTLS role provided, doing nothing");

			return;
		}

		// If the previous local DTLS role was 'client' or 'server' do reset.
		if (previousLocalRole == Role::CLIENT || previousLocalRole == Role::SERVER)
		{
			MS_DEBUG("resetting DTLS due to local role change");

			Reset();
		}

		// Update local role.
		this->localRole = localRole;

		// Set state and notify the listener.
		this->state = DtlsState::CONNECTING;
		this->listener->onDtlsConnecting(this);

		switch (this->localRole)
		{
			case Role::CLIENT:
				MS_DEBUG("running [role:client]");

				SSL_set_connect_state(this->ssl);
				SSL_do_handshake(this->ssl);
				SendPendingOutgoingDtlsData();
				SetTimeout();
				break;
			case Role::SERVER:
				MS_DEBUG("running [role:server]");

				SSL_set_accept_state(this->ssl);
				SSL_do_handshake(this->ssl);
				break;
			default:
				MS_ABORT("invalid local DTLS role");
				break;
		}
	}
Example #19
0
lwp_sslclient lwp_sslclient_new (SSL_CTX * server_context, lw_stream socket,
                                 lwp_sslclient_on_handshook on_handshook,
                                 void * tag)
{
   lwp_sslclient ctx = calloc (sizeof (*ctx), 1);

   if (!ctx)
      return 0;

   ctx->write_condition = -1;

   #ifdef _lacewing_npn
      *ctx->npn = 0;
   #endif

   ctx->server_context = server_context;
   ctx->ssl = SSL_new (server_context);

   ctx->on_handshook = on_handshook;
   ctx->tag = tag;

   /* TODO : I'm not really happy with the extra layer of buffering
    * that BIO pairs introduce.  Is there a better way to do this?
    */

   BIO_new_bio_pair (&ctx->bio_internal, 0, &ctx->bio_external, 0);
   SSL_set_bio (ctx->ssl, ctx->bio_internal, ctx->bio_internal);

   SSL_set_accept_state (ctx->ssl);

   lwp_stream_init (&ctx->upstream, &def_upstream, 0);
   lwp_stream_init (&ctx->downstream, &def_downstream, 0);

   /* Retain our streams indefinitely, since we'll be in charge of releasing
    * their memory.  This doesn't stop stream_delete from working.
    */
   lwp_retain (&ctx->upstream);
   lwp_retain (&ctx->downstream);

   lw_stream_add_filter_upstream
      (socket, &ctx->upstream, lw_false, lw_false);

   lw_stream_add_filter_downstream
      (socket, &ctx->downstream, lw_false, lw_false);

   pump (ctx);

   assert (! (ctx->flags & lwp_sslclient_flag_dead));

   return ctx;
}
Example #20
0
  void OpensslStream::handshake(const OpensslServer& server)
  {
    log_debug("tcp-connection established - build ssltunnel");

    log_debug("SSL_new(" << server.getSslContext().getPointer() << ')');
    _ssl = SSL_new( server.getSslContext().getPointer() );
    checkSslError();

    log_debug("SSL_set_fd(" << _ssl << ", " << getFd() << ')');
    SSL_set_fd(_ssl, getFd());

    log_debug("SSL_set_accept_state(" << _ssl << ')');
    SSL_set_accept_state(_ssl);
  }
Example #21
0
dsk_boolean
dsk_ssl_stream_new         (DskSslStreamOptions   *options,
                            DskSslStream         **stream_out,
                            DskOctetSource       **source_out,
                            DskOctetSink         **sink_out,
                            DskError             **error)
{
  DskSslStream *stream;
  DskSslSink *sink;
  DskSslSource *source;

  if (sink_out == NULL || source_out == NULL)
    {
      dsk_set_error (error, "dsk_ssl_stream_new: sink/source");
      return DSK_FALSE;
    }

  sink = dsk_object_new (&dsk_ssl_sink_class);
  source = dsk_object_new (&dsk_ssl_source_class);
  stream = dsk_object_new (&dsk_ssl_stream_class);

  BIO *bio;
  bio = BIO_new (&bio_method__ssl_underlying_stream);
  bio->ptr = stream;
  bio->init = 1;		/// HMM...
  stream->ssl = SSL_new (options->context->ctx);
  stream->context = dsk_object_ref (options->context);
  SSL_set_bio (stream->ssl, bio, bio);
  stream->base_instance.sink = DSK_OCTET_SINK (sink);        /* does not own */
  stream->base_instance.source = DSK_OCTET_SOURCE (source); /* does not own */
  stream->is_client = options->is_client ? 1 : 0;
  stream->handshaking = DSK_TRUE;
  sink->base_instance.stream = dsk_object_ref (stream);
  source->base_instance.stream = dsk_object_ref (stream);

  if (stream->is_client)
    SSL_set_connect_state (stream->ssl);
  else
    SSL_set_accept_state (stream->ssl);

  *sink_out = DSK_OCTET_SINK (sink);
  *source_out = DSK_OCTET_SOURCE (source);

  if (stream_out != NULL)
    *stream_out = stream;
  else
    dsk_object_unref (stream);
  return DSK_TRUE;
}
Example #22
0
int tls_init_data_session(const int fd, const int passive)
{
    const SSL_CIPHER *cipher;
    int ret;
    int ret_;

    (void) passive;
    if (tls_ctx == NULL) {
        logfile(LOG_ERR, MSG_TLS_NO_CTX);
        tls_error(__LINE__, 0);
    }
    if (tls_data_cnx != NULL) {
        tls_close_session(&tls_data_cnx);
    } else if ((tls_data_cnx = SSL_new(tls_ctx)) == NULL) {
        tls_error(__LINE__, 0);
    }
    if (SSL_set_fd(tls_data_cnx, fd) != 1) {
        tls_error(__LINE__, 0);
    }
    SSL_set_accept_state(tls_data_cnx);
    for (;;) {
        ret = SSL_accept(tls_data_cnx);
        if (ret <= 0) {
            ret_ = SSL_get_error(tls_data_cnx, ret);
            if (ret == -1 && (ret_ == SSL_ERROR_WANT_READ ||
                              ret_ == SSL_ERROR_WANT_WRITE)) {
                continue;
            }
            logfile(LOG_INFO, MSG_LOGOUT);
            _EXIT(EXIT_FAILURE);
        }
        break;
    }
# if ONLY_ACCEPT_REUSED_SSL_SESSIONS
    if (broken_client_compat == 0 && SSL_session_reused(tls_data_cnx) == 0) {
        tls_error(__LINE__, 0);
    }
# endif
    if ((cipher = SSL_get_current_cipher(tls_data_cnx)) != NULL) {
        int strength_bits = SSL_CIPHER_get_bits(cipher, NULL);

        logfile(LOG_INFO, MSG_TLS_INFO, SSL_CIPHER_get_version(cipher),
                SSL_CIPHER_get_name(cipher), strength_bits);
        if (strength_bits < MINIMAL_CIPHER_STRENGTH_BITS) {
            die(534, LOG_ERR, MSG_TLS_WEAK);
        }
    }
    return 0;
}
Example #23
0
void SSLAdapter::initServer() //(SSL* ssl)
{
    TraceS(this) << "Init server" << endl;
    assert(_socket);
    if (!_socket->context())
        _socket->useContext(SSLManager::instance().defaultServerContext());
    assert(_socket->context()->isForServerUse());

    _ssl = SSL_new(_socket->context()->sslContext());
    _readBIO = BIO_new(BIO_s_mem());
    _writeBIO = BIO_new(BIO_s_mem());
    SSL_set_bio(_ssl, _readBIO, _writeBIO);
    SSL_set_accept_state(_ssl);
    SSL_do_handshake(_ssl);
}
Example #24
0
void* get_ssl_fd(void *fd)
{
	SSL *ssl;
	int new_fd = *(int *)fd;
	ssl = SSL_new(ctx);
	SSL_set_fd(ssl, new_fd);
	SSL_set_accept_state(ssl);
	if(SSL_accept(ssl) < 0)
	{
		perror("accept");
		close(new_fd);
		return NULL;
	}
	return ssl;
}
Example #25
0
void* incoming_ssl_fd(void* sslctx, int fd)
{
	SSL* ssl = SSL_new((SSL_CTX*)sslctx);
	if(!ssl) {
		log_crypto_err("could not SSL_new");
		return NULL;
	}
	SSL_set_accept_state(ssl);
	(void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
	if(!SSL_set_fd(ssl, fd)) {
		log_crypto_err("could not SSL_set_fd");
		SSL_free(ssl);
		return NULL;
	}
	return ssl;
}
Example #26
0
  bool Parser::init() {

    if (!ssl) {
      printf("Error: dtls::Parser::init() failed because the `ssl` member hasn't been set yet.\n");
      return false;
    }

    /* in bio */
    {
      in_bio = BIO_new(BIO_s_mem());
      if (!in_bio) {
        printf("Error: dtls::Parser::init() failed because we can't create our in_bio.\n");
        return false;
      }

      BIO_set_mem_eof_return(in_bio, -1); /* see: https://www.openssl.org/docs/crypto/BIO_s_mem.html */
    }

    /* out bio */
    {
      out_bio = BIO_new(BIO_s_mem());
      if (!out_bio) {
        printf("Error: dtls::Parser::init() failed because can't create out out_bio.\n");
        /* @todo cleanup. */
        return false;
      }

      BIO_set_mem_eof_return(out_bio, -1); /* see: https://www.openssl.org/docs/crypto/BIO_s_mem.html */
    }

    /* set info callback */
    SSL_set_info_callback(ssl, dtls_parse_ssl_info_callback);

    /* set in and output bios. */
    SSL_set_bio(ssl, in_bio, out_bio);

    if (mode == DTLS_MODE_SERVER) { 
      SSL_set_accept_state(ssl); /* in case we're a server */
    }
    else if(mode == DTLS_MODE_CLIENT) {
      //SSL_set_connect_state(ssl); /* in case we're a client */
      printf("dtls::Parser - error: not yet handling client state for dtls::Parser().\n");
      exit(1);
    }
    
    return true;
  }
Example #27
0
bool CySocket::initAsSSL(void)
{
	isSSLSocket = true;
	if (NULL == (ssl = SSL_new(CySocket::SSL_ctx))) // create SSL-socket
	{
		aprintf("ySocket:SSL Error: Create SSL_new : %s\n", ERR_error_string(ERR_get_error(), NULL) );
		return false;
	}
	SSL_set_accept_state(ssl); // accept connection
	if(1 != (SSL_set_fd(ssl, sock))) // associate socket descriptor
	if (NULL == (ssl = SSL_new(CySocket::SSL_ctx)))
	{
		aprintf("ySocket:SSL Error: Create SSL_new : %s\n", ERR_error_string(ERR_get_error(), NULL) );
		return false;
	}
	return true;
}
static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_type* server, u08bits *buf, int len)
{
	FUNCSTART;

	if (!server || !buf || len<1) {
		return NULL;
	}

	SSL* connecting_ssl = NULL;

	BIO *wbio = NULL;
	struct timeval timeout;

	/* Create BIO */
	wbio = BIO_new_dgram(server->udp_listen_s->fd, BIO_NOCLOSE);
	(void)BIO_dgram_set_peer(wbio, (struct sockaddr*) &(server->sm.m.sm.nd.src_addr));

	/* Set and activate timeouts */
	timeout.tv_sec = DTLS_MAX_RECV_TIMEOUT;
	timeout.tv_usec = 0;
	BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);

	connecting_ssl = SSL_new(server->dtls_ctx);

	SSL_set_accept_state(connecting_ssl);

	SSL_set_bio(connecting_ssl, NULL, wbio);
	SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE);

	SSL_set_max_cert_list(connecting_ssl, 655350);

	ioa_socket_handle rc = dtls_accept_client_connection(server, connecting_ssl,
					&(server->sm.m.sm.nd.src_addr),
					&(server->addr),
					buf, len);

	if (!rc) {
		if (!(SSL_get_shutdown(connecting_ssl) & SSL_SENT_SHUTDOWN)) {
			SSL_set_shutdown(connecting_ssl, SSL_RECEIVED_SHUTDOWN);
			SSL_shutdown(connecting_ssl);
		}
		SSL_free(connecting_ssl);
	}

	return rc;
}
Example #29
0
/**
 * Create a new TLS/SSL object and mark it as new.
 */
static int meth_create(lua_State *L)
{
  p_ssl ssl;
  int mode = lsec_getmode(L, 1);
  SSL_CTX *ctx = lsec_checkcontext(L, 1);

  if (mode == LSEC_MODE_INVALID) {
    lua_pushnil(L);
    lua_pushstring(L, "invalid mode");
    return 2;
  }
  ssl = (p_ssl)lua_newuserdata(L, sizeof(t_ssl));
  if (!ssl) {
    lua_pushnil(L);
    lua_pushstring(L, "error creating SSL object");
    return 2;
  }
  ssl->ssl = SSL_new(ctx);
  if (!ssl->ssl) {
    lua_pushnil(L);
    lua_pushfstring(L, "error creating SSL object (%s)",
      ERR_reason_error_string(ERR_get_error()));
    return 2;
  }
  ssl->state = LSEC_STATE_NEW;
  SSL_set_fd(ssl->ssl, (int)SOCKET_INVALID);
  SSL_set_mode(ssl->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE | 
    SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#if defined(SSL_MODE_RELEASE_BUFFERS)
  SSL_set_mode(ssl->ssl, SSL_MODE_RELEASE_BUFFERS);
#endif
  if (mode == LSEC_MODE_SERVER)
    SSL_set_accept_state(ssl->ssl);
  else
    SSL_set_connect_state(ssl->ssl);

  io_init(&ssl->io, (p_send)ssl_send, (p_recv)ssl_recv, 
    (p_error) ssl_ioerror, ssl);
  timeout_init(&ssl->tm, -1, -1);
  buffer_init(&ssl->buf, &ssl->io, &ssl->tm);

  luaL_getmetatable(L, "SSL:Connection");
  lua_setmetatable(L, -2);
  return 1;
}
Example #30
0
  void TLSEncryptionSocketServer::init(const char* certificate_buf, int socket, ConnectionStateListener* listener) 
  { 
        m_ctx = SSL_CTX_new(TLSv1_server_method());      
          
        if (!load_certificate(certificate_buf)) {
                if (listener) listener->OnError(ConnectionStateListener::SSL_CERTIFICATE_LOAD_ERR);
                return;
        }       
                                                                                                              
        m_ssl = SSL_new(m_ctx);                  
        SSL_set_fd(m_ssl, socket);              
        
#ifdef SSL_LIB_OPENSSL        
        SSL_set_accept_state(m_ssl);      
#endif   

        //if (m_ctx != NULL && m_ssl != NULL) printf("TLSEncryptionSocketServer setup done\n");            
  }