static int execute_test(SSL_TEST_FIXTURE fixture) { int ret = 0; SSL_CTX *server_ctx = NULL, *server2_ctx = NULL, *client_ctx = NULL; SSL_TEST_CTX *test_ctx = NULL; HANDSHAKE_RESULT result; test_ctx = SSL_TEST_CTX_create(conf, fixture.test_app); if (test_ctx == NULL) goto err; #ifndef OPENSSL_NO_DTLS if (test_ctx->method == SSL_TEST_METHOD_DTLS) { server_ctx = SSL_CTX_new(DTLS_server_method()); if (test_ctx->servername_callback != SSL_TEST_SERVERNAME_CB_NONE) { server2_ctx = SSL_CTX_new(DTLS_server_method()); OPENSSL_assert(server2_ctx != NULL); } client_ctx = SSL_CTX_new(DTLS_client_method()); } #endif if (test_ctx->method == SSL_TEST_METHOD_TLS) { server_ctx = SSL_CTX_new(TLS_server_method()); if (test_ctx->servername_callback != SSL_TEST_SERVERNAME_CB_NONE) { server2_ctx = SSL_CTX_new(TLS_server_method()); OPENSSL_assert(server2_ctx != NULL); } client_ctx = SSL_CTX_new(TLS_client_method()); } OPENSSL_assert(server_ctx != NULL && client_ctx != NULL); OPENSSL_assert(CONF_modules_load(conf, fixture.test_app, 0) > 0); if (!SSL_CTX_config(server_ctx, "server") || !SSL_CTX_config(client_ctx, "client")) { goto err; } if (server2_ctx != NULL && !SSL_CTX_config(server2_ctx, "server2")) goto err; result = do_handshake(server_ctx, server2_ctx, client_ctx, test_ctx); ret = check_test(result, test_ctx); err: CONF_modules_unload(0); SSL_CTX_free(server_ctx); SSL_CTX_free(server2_ctx); SSL_CTX_free(client_ctx); SSL_TEST_CTX_free(test_ctx); if (ret != 1) ERR_print_errors_fp(stderr); return ret; }
static int server_setup_sni(void) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL))) goto end; /* set SNI at server side */ SSL_set_tlsext_host_name(serverssl, host); if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; if (!TEST_ptr_null(SSL_get_servername(serverssl, TLSEXT_NAMETYPE_host_name))) { /* SNI should have been cleared during handshake */ goto end; } testresult = 1; end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); SSL_CTX_free(cctx); return testresult; }
static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name) { CIPHERLIST_TEST_FIXTURE fixture; fixture.test_case_name = test_case_name; fixture.server = SSL_CTX_new(TLS_server_method()); fixture.client = SSL_CTX_new(TLS_client_method()); OPENSSL_assert(fixture.client != NULL && fixture.server != NULL); return fixture; }
int setup_tests(void) { if (!TEST_ptr(ctx = SSL_CTX_new(TLS_server_method())) || !TEST_ptr(s = SSL_new(ctx))) return 0; ADD_TEST(test_empty); ADD_TEST(test_unsupported); ADD_TEST(test_v2); ADD_TEST(test_v3); return 1; }
static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name) { CIPHERLIST_TEST_FIXTURE *fixture; if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) return NULL; fixture->test_case_name = test_case_name; if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method())) || !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) { tear_down(fixture); return NULL; } return fixture; }
static const SSL_METHOD *tls1_get_server_method(int ver) { if (ver == TLS_ANY_VERSION) return TLS_server_method(); if (ver == TLS1_2_VERSION) return TLSv1_2_server_method(); if (ver == TLS1_1_VERSION) return TLSv1_1_server_method(); if (ver == TLS1_VERSION) return TLSv1_server_method(); #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_server_method()); #endif return NULL; }
noPollPtr ssl_context_creator (noPollCtx * ctx, noPollConn * conn, noPollConnOpts * opts, nopoll_bool is_client, noPollPtr user_data) { SSL_CTX * ssl_ctx; noPollConn * listener; /* very basic context creation using default settings provided * by OpenSSL */ if (is_client) { #if OPENSSL_VERSION_NUMBER < 0x10100000L return SSL_CTX_new (TLSv1_client_method ()); #else return SSL_CTX_new (TLS_client_method ()); #endif } /* end if */ /* get the ssl context */ #if OPENSSL_VERSION_NUMBER < 0x10100000L ssl_ctx = SSL_CTX_new (TLSv1_server_method ()); #else ssl_ctx = SSL_CTX_new (TLS_server_method ()); #endif /* get a reference to the listener */ listener = nopoll_conn_get_listener (conn); if (nopoll_cmp ("1239", nopoll_conn_port (listener))) { printf ("ACCEPTED ssl connection on port: %s (for conn %p)\n", nopoll_conn_port (listener), conn); /* ok, especiall case where we require a certain * certificate from renote side */ if (SSL_CTX_load_verify_locations (ssl_ctx, "client-side-cert-auth-cacert.crt", NULL) != 1) { printf ("ERROR: unable to add ca certificate...\n"); } /* make server to ask for a certificate to the client * .... and verify it */ SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); } /* end if */ printf ("RETURNING: ssl context reference %p\n", ssl_ctx); return ssl_ctx; }
int lws_tls_server_vhost_backend_init(struct lws_context_creation_info *info, struct lws_vhost *vhost, struct lws *wsi) { const SSL_METHOD *method = TLS_server_method(); uint8_t *p; lws_filepos_t flen; vhost->ssl_ctx = SSL_CTX_new(method); /* create context */ if (!vhost->ssl_ctx) { lwsl_err("problem creating ssl context\n"); return 1; } if (!vhost->use_ssl || !info->ssl_cert_filepath) return 0; if (info->ssl_ca_filepath) { lwsl_notice("%s: vh %s: loading CA filepath %s\n", __func__, vhost->name, info->ssl_ca_filepath); if (lws_tls_alloc_pem_to_der_file(vhost->context, info->ssl_ca_filepath, NULL, 0, &p, &flen)) { lwsl_err("couldn't find client CA file %s\n", info->ssl_ca_filepath); return 1; } if (SSL_CTX_add_client_CA_ASN1(vhost->ssl_ctx, (int)flen, p) != 1) { lwsl_err("%s: SSL_CTX_add_client_CA_ASN1 unhappy\n", __func__); free(p); return 1; } free(p); } return lws_tls_server_certs_load(vhost, wsi, info->ssl_cert_filepath, info->ssl_private_key_filepath, NULL, 0, NULL, 0); }
static int tls_create_new_context(const char *cert_file, const char *key_file) { # ifdef HAVE_TLS_SERVER_METHOD if ((tls_ctx = SSL_CTX_new(TLS_server_method())) == NULL) { tls_error(__LINE__, 0); } # else if ((tls_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { tls_error(__LINE__, 0); } # endif tls_init_options(); tls_init_cache(); tls_load_cert_file(cert_file, key_file); if (ssl_verify_client_cert) { tls_init_client_cert_verification(cert_file); } tls_init_ecdh_curve(); tls_init_dhparams(); return 0; }
const SSL_METHOD * hb_ssl_method_id_to_ptr( int n ) { const SSL_METHOD * p; switch( n ) { #if OPENSSL_VERSION_NUMBER >= 0x10100000L case HB_SSL_CTX_NEW_METHOD_TLS: p = TLS_method(); break; case HB_SSL_CTX_NEW_METHOD_TLS_SERVER: p = TLS_server_method(); break; case HB_SSL_CTX_NEW_METHOD_TLS_CLIENT: p = TLS_client_method(); break; #else case HB_SSL_CTX_NEW_METHOD_TLSV1: p = TLSv1_method(); break; case HB_SSL_CTX_NEW_METHOD_TLSV1_SERVER: p = TLSv1_server_method(); break; case HB_SSL_CTX_NEW_METHOD_TLSV1_CLIENT: p = TLSv1_client_method(); break; case HB_SSL_CTX_NEW_METHOD_TLS: p = SSLv23_method(); break; case HB_SSL_CTX_NEW_METHOD_TLS_SERVER: p = SSLv23_server_method(); break; case HB_SSL_CTX_NEW_METHOD_TLS_CLIENT: p = SSLv23_client_method(); break; #endif default: p = SSLv23_method(); } return p; }
static int test_large_message_tls(void) { return execute_test_large_message(TLS_server_method(), TLS_client_method(), 0); }
int main(int argc, char *argv[]) { char *port = "*:4433"; BIO *in = NULL; BIO *ssl_bio, *tmp; SSL_CTX *ctx; SSL_CONF_CTX *cctx = NULL; CONF *conf = NULL; STACK_OF(CONF_VALUE) *sect = NULL; CONF_VALUE *cnf; long errline = -1; char buf[512]; int ret = EXIT_FAILURE, i; ctx = SSL_CTX_new(TLS_server_method()); conf = NCONF_new(NULL); if (NCONF_load(conf, "accept.cnf", &errline) <= 0) { if (errline <= 0) fprintf(stderr, "Error processing config file\n"); else fprintf(stderr, "Error on line %ld\n", errline); goto err; } sect = NCONF_get_section(conf, "default"); if (sect == NULL) { fprintf(stderr, "Error retrieving default section\n"); goto err; } cctx = SSL_CONF_CTX_new(); SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE); SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { int rv; cnf = sk_CONF_VALUE_value(sect, i); rv = SSL_CONF_cmd(cctx, cnf->name, cnf->value); if (rv > 0) continue; if (rv != -2) { fprintf(stderr, "Error processing %s = %s\n", cnf->name, cnf->value); ERR_print_errors_fp(stderr); goto err; } if (strcmp(cnf->name, "Port") == 0) { port = cnf->value; } else { fprintf(stderr, "Unknown configuration option %s\n", cnf->name); goto err; } } if (!SSL_CONF_CTX_finish(cctx)) { fprintf(stderr, "Finish error\n"); ERR_print_errors_fp(stderr); goto err; } /* Setup server side SSL bio */ ssl_bio = BIO_new_ssl(ctx, 0); if ((in = BIO_new_accept(port)) == NULL) goto err; /* * This means that when a new connection is accepted on 'in', The ssl_bio * will be 'duplicated' and have the new socket BIO push into it. * Basically it means the SSL BIO will be automatically setup */ BIO_set_accept_bios(in, ssl_bio); again: /* * The first call will setup the accept socket, and the second will get a * socket. In this loop, the first actual accept will occur in the * BIO_read() function. */ if (BIO_do_accept(in) <= 0) goto err; for (;;) { i = BIO_read(in, buf, 512); if (i == 0) { /* * If we have finished, remove the underlying BIO stack so the * next time we call any function for this BIO, it will attempt * to do an accept */ printf("Done\n"); tmp = BIO_pop(in); BIO_free_all(tmp); goto again; } if (i < 0) { if (BIO_should_retry(in)) continue; goto err; } fwrite(buf, 1, i, stdout); fflush(stdout); } ret = EXIT_SUCCESS; err: if (ret != EXIT_SUCCESS) ERR_print_errors_fp(stderr); BIO_free(in); return ret; }
/* * Custom call back tests. * Test 0: callbacks in TLSv1.2 * Test 1: callbacks in TLSv1.2 with SNI */ static int test_custom_exts(int tst) { SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; static int server = 1; static int client = 0; SSL_SESSION *sess = NULL; /* Reset callback counters */ clntaddcb = clntparsecb = srvaddcb = srvparsecb = 0; snicb = 0; if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, &cctx, cert, privkey)) { printf("Unable to create SSL_CTX pair\n"); goto end; } if (tst == 1 && !create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2, NULL, cert, privkey)) { printf("Unable to create SSL_CTX pair (2)\n"); goto end; } /* Create a client side custom extension */ if (!SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb, &client, parse_cb, &client)) { printf("Unable to add client custom extension\n"); goto end; } /* Should not be able to add duplicates */ if (SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb, &client, parse_cb, &client)) { printf("Unexpected success adding duplicate extension\n"); goto end; } /* Create a server side custom extension */ if (!SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb, &server, parse_cb, &server)) { printf("Unable to add server custom extension\n"); goto end; } if (sctx2 != NULL && !SSL_CTX_add_server_custom_ext(sctx2, TEST_EXT_TYPE1, add_cb, free_cb, &server, parse_cb, &server)) { printf("Unable to add server custom extension for SNI\n"); goto end; } /* Should not be able to add duplicates */ if (SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb, &server, parse_cb, &server)) { printf("Unexpected success adding duplicate extension (2)\n"); goto end; } if (tst == 1) { /* Set up SNI */ if (!SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb) || !SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)) { printf("Cannot set SNI callbacks\n"); goto end; } } if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL) || !create_ssl_connection(serverssl, clientssl)) { printf("Cannot create SSL connection\n"); goto end; } if (clntaddcb != 1 || clntparsecb != 1 || srvaddcb != 1 || srvparsecb != 1 || (tst != 1 && snicb != 0) || (tst == 1 && snicb != 1)) { printf("Incorrect callback counts\n"); goto end; } sess = SSL_get1_session(clientssl); SSL_shutdown(clientssl); SSL_shutdown(serverssl); SSL_free(serverssl); SSL_free(clientssl); serverssl = clientssl = NULL; if (tst == 1) { /* We don't bother with the resumption aspects for this test */ testresult = 1; goto end; } if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL) || !SSL_set_session(clientssl, sess) || !create_ssl_connection(serverssl, clientssl)) { printf("Cannot create resumption connection\n"); goto end; } /* * For a resumed session we expect to add the ClientHello extension but we * should ignore it on the server side. */ if (clntaddcb != 2 || clntparsecb != 1 || srvaddcb != 1 || srvparsecb != 1) { printf("Incorrect resumption callback counts\n"); goto end; } testresult = 1; end: SSL_SESSION_free(sess); SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx2); SSL_CTX_free(sctx); SSL_CTX_free(cctx); return testresult; }
net_socketSSL_t* net_socketSSL_listen(const char* port, int type, int backlog) { assert(port); assert(backlog > 0); int socktype; if((type >= NET_SOCKETSSL_TCP) && (type <= NET_SOCKETSSL_TCP_BUFFERED)) { socktype = SOCK_STREAM; } else { LOGE("invalid type=%i", type); return NULL; } net_socketSSL_t* self; self = (net_socketSSL_t*) malloc(sizeof(net_socketSSL_t)); if(self == NULL) { LOGE("malloc failed"); return NULL; } // SIGPIPE causes the process to exit for broken streams // but we want to receive EPIPE instead signal(SIGPIPE, SIG_IGN); // init SSL ctx #if NET_SOCKET_USE_OPENSSL_1_1 self->ctx = SSL_CTX_new(TLS_server_method()); #else // app should call SSL_library_init(); prior to creating any // OpenSSL sockets with the old API self->ctx = SSL_CTX_new(SSLv23_server_method()); #endif if(self->ctx == NULL) { LOGE("SSL_CTX_new failed"); goto fail_ctx; } self->method = NET_SOCKETSSL_METHOD_SERVER; self->ssl = NULL; if(SSL_CTX_load_verify_locations(self->ctx, "ca_cert.pem", NULL) != 1) { LOGE("SSL_CTX_load_verify_locations failed"); goto fail_load_verify; } #if NET_SOCKET_USE_OPENSSL_1_1 if(SSL_CTX_set_default_verify_file(self->ctx) != 1) { LOGE("SSL_CTX_set_default_verify_file failed"); goto fail_set_default_verify_file; } #endif STACK_OF(X509_NAME)* cert_names; cert_names = SSL_load_client_CA_file("ca_cert.pem"); if(cert_names == NULL) { LOGE("SSL_load_client_CA_file failed"); goto fail_cert_names; } SSL_CTX_set_client_CA_list(self->ctx, cert_names); if(SSL_CTX_use_certificate_file(self->ctx, "server_cert.pem", SSL_FILETYPE_PEM) != 1) { LOGE("SSL_CTX_use_certificate_file failed"); goto fail_use_cert; } if(SSL_CTX_use_PrivateKey_file(self->ctx, "server_key.pem", SSL_FILETYPE_PEM) != 1) { LOGE("SSL_CTX_use_PrivateKey_file failed"); goto fail_use_priv; } if(SSL_CTX_check_private_key(self->ctx) != 1) { LOGE("SSL_CTX_check_private_key failed"); goto fail_check_priv; } SSL_CTX_set_mode(self->ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(self->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); SSL_CTX_set_verify_depth(self->ctx, 1); // not needed for listening socket self->buffer = NULL; self->len = 0; struct addrinfo hints; memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = socktype; hints.ai_flags = AI_PASSIVE; struct addrinfo* info; if(getaddrinfo(NULL, port, &hints, &info) != 0) { LOGD("getaddrinfo failed"); goto fail_getaddrinfo; } struct addrinfo* i = info; self->sockfd = -1; while(i) { self->sockfd = socket(i->ai_family, i->ai_socktype, i->ai_protocol); if(self->sockfd == -1) { LOGD("socket failed"); i = i->ai_next; continue; } int yes = 1; if(setsockopt(self->sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1) { LOGD("setsockopt failed"); } // TCP_NODELAY is not needed for server socket if(bind(self->sockfd, i->ai_addr, i->ai_addrlen) == -1) { LOGD("bind failed"); close(self->sockfd); self->sockfd = -1; continue; } break; } freeaddrinfo(info); if(self->sockfd == -1) { LOGD("socket failed"); goto fail_socket; } if(listen(self->sockfd, backlog) == -1) { LOGD("listen failed"); goto fail_listen; } self->error = 0; self->connected = 1; self->type = type; // success return self; // failure fail_listen: close(self->sockfd); fail_socket: fail_getaddrinfo: fail_check_priv: fail_use_priv: fail_use_cert: fail_cert_names: #if NET_SOCKET_USE_OPENSSL_1_1 fail_set_default_verify_file: #endif fail_load_verify: SSL_CTX_free(self->ctx); fail_ctx: free(self); return NULL; }
static int test_cipher_name(void) { SSL_CTX *ctx = NULL; SSL *ssl = NULL; const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk = NULL; const char *ciphers = "ALL:eNULL", *p, *q, *r; int i, id = 0, ret = 0; /* tests for invalid input */ p = SSL_CIPHER_standard_name(NULL); if (!TEST_str_eq(p, "(NONE)")) { TEST_info("test_cipher_name(std) failed: NULL input doesn't return \"(NONE)\"\n"); goto err; } p = OPENSSL_cipher_name(NULL); if (!TEST_str_eq(p, "(NONE)")) { TEST_info("test_cipher_name(ossl) failed: NULL input doesn't return \"(NONE)\"\n"); goto err; } p = OPENSSL_cipher_name("This is not a valid cipher"); if (!TEST_str_eq(p, "(NONE)")) { TEST_info("test_cipher_name(ossl) failed: invalid input doesn't return \"(NONE)\"\n"); goto err; } /* tests for valid input */ ctx = SSL_CTX_new(TLS_server_method()); if (ctx == NULL) { TEST_info("test_cipher_name failed: internal error\n"); goto err; } if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { TEST_info("test_cipher_name failed: internal error\n"); goto err; } ssl = SSL_new(ctx); if (ssl == NULL) { TEST_info("test_cipher_name failed: internal error\n"); goto err; } sk = SSL_get_ciphers(ssl); if (sk == NULL) { TEST_info("test_cipher_name failed: internal error\n"); goto err; } for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { c = sk_SSL_CIPHER_value(sk, i); id = SSL_CIPHER_get_id(c) & 0xFFFF; if ((id == 0xFF85) || (id == 0xFF87)) /* skip GOST2012-GOST8912-GOST891 and GOST2012-NULL-GOST12 */ continue; p = SSL_CIPHER_standard_name(c); q = get_std_name_by_id(id); if (!TEST_ptr(p)) { TEST_info("test_cipher_name failed: expected %s, got NULL, cipher %x\n", q, id); goto err; } /* check if p is a valid standard name */ if (!TEST_str_eq(p, q)) { TEST_info("test_cipher_name(std) failed: expected %s, got %s, cipher %x\n", q, p, id); goto err; } /* test OPENSSL_cipher_name */ q = SSL_CIPHER_get_name(c); r = OPENSSL_cipher_name(p); if (!TEST_str_eq(r, q)) { TEST_info("test_cipher_name(ossl) failed: expected %s, got %s, cipher %x\n", q, r, id); goto err; } } ret = 1; err: SSL_CTX_free(ctx); SSL_free(ssl); return ret; }
void Context::createSSLContext() { if (SSLManager::isFIPSEnabled()) { _pSSLContext = SSL_CTX_new(TLSv1_method()); } else { switch (_usage) { case CLIENT_USE: #if OPENSSL_VERSION_NUMBER >= 0x10100000L _pSSLContext = SSL_CTX_new(TLS_client_method()); #else _pSSLContext = SSL_CTX_new(SSLv23_client_method()); #endif break; case SERVER_USE: #if OPENSSL_VERSION_NUMBER >= 0x10100000L _pSSLContext = SSL_CTX_new(TLS_server_method()); #else _pSSLContext = SSL_CTX_new(SSLv23_server_method()); #endif break; #if defined(SSL_OP_NO_TLSv1) && !defined(OPENSSL_NO_TLS1) case TLSV1_CLIENT_USE: _pSSLContext = SSL_CTX_new(TLSv1_client_method()); break; case TLSV1_SERVER_USE: _pSSLContext = SSL_CTX_new(TLSv1_server_method()); break; #endif #if defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1) /* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version supports TLSv1.1. * OPENSSL_NO_TLS1 is defined in opensslconf.h or on the compiler command line * if TLS1.x was removed at OpenSSL library build time via Configure options. */ case TLSV1_1_CLIENT_USE: _pSSLContext = SSL_CTX_new(TLSv1_1_client_method()); break; case TLSV1_1_SERVER_USE: _pSSLContext = SSL_CTX_new(TLSv1_1_server_method()); break; #endif #if defined(SSL_OP_NO_TLSv1_2) && !defined(OPENSSL_NO_TLS1) case TLSV1_2_CLIENT_USE: _pSSLContext = SSL_CTX_new(TLSv1_2_client_method()); break; case TLSV1_2_SERVER_USE: _pSSLContext = SSL_CTX_new(TLSv1_2_server_method()); break; #endif default: throw Poco::InvalidArgumentException("Invalid or unsupported usage"); } } if (!_pSSLContext) { unsigned long err = ERR_get_error(); throw SSLException("Cannot create SSL_CTX object", ERR_error_string(err, 0)); } SSL_CTX_set_default_passwd_cb(_pSSLContext, &SSLManager::privateKeyPassphraseCallback); Utility::clearErrorStack(); SSL_CTX_set_options(_pSSLContext, SSL_OP_ALL); }
int main(int argc, char *argv[]) { char *port = "*:4433"; BIO *ssl_bio, *tmp; SSL_CTX *ctx; SSL_CONF_CTX *cctx; char buf[512]; BIO *in = NULL; int ret = 1, i; char **args = argv + 1; int nargs = argc - 1; SSL_load_error_strings(); /* Add ciphers and message digests */ OpenSSL_add_ssl_algorithms(); ctx = SSL_CTX_new(TLS_server_method()); cctx = SSL_CONF_CTX_new(); SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE); SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); while (*args && **args == '-') { int rv; /* Parse standard arguments */ rv = SSL_CONF_cmd_argv(cctx, &nargs, &args); if (rv == -3) { fprintf(stderr, "Missing argument for %s\n", *args); goto err; } if (rv < 0) { fprintf(stderr, "Error in command %s\n", *args); ERR_print_errors_fp(stderr); goto err; } /* If rv > 0 we processed something so proceed to next arg */ if (rv > 0) continue; /* Otherwise application specific argument processing */ if (strcmp(*args, "-port") == 0) { port = args[1]; if (port == NULL) { fprintf(stderr, "Missing -port argument\n"); goto err; } args += 2; nargs -= 2; continue; } else { fprintf(stderr, "Unknown argument %s\n", *args); goto err; } } if (!SSL_CONF_CTX_finish(cctx)) { fprintf(stderr, "Finish error\n"); ERR_print_errors_fp(stderr); goto err; } #ifdef ITERATE_CERTS /* * Demo of how to iterate over all certificates in an SSL_CTX structure. */ { X509 *x; int rv; rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); while (rv) { X509 *x = SSL_CTX_get0_certificate(ctx); X509_NAME_print_ex_fp(stdout, X509_get_subject_name(x), 0, XN_FLAG_ONELINE); printf("\n"); rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT); } fflush(stdout); } #endif /* Setup server side SSL bio */ ssl_bio = BIO_new_ssl(ctx, 0); if ((in = BIO_new_accept(port)) == NULL) goto err; /* * This means that when a new connection is accepted on 'in', The ssl_bio * will be 'duplicated' and have the new socket BIO push into it. * Basically it means the SSL BIO will be automatically setup */ BIO_set_accept_bios(in, ssl_bio); again: /* * The first call will setup the accept socket, and the second will get a * socket. In this loop, the first actual accept will occur in the * BIO_read() function. */ if (BIO_do_accept(in) <= 0) goto err; for (;;) { i = BIO_read(in, buf, 512); if (i == 0) { /* * If we have finished, remove the underlying BIO stack so the * next time we call any function for this BIO, it will attempt * to do an accept */ printf("Done\n"); tmp = BIO_pop(in); BIO_free_all(tmp); goto again; } if (i < 0) goto err; fwrite(buf, 1, i, stdout); fflush(stdout); } ret = 0; err: if (ret) { ERR_print_errors_fp(stderr); } BIO_free(in); exit(ret); return (!ret); }
int ciphers_main(int argc, char **argv) { SSL_CTX *ctx = NULL; SSL *ssl = NULL; STACK_OF(SSL_CIPHER) *sk = NULL; const SSL_METHOD *meth = TLS_server_method(); int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0; #ifndef OPENSSL_NO_SSL_TRACE int stdname = 0; #endif #ifndef OPENSSL_NO_PSK int psk = 0; #endif #ifndef OPENSSL_NO_SRP int srp = 0; #endif const char *p; char *ciphers = NULL, *prog; char buf[512]; OPTION_CHOICE o; int min_version = 0, max_version = 0; prog = opt_init(argc, argv, ciphers_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { case OPT_EOF: case OPT_ERR: opthelp: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; case OPT_HELP: opt_help(ciphers_options); ret = 0; goto end; case OPT_V: verbose = 1; break; case OPT_UPPER_V: verbose = Verbose = 1; break; case OPT_S: use_supported = 1; break; case OPT_STDNAME: #ifndef OPENSSL_NO_SSL_TRACE stdname = verbose = 1; #endif break; case OPT_SSL3: min_version = SSL3_VERSION; max_version = SSL3_VERSION; break; case OPT_TLS1: min_version = TLS1_VERSION; max_version = TLS1_VERSION; break; case OPT_TLS1_1: min_version = TLS1_1_VERSION; max_version = TLS1_1_VERSION; break; case OPT_TLS1_2: min_version = TLS1_2_VERSION; max_version = TLS1_2_VERSION; break; case OPT_TLS1_3: min_version = TLS1_3_VERSION; max_version = TLS1_3_VERSION; break; case OPT_PSK: #ifndef OPENSSL_NO_PSK psk = 1; #endif break; case OPT_SRP: #ifndef OPENSSL_NO_SRP srp = 1; #endif break; } } argv = opt_rest(); argc = opt_num_rest(); if (argc == 1) ciphers = *argv; else if (argc != 0) goto opthelp; ctx = SSL_CTX_new(meth); if (ctx == NULL) goto err; if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0) goto err; if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0) goto err; #ifndef OPENSSL_NO_PSK if (psk) SSL_CTX_set_psk_client_callback(ctx, dummy_psk); #endif #ifndef OPENSSL_NO_SRP if (srp) SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp); #endif if (ciphers != NULL) { if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { BIO_printf(bio_err, "Error in cipher list\n"); goto err; } } ssl = SSL_new(ctx); if (ssl == NULL) goto err; if (use_supported) sk = SSL_get1_supported_ciphers(ssl); else sk = SSL_get_ciphers(ssl); if (!verbose) { for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); p = SSL_CIPHER_get_name(c); if (p == NULL) break; if (i != 0) BIO_printf(bio_out, ":"); BIO_printf(bio_out, "%s", p); } BIO_printf(bio_out, "\n"); } else { for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { const SSL_CIPHER *c; c = sk_SSL_CIPHER_value(sk, i); if (Verbose) { unsigned long id = SSL_CIPHER_get_id(c); int id0 = (int)(id >> 24); int id1 = (int)((id >> 16) & 0xffL); int id2 = (int)((id >> 8) & 0xffL); int id3 = (int)(id & 0xffL); if ((id & 0xff000000L) == 0x03000000L) BIO_printf(bio_out, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 * cipher */ else BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ } #ifndef OPENSSL_NO_SSL_TRACE if (stdname) { const char *nm = SSL_CIPHER_standard_name(c); if (nm == NULL) nm = "UNKNOWN"; BIO_printf(bio_out, "%s - ", nm); } #endif BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof buf)); } } ret = 0; goto end; err: ERR_print_errors(bio_err); end: if (use_supported) sk_SSL_CIPHER_free(sk); SSL_CTX_free(ctx); SSL_free(ssl); return (ret); }
/** Initialize the SSL context. * \return pointer to SSL context object. */ SSL_CTX * ssl_init(char *private_key_file, char *ca_file, char *ca_dir, int req_client_cert) { const SSL_METHOD *meth; /* If this const gives you a warning, you're using an old version of OpenSSL. Walker, this means you! */ /* uint8_t context[128]; */ unsigned int reps = 1; pcg32_random_t rand_state; uint64_t seeds[2]; bool seeded = false; if (!bio_err) { if (!SSL_library_init()) return NULL; SSL_load_error_strings(); /* Error write context */ bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); } lock_file(stderr); fputs("Seeding OpenSSL random number pool.\n", stderr); unlock_file(stderr); while (!RAND_status()) { /* At this point, a system with /dev/urandom or a EGD file in the usual places will have enough entropy. Otherwise, be lazy and use random numbers until it's satisfied. */ uint32_t gibberish[8]; int n; if (!seeded) { generate_seed(seeds); pcg32_srandom_r(&rand_state, seeds[0], seeds[1]); seeded = 1; } for (n = 0; n < 8; n++) gibberish[n] = pcg32_random_r(&rand_state); RAND_seed(gibberish, sizeof gibberish); reps += 1; } lock_file(stderr); fprintf(stderr, "Seeded after %u %s.\n", reps, reps > 1 ? "cycles" : "cycle"); unlock_file(stderr); /* Set up SIGPIPE handler here? */ /* Create context */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L meth = TLS_server_method(); #else meth = SSLv23_server_method(); #endif ctx = SSL_CTX_new(meth); SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); /* Load keys/certs */ if (private_key_file && *private_key_file) { if (!SSL_CTX_use_certificate_chain_file(ctx, private_key_file)) { ssl_errordump("Unable to load server certificate - only anonymous " "ciphers supported."); } if (!SSL_CTX_use_PrivateKey_file(ctx, private_key_file, SSL_FILETYPE_PEM)) { ssl_errordump( "Unable to load private key - only anonymous ciphers supported."); } } /* Load trusted CAs */ if ((ca_file && *ca_file) || (ca_dir && *ca_dir)) { if (!SSL_CTX_load_verify_locations(ctx, (ca_file && *ca_file) ? ca_file : NULL, (ca_dir && *ca_dir) ? ca_dir : NULL)) { ssl_errordump("Unable to load CA certificates"); } { STACK_OF(X509_NAME) *certs = NULL; if (ca_file && *ca_file) certs = SSL_load_client_CA_file(ca_file); if (certs) SSL_CTX_set_client_CA_list(ctx, certs); if (req_client_cert) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, client_verify_callback); else SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, client_verify_callback); #if (OPENSSL_VERSION_NUMBER < 0x0090600fL) SSL_CTX_set_verify_depth(ctx, 1); #endif } } SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE | SSL_OP_ALL); SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); /* Set up DH key */ { DH *dh; dh = get_dh2048(); SSL_CTX_set_tmp_dh(ctx, dh); DH_free(dh); } #ifdef NID_X9_62_prime256v1 /* Set up ECDH key */ { EC_KEY *ecdh = NULL; ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); SSL_CTX_set_tmp_ecdh(ctx, ecdh); EC_KEY_free(ecdh); } #endif /* Set the cipher list to the usual default list, except that * we'll allow anonymous diffie-hellman, too. */ SSL_CTX_set_cipher_list(ctx, "ALL:ECDH:ADH:!LOW:!MEDIUM:@STRENGTH"); /* Set up session cache if we can */ /* strncpy((char *) context, MUDNAME, 128); SSL_CTX_set_session_id_context(ctx, context, strlen(context)); */ return ctx; }
static int test_handshake(int idx) { int ret = 0; SSL_CTX *server_ctx = NULL, *server2_ctx = NULL, *client_ctx = NULL, *resume_server_ctx = NULL, *resume_client_ctx = NULL; SSL_TEST_CTX *test_ctx = NULL; HANDSHAKE_RESULT *result = NULL; char test_app[MAX_TESTCASE_NAME_LENGTH]; BIO_snprintf(test_app, sizeof(test_app), "test-%d", idx); test_ctx = SSL_TEST_CTX_create(conf, test_app); if (test_ctx == NULL) goto err; #ifndef OPENSSL_NO_DTLS if (test_ctx->method == SSL_TEST_METHOD_DTLS) { server_ctx = SSL_CTX_new(DTLS_server_method()); if (test_ctx->extra.server.servername_callback != SSL_TEST_SERVERNAME_CB_NONE) { server2_ctx = SSL_CTX_new(DTLS_server_method()); TEST_check(server2_ctx != NULL); } client_ctx = SSL_CTX_new(DTLS_client_method()); if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) { resume_server_ctx = SSL_CTX_new(DTLS_server_method()); resume_client_ctx = SSL_CTX_new(DTLS_client_method()); TEST_check(resume_server_ctx != NULL); TEST_check(resume_client_ctx != NULL); } } #endif if (test_ctx->method == SSL_TEST_METHOD_TLS) { server_ctx = SSL_CTX_new(TLS_server_method()); /* SNI on resumption isn't supported/tested yet. */ if (test_ctx->extra.server.servername_callback != SSL_TEST_SERVERNAME_CB_NONE) { server2_ctx = SSL_CTX_new(TLS_server_method()); TEST_check(server2_ctx != NULL); } client_ctx = SSL_CTX_new(TLS_client_method()); if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) { resume_server_ctx = SSL_CTX_new(TLS_server_method()); resume_client_ctx = SSL_CTX_new(TLS_client_method()); TEST_check(resume_server_ctx != NULL); TEST_check(resume_client_ctx != NULL); } } TEST_check(server_ctx != NULL); TEST_check(client_ctx != NULL); TEST_check(CONF_modules_load(conf, test_app, 0) > 0); if (!SSL_CTX_config(server_ctx, "server") || !SSL_CTX_config(client_ctx, "client")) { goto err; } if (server2_ctx != NULL && !SSL_CTX_config(server2_ctx, "server2")) goto err; if (resume_server_ctx != NULL && !SSL_CTX_config(resume_server_ctx, "resume-server")) goto err; if (resume_client_ctx != NULL && !SSL_CTX_config(resume_client_ctx, "resume-client")) goto err; result = do_handshake(server_ctx, server2_ctx, client_ctx, resume_server_ctx, resume_client_ctx, test_ctx); ret = check_test(result, test_ctx); err: CONF_modules_unload(0); SSL_CTX_free(server_ctx); SSL_CTX_free(server2_ctx); SSL_CTX_free(client_ctx); SSL_CTX_free(resume_server_ctx); SSL_CTX_free(resume_client_ctx); SSL_TEST_CTX_free(test_ctx); HANDSHAKE_RESULT_free(result); return ret; }
int mowgli_vio_openssl_default_listen(mowgli_vio_t *vio, int backlog) { return_val_if_fail(vio, -255); mowgli_ssl_connection_t *connection = vio->privdata; const int fd = mowgli_vio_getfd(vio); vio->error.op = MOWGLI_VIO_ERR_OP_LISTEN; #ifndef MOWGLI_HAVE_OPENSSL_TLS_METHOD_API connection->ssl_context = SSL_CTX_new(SSLv23_server_method()); #else connection->ssl_context = SSL_CTX_new(TLS_server_method()); #endif if (connection->ssl_context == NULL) return mowgli_vio_err_sslerrcode(vio, ERR_get_error()); #ifndef MOWGLI_HAVE_OPENSSL_TLS_METHOD_API # ifdef SSL_OP_NO_SSLv2 SSL_CTX_set_options(connection->ssl_context, SSL_OP_NO_SSLv2); # endif # ifdef SSL_OP_NO_SSLv3 SSL_CTX_set_options(connection->ssl_context, SSL_OP_NO_SSLv3); # endif #endif connection->ssl_handle = SSL_new(connection->ssl_context); if (connection->ssl_handle == NULL) return mowgli_vio_err_sslerrcode(vio, ERR_get_error()); SSL_set_accept_state(connection->ssl_handle); SSL_CTX_set_options(connection->ssl_context, SSL_OP_SINGLE_DH_USE); #ifdef OPENSSL_EC_AVAILABLE # ifdef MOWGLI_HAVE_OPENSSL_ECDH_AUTO SSL_CTX_set_ecdh_auto(connection->ssl_context, 1); # else EC_KEY *ec_key_p256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (ec_key_p256 != NULL) { SSL_CTX_set_tmp_ecdh(connection->ssl_context, ec_key_p256); EC_KEY_free(ec_key_p256); ec_key_p256 = NULL; } # endif # ifdef SSL_OP_SINGLE_ECDH_USE SSL_CTX_set_options(connection->ssl_context, SSL_OP_SINGLE_ECDH_USE); # endif #endif if (connection->settings.password_func) { SSL_CTX_set_default_passwd_cb(connection->ssl_context, connection->settings.password_func); SSL_CTX_set_default_passwd_cb_userdata(connection->ssl_context, vio->userdata); } if (SSL_CTX_use_certificate_file(connection->ssl_context, connection->settings.cert_path, SSL_FILETYPE_PEM) != 1) return mowgli_vio_err_sslerrcode(vio, ERR_get_error()); if (SSL_CTX_use_PrivateKey_file(connection->ssl_context, connection->settings.privatekey_path, SSL_FILETYPE_PEM) != 1) return mowgli_vio_err_sslerrcode(vio, ERR_get_error()); if (listen(fd, backlog) != 0) return mowgli_vio_err_errcode(vio, strerror, errno); if (!SSL_set_fd(connection->ssl_handle, fd)) return mowgli_vio_err_sslerrcode(vio, ERR_get_error()); mowgli_vio_setflag(vio, MOWGLI_VIO_FLAGS_ISSERVER, true); vio->error.op = MOWGLI_VIO_ERR_OP_NONE; return 0; }
static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) { SSL_CTX *sctx = NULL, *cctx = NULL; SSL *serverssl1 = NULL, *clientssl1 = NULL; SSL *serverssl2 = NULL, *clientssl2 = NULL; #ifndef OPENSSL_NO_TLS1_1 SSL *serverssl3 = NULL, *clientssl3 = NULL; #endif SSL_SESSION *sess1 = NULL, *sess2 = NULL; int testresult = 0; if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, &cctx, cert, privkey)) { printf("Unable to create SSL_CTX pair\n"); return 0; } #ifndef OPENSSL_NO_TLS1_2 /* Only allow TLS1.2 so we can force a connection failure later */ SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION); #endif /* Set up session cache */ if (fix.use_ext_cache) { SSL_CTX_sess_set_new_cb(cctx, new_session_cb); SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb); } if (fix.use_int_cache) { /* Also covers instance where both are set */ SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT); } else { SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE); } if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL, NULL)) { printf("Unable to create SSL objects\n"); goto end; } if (!create_ssl_connection(serverssl1, clientssl1)) { printf("Unable to create SSL connection\n"); goto end; } sess1 = SSL_get1_session(clientssl1); if (sess1 == NULL) { printf("Unexpected NULL session\n"); goto end; } if (fix.use_int_cache && SSL_CTX_add_session(cctx, sess1)) { /* Should have failed because it should already be in the cache */ printf("Unexpected success adding session to cache\n"); goto end; } if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) { printf("Session not added to cache\n"); goto end; } if (!create_ssl_objects(sctx, cctx, &serverssl2, &clientssl2, NULL, NULL)) { printf("Unable to create second SSL objects\n"); goto end; } if (!create_ssl_connection(serverssl2, clientssl2)) { printf("Unable to create second SSL connection\n"); goto end; } sess2 = SSL_get1_session(clientssl2); if (sess2 == NULL) { printf("Unexpected NULL session from clientssl2\n"); goto end; } if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) { printf("Remove session callback unexpectedly called\n"); goto end; } /* * This should clear sess2 from the cache because it is a "bad" session. See * SSL_set_session() documentation. */ if (!SSL_set_session(clientssl2, sess1)) { printf("Unexpected failure setting session\n"); goto end; } if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) { printf("Failed to call callback to remove session\n"); goto end; } if (SSL_get_session(clientssl2) != sess1) { printf("Unexpected session found\n"); goto end; } if (fix.use_int_cache) { if (!SSL_CTX_add_session(cctx, sess2)) { /* * Should have succeeded because it should not already be in the cache */ printf("Unexpected failure adding session to cache\n"); goto end; } if (!SSL_CTX_remove_session(cctx, sess2)) { printf("Unexpected failure removing session from cache\n"); goto end; } /* This is for the purposes of internal cache testing...ignore the * counter for external cache */ if (fix.use_ext_cache) remove_called--; } /* This shouldn't be in the cache so should fail */ if (SSL_CTX_remove_session(cctx, sess2)) { printf("Unexpected success removing session from cache\n"); goto end; } if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) { printf("Failed to call callback to remove session #2\n"); goto end; } #if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2) /* Force a connection failure */ SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); if (!create_ssl_objects(sctx, cctx, &serverssl3, &clientssl3, NULL, NULL)) { printf("Unable to create third SSL objects\n"); goto end; } if (!SSL_set_session(clientssl3, sess1)) { printf("Unable to set session for third connection\n"); goto end; } /* This should fail because of the mismatched protocol versions */ if (create_ssl_connection(serverssl3, clientssl3)) { printf("Unable to create third SSL connection\n"); goto end; } /* We should have automatically removed the session from the cache */ if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) { printf("Failed to call callback to remove session #2\n"); goto end; } if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) { /* * Should have succeeded because it should not already be in the cache */ printf("Unexpected failure adding session to cache #2\n"); goto end; } #endif testresult = 1; end: SSL_free(serverssl1); SSL_free(clientssl1); SSL_free(serverssl2); SSL_free(clientssl2); #ifndef OPENSSL_NO_TLS1_1 SSL_free(serverssl3); SSL_free(clientssl3); #endif SSL_SESSION_free(sess1); SSL_SESSION_free(sess2); /* * Check if we need to remove any sessions up-refed for the external cache */ if (new_called >= 1) SSL_SESSION_free(sess1); if (new_called >= 2) SSL_SESSION_free(sess2); SSL_CTX_free(sctx); SSL_CTX_free(cctx); return testresult; }
int main(int argc, char *argv[]) { char *port = NULL; BIO *ssl_bio, *tmp; SSL_CTX *ctx; char buf[512]; int ret = 1, i; if (argc <= 1) port = "*:4433"; else port = argv[1]; signal(SIGINT, close_up); SSL_load_error_strings(); /* Add ciphers and message digests */ OpenSSL_add_ssl_algorithms(); ctx = SSL_CTX_new(TLS_server_method()); if (!SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM)) goto err; if (!SSL_CTX_use_PrivateKey_file(ctx, CERT_FILE, SSL_FILETYPE_PEM)) goto err; if (!SSL_CTX_check_private_key(ctx)) goto err; /* Setup server side SSL bio */ ssl_bio = BIO_new_ssl(ctx, 0); if ((in = BIO_new_accept(port)) == NULL) goto err; /* * This means that when a new connection is accepted on 'in', The ssl_bio * will be 'duplicated' and have the new socket BIO push into it. * Basically it means the SSL BIO will be automatically setup */ BIO_set_accept_bios(in, ssl_bio); again: /* * The first call will setup the accept socket, and the second will get a * socket. In this loop, the first actual accept will occur in the * BIO_read() function. */ if (BIO_do_accept(in) <= 0) goto err; for (;;) { i = BIO_read(in, buf, 512); if (i == 0) { /* * If we have finished, remove the underlying BIO stack so the * next time we call any function for this BIO, it will attempt * to do an accept */ printf("Done\n"); tmp = BIO_pop(in); BIO_free_all(tmp); goto again; } if (i < 0) goto err; fwrite(buf, 1, i, stdout); fflush(stdout); } ret = 0; err: if (ret) { ERR_print_errors_fp(stderr); } BIO_free(in); exit(ret); return (!ret); }
int rb_setup_ssl_server(const char *certfile, const char *keyfile, const char *dhfile, const char *cipher_list) { const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!aNULL"; #ifdef LRB_HAVE_TLS_SET_CURVES const char librb_curves[] = "P-521:P-384:P-256"; #endif if(certfile == NULL) { rb_lib_log("rb_setup_ssl_server: No certificate file"); return 0; } if(keyfile == NULL) keyfile = certfile; if(cipher_list == NULL) cipher_list = librb_ciphers; if (ssl_server_ctx) SSL_CTX_free(ssl_server_ctx); if (ssl_client_ctx) SSL_CTX_free(ssl_client_ctx); #ifdef LRB_HAVE_TLS_METHOD_API ssl_server_ctx = SSL_CTX_new(TLS_server_method()); ssl_client_ctx = SSL_CTX_new(TLS_client_method()); #else ssl_server_ctx = SSL_CTX_new(SSLv23_server_method()); ssl_client_ctx = SSL_CTX_new(SSLv23_client_method()); #endif if(ssl_server_ctx == NULL) { rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s", get_ssl_error(ERR_get_error())); return 0; } if(ssl_client_ctx == NULL) { rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s", get_ssl_error(ERR_get_error())); return 0; } #ifndef LRB_HAVE_TLS_METHOD_API SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); #endif #ifdef SSL_OP_SINGLE_DH_USE SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_DH_USE); #endif #ifdef SSL_OP_SINGLE_ECDH_USE SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE); #endif #ifdef SSL_OP_NO_TICKET SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_TICKET); SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET); #endif #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE SSL_CTX_set_options(ssl_server_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); #endif SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb); SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF); #ifdef LRB_HAVE_TLS_SET_CURVES SSL_CTX_set1_curves_list(ssl_server_ctx, librb_curves); #endif #ifdef LRB_HAVE_TLS_ECDH_AUTO SSL_CTX_set_ecdh_auto(ssl_server_ctx, 1); #endif /* * Set manual ECDHE curve on OpenSSL 1.0.0 & 1.0.1, but make sure it's actually available */ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(OPENSSL_NO_ECDH) EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1); if (key) { SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key); EC_KEY_free(key); } #endif SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list); SSL_CTX_set_cipher_list(ssl_client_ctx, cipher_list); if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, certfile) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, certfile)) { rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", certfile, get_ssl_error(ERR_get_error())); return 0; } if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM)) { rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile, get_ssl_error(ERR_get_error())); return 0; } if(dhfile != NULL) { /* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */ FILE *fp = fopen(dhfile, "r"); DH *dh = NULL; if(fp == NULL) { rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s", dhfile, strerror(errno)); } else if(PEM_read_DHparams(fp, &dh, NULL, NULL) == NULL) { rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s", dhfile, get_ssl_error(ERR_get_error())); fclose(fp); } else { SSL_CTX_set_tmp_dh(ssl_server_ctx, dh); DH_free(dh); fclose(fp); } } return 1; }
static int test_large_message_tls_read_ahead(void) { return execute_test_large_message(TLS_server_method(), TLS_client_method(), 1); }
int rb_init_ssl(void) { int ret = 1; char libratbox_data[] = "libratbox data"; const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL"; SSL_load_error_strings(); SSL_library_init(); libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL); #if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L) ssl_server_ctx = SSL_CTX_new(SSLv23_server_method()); #else ssl_server_ctx = SSL_CTX_new(TLS_server_method()); #endif if(ssl_server_ctx == NULL) { rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s", get_ssl_error(ERR_get_error())); ret = 0; } long server_options = SSL_CTX_get_options(ssl_server_ctx); #if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L) server_options |= SSL_OP_NO_SSLv2; server_options |= SSL_OP_NO_SSLv3; #endif #ifdef SSL_OP_SINGLE_DH_USE server_options |= SSL_OP_SINGLE_DH_USE; #endif #ifdef SSL_OP_SINGLE_ECDH_USE server_options |= SSL_OP_SINGLE_ECDH_USE; #endif #ifdef SSL_OP_NO_TICKET server_options |= SSL_OP_NO_TICKET; #endif server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE; SSL_CTX_set_options(ssl_server_ctx, server_options); SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb); SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers); /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks and bastardise their OpenSSL for stupid reasons... */ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1) EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1); if (key) { SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key); EC_KEY_free(key); } #endif #if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L) ssl_client_ctx = SSL_CTX_new(TLSv1_client_method()); #else ssl_client_ctx = SSL_CTX_new(TLS_client_method()); #endif if(ssl_client_ctx == NULL) { rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s", get_ssl_error(ERR_get_error())); ret = 0; } #ifdef SSL_OP_NO_TICKET SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET); #endif SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers); return ret; }
static int test_tlsext_status_type(void) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; STACK_OF(OCSP_RESPID) *ids = NULL; OCSP_RESPID *id = NULL; BIO *certbio = NULL; if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, &cctx, cert, privkey)) { printf("Unable to create SSL_CTX pair\n"); return 0; } if (SSL_CTX_get_tlsext_status_type(cctx) != -1) { printf("Unexpected initial value for " "SSL_CTX_get_tlsext_status_type()\n"); goto end; } /* First just do various checks getting and setting tlsext_status_type */ clientssl = SSL_new(cctx); if (SSL_get_tlsext_status_type(clientssl) != -1) { printf("Unexpected initial value for SSL_get_tlsext_status_type()\n"); goto end; } if (!SSL_set_tlsext_status_type(clientssl, TLSEXT_STATUSTYPE_ocsp)) { printf("Unexpected fail for SSL_set_tlsext_status_type()\n"); goto end; } if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) { printf("Unexpected result for SSL_get_tlsext_status_type()\n"); goto end; } SSL_free(clientssl); clientssl = NULL; if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)) { printf("Unexpected fail for SSL_CTX_set_tlsext_status_type()\n"); goto end; } if (SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) { printf("Unexpected result for SSL_CTX_get_tlsext_status_type()\n"); goto end; } clientssl = SSL_new(cctx); if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) { printf("Unexpected result for SSL_get_tlsext_status_type() (test 2)\n"); goto end; } SSL_free(clientssl); clientssl = NULL; /* * Now actually do a handshake and check OCSP information is exchanged and * the callbacks get called */ SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb); SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg); SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb); SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg); if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { printf("Unable to create SSL objects\n"); goto end; } if (!create_ssl_connection(serverssl, clientssl)) { printf("Unable to create SSL connection\n"); goto end; } if (!ocsp_client_called || !ocsp_server_called) { printf("OCSP callbacks not called\n"); goto end; } SSL_free(serverssl); SSL_free(clientssl); serverssl = NULL; clientssl = NULL; /* Try again but this time force the server side callback to fail */ ocsp_client_called = 0; ocsp_server_called = 0; cdummyarg = 0; if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { printf("Unable to create SSL objects\n"); goto end; } /* This should fail because the callback will fail */ if (create_ssl_connection(serverssl, clientssl)) { printf("Unexpected success creating the connection\n"); goto end; } if (ocsp_client_called || ocsp_server_called) { printf("OCSP callbacks successfully called unexpectedly\n"); goto end; } SSL_free(serverssl); SSL_free(clientssl); serverssl = NULL; clientssl = NULL; /* * This time we'll get the client to send an OCSP_RESPID that it will * accept. */ ocsp_client_called = 0; ocsp_server_called = 0; cdummyarg = 2; if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { printf("Unable to create SSL objects\n"); goto end; } /* * We'll just use any old cert for this test - it doesn't have to be an OCSP * specific one. We'll use the server cert. */ certbio = BIO_new_file(cert, "r"); if (certbio == NULL) { printf("Can't load the certificate file\n"); goto end; } id = OCSP_RESPID_new(); ids = sk_OCSP_RESPID_new_null(); ocspcert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); if (id == NULL || ids == NULL || ocspcert == NULL || !OCSP_RESPID_set_by_key(id, ocspcert) || !sk_OCSP_RESPID_push(ids, id)) { printf("Unable to set OCSP_RESPIDs\n"); goto end; } id = NULL; SSL_set_tlsext_status_ids(clientssl, ids); /* Control has been transferred */ ids = NULL; BIO_free(certbio); certbio = NULL; if (!create_ssl_connection(serverssl, clientssl)) { printf("Unable to create SSL connection\n"); goto end; } if (!ocsp_client_called || !ocsp_server_called) { printf("OCSP callbacks not called\n"); goto end; } testresult = 1; end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); SSL_CTX_free(cctx); sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free); OCSP_RESPID_free(id); BIO_free(certbio); X509_free(ocspcert); ocspcert = NULL; return testresult; }
int rb_init_ssl(void) { int ret = 1; char librb_data[] = "librb data"; const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL"; SSL_load_error_strings(); SSL_library_init(); librb_index = SSL_get_ex_new_index(0, librb_data, NULL, NULL, NULL); #ifndef LRB_HAVE_TLS_METHOD_API ssl_server_ctx = SSL_CTX_new(SSLv23_server_method()); #else ssl_server_ctx = SSL_CTX_new(TLS_server_method()); #endif if(ssl_server_ctx == NULL) { rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s", get_ssl_error(ERR_get_error())); ret = 0; } long server_options = SSL_CTX_get_options(ssl_server_ctx); #ifndef LRB_HAVE_TLS_METHOD_API server_options |= SSL_OP_NO_SSLv2; server_options |= SSL_OP_NO_SSLv3; #endif #ifdef SSL_OP_SINGLE_DH_USE server_options |= SSL_OP_SINGLE_DH_USE; #endif #ifdef SSL_OP_SINGLE_ECDH_USE server_options |= SSL_OP_SINGLE_ECDH_USE; #endif #ifdef SSL_OP_NO_TICKET server_options |= SSL_OP_NO_TICKET; #endif server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE; SSL_CTX_set_options(ssl_server_ctx, server_options); SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb); SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_cipher_list(ssl_server_ctx, librb_ciphers); /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available * (it's not by default on Solaris or Red Hat... f**k Red Hat and Oracle) */ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(OPENSSL_NO_ECDH) EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1); if (key) { SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key); EC_KEY_free(key); } #endif #ifndef LRB_HAVE_TLS_METHOD_API ssl_client_ctx = SSL_CTX_new(SSLv23_client_method()); #else ssl_client_ctx = SSL_CTX_new(TLS_client_method()); #endif if(ssl_client_ctx == NULL) { rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s", get_ssl_error(ERR_get_error())); ret = 0; } #ifndef LRB_HAVE_TLS_METHOD_API SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); #endif #ifdef SSL_OP_NO_TICKET SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET); #endif SSL_CTX_set_cipher_list(ssl_client_ctx, librb_ciphers); return ret; }
static int test_set_sigalgs(int idx) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; const sigalgs_list *curr; int testctx; /* Should never happen */ if ((size_t)idx >= OSSL_NELEM(testsigalgs) * 2) return 0; testctx = ((size_t)idx < OSSL_NELEM(testsigalgs)); curr = testctx ? &testsigalgs[idx] : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, &cctx, cert, privkey)) { printf("Unable to create SSL_CTX pair\n"); return 0; } if (testctx) { int ret; if (curr->list != NULL) ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen); else ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr); if (!ret) { if (curr->valid) printf("Unexpected failure setting sigalgs in SSL_CTX (%d)\n", idx); else testresult = 1; goto end; } if (!curr->valid) { printf("Unexpected success setting sigalgs in SSL_CTX (%d)\n", idx); goto end; } } if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { printf("Unable to create SSL objects\n"); goto end; } if (!testctx) { int ret; if (curr->list != NULL) ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen); else ret = SSL_set1_sigalgs_list(clientssl, curr->liststr); if (!ret) { if (curr->valid) printf("Unexpected failure setting sigalgs in SSL (%d)\n", idx); else testresult = 1; goto end; } if (!curr->valid) { printf("Unexpected success setting sigalgs in SSL (%d)\n", idx); goto end; } } if (curr->connsuccess != create_ssl_connection(serverssl, clientssl)) { printf("Unexpected return value creating SSL connection (%d)\n", idx); goto end; } testresult = 1; end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); SSL_CTX_free(cctx); return testresult; }
BOOL create_ssl(int sockfd, const char* ca_crt_root, const char* ca_crt_server, const char* ca_password, const char* ca_key_server, BOOL enableclientcacheck, SSL** pp_ssl, SSL_CTX** pp_ssl_ctx) { int ssl_rc = -1; BOOL b_ssl_accepted; X509* client_cert; SSL_METHOD* meth = NULL; #if OPENSSL_VERSION_NUMBER >= 0x010100000L meth = (SSL_METHOD*)TLS_server_method(); #else meth = (SSL_METHOD*)SSLv23_server_method(); #endif /* OPENSSL_VERSION_NUMBER */ *pp_ssl_ctx = SSL_CTX_new(meth); if(!*pp_ssl_ctx) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl3; } if(enableclientcacheck) { SSL_CTX_set_verify(*pp_ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); SSL_CTX_set_verify_depth(*pp_ssl_ctx, 4); } SSL_CTX_load_verify_locations(*pp_ssl_ctx, ca_crt_root, NULL); if(SSL_CTX_use_certificate_file(*pp_ssl_ctx, ca_crt_server, SSL_FILETYPE_PEM) <= 0) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl3; } SSL_CTX_set_default_passwd_cb_userdata(*pp_ssl_ctx, (char*)ca_password); if(SSL_CTX_use_PrivateKey_file(*pp_ssl_ctx, ca_key_server, SSL_FILETYPE_PEM) <= 0) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl3; } if(!SSL_CTX_check_private_key(*pp_ssl_ctx)) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl3; } ssl_rc = SSL_CTX_set_cipher_list(*pp_ssl_ctx, "ALL"); if(ssl_rc == 0) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_CTX_set_cipher_list: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl3; } SSL_CTX_set_mode(*pp_ssl_ctx, SSL_MODE_AUTO_RETRY); *pp_ssl = SSL_new(*pp_ssl_ctx); if(!*pp_ssl) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_new: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl2; } ssl_rc = SSL_set_fd(*pp_ssl, sockfd); if(ssl_rc == 0) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_set_fd: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl2; } ssl_rc = SSL_set_cipher_list(*pp_ssl, "ALL"); if(ssl_rc == 0) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_set_cipher_list: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl2; } ssl_rc = SSL_accept(*pp_ssl); if(ssl_rc < 0) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_accept: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl2; } else if(ssl_rc = 0) { goto clean_ssl1; } b_ssl_accepted = TRUE; if(enableclientcacheck) { ssl_rc = SSL_get_verify_result(*pp_ssl); if(ssl_rc != X509_V_OK) { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_get_verify_result: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl1; } } if(enableclientcacheck) { X509* client_cert; client_cert = SSL_get_peer_certificate(*pp_ssl); if (client_cert != NULL) { X509_free (client_cert); } else { CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME); uTrace.Write(Trace_Error, "SSL_get_peer_certificate: %s", ERR_error_string(ERR_get_error(),NULL)); goto clean_ssl1; } } return TRUE; clean_ssl1: if(*pp_ssl && b_ssl_accepted) { SSL_shutdown(*pp_ssl); b_ssl_accepted = FALSE; } clean_ssl2: if(*pp_ssl) { SSL_free(*pp_ssl); *pp_ssl = NULL; } clean_ssl3: if(*pp_ssl_ctx) { SSL_CTX_free(*pp_ssl_ctx); *pp_ssl_ctx = NULL; } return FALSE; }