static int execute_test(SSL_TEST_FIXTURE fixture)
{
int ret = 0;
SSL_CTX *server_ctx = NULL, *server2_ctx = NULL, *client_ctx = NULL;
SSL_TEST_CTX *test_ctx = NULL;
HANDSHAKE_RESULT result;
test_ctx = SSL_TEST_CTX_create(conf, fixture.test_app);
if (test_ctx == NULL)
goto err;
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new(DTLS_server_method());
if (test_ctx->servername_callback != SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(DTLS_server_method());
OPENSSL_assert(server2_ctx != NULL);
}
client_ctx = SSL_CTX_new(DTLS_client_method());
}
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
server_ctx = SSL_CTX_new(TLS_server_method());
if (test_ctx->servername_callback != SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(TLS_server_method());
OPENSSL_assert(server2_ctx != NULL);
}
client_ctx = SSL_CTX_new(TLS_client_method());
}
OPENSSL_assert(server_ctx != NULL && client_ctx != NULL);
OPENSSL_assert(CONF_modules_load(conf, fixture.test_app, 0) > 0);
if (!SSL_CTX_config(server_ctx, "server")
|| !SSL_CTX_config(client_ctx, "client")) {
goto err;
}
if (server2_ctx != NULL && !SSL_CTX_config(server2_ctx, "server2"))
goto err;
result = do_handshake(server_ctx, server2_ctx, client_ctx, test_ctx);
ret = check_test(result, test_ctx);
err:
CONF_modules_unload(0);
SSL_CTX_free(server_ctx);
SSL_CTX_free(server2_ctx);
SSL_CTX_free(client_ctx);
SSL_TEST_CTX_free(test_ctx);
if (ret != 1)
ERR_print_errors_fp(stderr);
return ret;
}
static int server_setup_sni(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL)))
goto end;
/* set SNI at server side */
SSL_set_tlsext_host_name(serverssl, host);
if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
goto end;
if (!TEST_ptr_null(SSL_get_servername(serverssl,
TLSEXT_NAMETYPE_host_name))) {
/* SNI should have been cleared during handshake */
goto end;
}
testresult = 1;
end:
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
static CIPHERLIST_TEST_FIXTURE set_up(const char *const test_case_name)
{
CIPHERLIST_TEST_FIXTURE fixture;
fixture.test_case_name = test_case_name;
fixture.server = SSL_CTX_new(TLS_server_method());
fixture.client = SSL_CTX_new(TLS_client_method());
OPENSSL_assert(fixture.client != NULL && fixture.server != NULL);
return fixture;
}
int setup_tests(void)
{
if (!TEST_ptr(ctx = SSL_CTX_new(TLS_server_method()))
|| !TEST_ptr(s = SSL_new(ctx)))
return 0;
ADD_TEST(test_empty);
ADD_TEST(test_unsupported);
ADD_TEST(test_v2);
ADD_TEST(test_v3);
return 1;
}
static CIPHERLIST_TEST_FIXTURE *set_up(const char *const test_case_name)
{
CIPHERLIST_TEST_FIXTURE *fixture;
if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
return NULL;
fixture->test_case_name = test_case_name;
if (!TEST_ptr(fixture->server = SSL_CTX_new(TLS_server_method()))
|| !TEST_ptr(fixture->client = SSL_CTX_new(TLS_client_method()))) {
tear_down(fixture);
return NULL;
}
return fixture;
}
static const SSL_METHOD *tls1_get_server_method(int ver)
{
if (ver == TLS_ANY_VERSION)
return TLS_server_method();
if (ver == TLS1_2_VERSION)
return TLSv1_2_server_method();
if (ver == TLS1_1_VERSION)
return TLSv1_1_server_method();
if (ver == TLS1_VERSION)
return TLSv1_server_method();
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_server_method());
#endif
return NULL;
}
noPollPtr ssl_context_creator (noPollCtx * ctx, noPollConn * conn, noPollConnOpts * opts, nopoll_bool is_client, noPollPtr user_data)
{
SSL_CTX * ssl_ctx;
noPollConn * listener;
/* very basic context creation using default settings provided
* by OpenSSL */
if (is_client) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
return SSL_CTX_new (TLSv1_client_method ());
#else
return SSL_CTX_new (TLS_client_method ());
#endif
} /* end if */
/* get the ssl context */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
ssl_ctx = SSL_CTX_new (TLSv1_server_method ());
#else
ssl_ctx = SSL_CTX_new (TLS_server_method ());
#endif
/* get a reference to the listener */
listener = nopoll_conn_get_listener (conn);
if (nopoll_cmp ("1239", nopoll_conn_port (listener))) {
printf ("ACCEPTED ssl connection on port: %s (for conn %p)\n", nopoll_conn_port (listener), conn);
/* ok, especiall case where we require a certain
* certificate from renote side */
if (SSL_CTX_load_verify_locations (ssl_ctx, "client-side-cert-auth-cacert.crt", NULL) != 1) {
printf ("ERROR: unable to add ca certificate...\n");
}
/* make server to ask for a certificate to the client
* .... and verify it */
SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
} /* end if */
printf ("RETURNING: ssl context reference %p\n", ssl_ctx);
return ssl_ctx;
}
int
lws_tls_server_vhost_backend_init(struct lws_context_creation_info *info,
struct lws_vhost *vhost, struct lws *wsi)
{
const SSL_METHOD *method = TLS_server_method();
uint8_t *p;
lws_filepos_t flen;
vhost->ssl_ctx = SSL_CTX_new(method); /* create context */
if (!vhost->ssl_ctx) {
lwsl_err("problem creating ssl context\n");
return 1;
}
if (!vhost->use_ssl || !info->ssl_cert_filepath)
return 0;
if (info->ssl_ca_filepath) {
lwsl_notice("%s: vh %s: loading CA filepath %s\n", __func__,
vhost->name, info->ssl_ca_filepath);
if (lws_tls_alloc_pem_to_der_file(vhost->context,
info->ssl_ca_filepath, NULL, 0, &p, &flen)) {
lwsl_err("couldn't find client CA file %s\n",
info->ssl_ca_filepath);
return 1;
}
if (SSL_CTX_add_client_CA_ASN1(vhost->ssl_ctx, (int)flen, p) != 1) {
lwsl_err("%s: SSL_CTX_add_client_CA_ASN1 unhappy\n",
__func__);
free(p);
return 1;
}
free(p);
}
return lws_tls_server_certs_load(vhost, wsi,
info->ssl_cert_filepath,
info->ssl_private_key_filepath,
NULL, 0, NULL, 0);
}
static int tls_create_new_context(const char *cert_file,
const char *key_file)
{
# ifdef HAVE_TLS_SERVER_METHOD
if ((tls_ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
tls_error(__LINE__, 0);
}
# else
if ((tls_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
tls_error(__LINE__, 0);
}
# endif
tls_init_options();
tls_init_cache();
tls_load_cert_file(cert_file, key_file);
if (ssl_verify_client_cert) {
tls_init_client_cert_verification(cert_file);
}
tls_init_ecdh_curve();
tls_init_dhparams();
return 0;
}
const SSL_METHOD * hb_ssl_method_id_to_ptr( int n )
{
const SSL_METHOD * p;
switch( n )
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
case HB_SSL_CTX_NEW_METHOD_TLS: p = TLS_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLS_SERVER: p = TLS_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLS_CLIENT: p = TLS_client_method(); break;
#else
case HB_SSL_CTX_NEW_METHOD_TLSV1: p = TLSv1_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_SERVER: p = TLSv1_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_CLIENT: p = TLSv1_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLS: p = SSLv23_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLS_SERVER: p = SSLv23_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLS_CLIENT: p = SSLv23_client_method(); break;
#endif
default: p = SSLv23_method();
}
return p;
}
static int test_large_message_tls(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
0);
}
int main(int argc, char *argv[])
{
char *port = "*:4433";
BIO *in = NULL;
BIO *ssl_bio, *tmp;
SSL_CTX *ctx;
SSL_CONF_CTX *cctx = NULL;
CONF *conf = NULL;
STACK_OF(CONF_VALUE) *sect = NULL;
CONF_VALUE *cnf;
long errline = -1;
char buf[512];
int ret = EXIT_FAILURE, i;
ctx = SSL_CTX_new(TLS_server_method());
conf = NCONF_new(NULL);
if (NCONF_load(conf, "accept.cnf", &errline) <= 0) {
if (errline <= 0)
fprintf(stderr, "Error processing config file\n");
else
fprintf(stderr, "Error on line %ld\n", errline);
goto err;
}
sect = NCONF_get_section(conf, "default");
if (sect == NULL) {
fprintf(stderr, "Error retrieving default section\n");
goto err;
}
cctx = SSL_CONF_CTX_new();
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
int rv;
cnf = sk_CONF_VALUE_value(sect, i);
rv = SSL_CONF_cmd(cctx, cnf->name, cnf->value);
if (rv > 0)
continue;
if (rv != -2) {
fprintf(stderr, "Error processing %s = %s\n",
cnf->name, cnf->value);
ERR_print_errors_fp(stderr);
goto err;
}
if (strcmp(cnf->name, "Port") == 0) {
port = cnf->value;
} else {
fprintf(stderr, "Unknown configuration option %s\n", cnf->name);
goto err;
}
}
if (!SSL_CONF_CTX_finish(cctx)) {
fprintf(stderr, "Finish error\n");
ERR_print_errors_fp(stderr);
goto err;
}
/* Setup server side SSL bio */
ssl_bio = BIO_new_ssl(ctx, 0);
if ((in = BIO_new_accept(port)) == NULL)
goto err;
/*
* This means that when a new connection is accepted on 'in', The ssl_bio
* will be 'duplicated' and have the new socket BIO push into it.
* Basically it means the SSL BIO will be automatically setup
*/
BIO_set_accept_bios(in, ssl_bio);
again:
/*
* The first call will setup the accept socket, and the second will get a
* socket. In this loop, the first actual accept will occur in the
* BIO_read() function.
*/
if (BIO_do_accept(in) <= 0)
goto err;
for (;;) {
i = BIO_read(in, buf, 512);
if (i == 0) {
/*
* If we have finished, remove the underlying BIO stack so the
* next time we call any function for this BIO, it will attempt
* to do an accept
*/
printf("Done\n");
tmp = BIO_pop(in);
BIO_free_all(tmp);
goto again;
}
if (i < 0) {
if (BIO_should_retry(in))
continue;
goto err;
}
fwrite(buf, 1, i, stdout);
fflush(stdout);
}
ret = EXIT_SUCCESS;
err:
if (ret != EXIT_SUCCESS)
ERR_print_errors_fp(stderr);
BIO_free(in);
return ret;
}
/*
* Custom call back tests.
* Test 0: callbacks in TLSv1.2
* Test 1: callbacks in TLSv1.2 with SNI
*/
static int test_custom_exts(int tst)
{
SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
static int server = 1;
static int client = 0;
SSL_SESSION *sess = NULL;
/* Reset callback counters */
clntaddcb = clntparsecb = srvaddcb = srvparsecb = 0;
snicb = 0;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
goto end;
}
if (tst == 1
&& !create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2, NULL,
cert, privkey)) {
printf("Unable to create SSL_CTX pair (2)\n");
goto end;
}
/* Create a client side custom extension */
if (!SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb,
&client, parse_cb, &client)) {
printf("Unable to add client custom extension\n");
goto end;
}
/* Should not be able to add duplicates */
if (SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb,
&client, parse_cb, &client)) {
printf("Unexpected success adding duplicate extension\n");
goto end;
}
/* Create a server side custom extension */
if (!SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb,
&server, parse_cb, &server)) {
printf("Unable to add server custom extension\n");
goto end;
}
if (sctx2 != NULL
&& !SSL_CTX_add_server_custom_ext(sctx2, TEST_EXT_TYPE1,
add_cb, free_cb,
&server, parse_cb,
&server)) {
printf("Unable to add server custom extension for SNI\n");
goto end;
}
/* Should not be able to add duplicates */
if (SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb,
&server, parse_cb, &server)) {
printf("Unexpected success adding duplicate extension (2)\n");
goto end;
}
if (tst == 1) {
/* Set up SNI */
if (!SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)
|| !SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)) {
printf("Cannot set SNI callbacks\n");
goto end;
}
}
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)
|| !create_ssl_connection(serverssl, clientssl)) {
printf("Cannot create SSL connection\n");
goto end;
}
if (clntaddcb != 1
|| clntparsecb != 1
|| srvaddcb != 1
|| srvparsecb != 1
|| (tst != 1 && snicb != 0)
|| (tst == 1 && snicb != 1)) {
printf("Incorrect callback counts\n");
goto end;
}
sess = SSL_get1_session(clientssl);
SSL_shutdown(clientssl);
SSL_shutdown(serverssl);
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = clientssl = NULL;
if (tst == 1) {
/* We don't bother with the resumption aspects for this test */
testresult = 1;
goto end;
}
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)
|| !SSL_set_session(clientssl, sess)
|| !create_ssl_connection(serverssl, clientssl)) {
printf("Cannot create resumption connection\n");
goto end;
}
/*
* For a resumed session we expect to add the ClientHello extension but we
* should ignore it on the server side.
*/
if (clntaddcb != 2
|| clntparsecb != 1
|| srvaddcb != 1
|| srvparsecb != 1) {
printf("Incorrect resumption callback counts\n");
goto end;
}
testresult = 1;
end:
SSL_SESSION_free(sess);
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx2);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
net_socketSSL_t*
net_socketSSL_listen(const char* port, int type,
int backlog)
{
assert(port);
assert(backlog > 0);
int socktype;
if((type >= NET_SOCKETSSL_TCP) &&
(type <= NET_SOCKETSSL_TCP_BUFFERED))
{
socktype = SOCK_STREAM;
}
else
{
LOGE("invalid type=%i", type);
return NULL;
}
net_socketSSL_t* self;
self = (net_socketSSL_t*)
malloc(sizeof(net_socketSSL_t));
if(self == NULL)
{
LOGE("malloc failed");
return NULL;
}
// SIGPIPE causes the process to exit for broken streams
// but we want to receive EPIPE instead
signal(SIGPIPE, SIG_IGN);
// init SSL ctx
#if NET_SOCKET_USE_OPENSSL_1_1
self->ctx = SSL_CTX_new(TLS_server_method());
#else
// app should call SSL_library_init(); prior to creating any
// OpenSSL sockets with the old API
self->ctx = SSL_CTX_new(SSLv23_server_method());
#endif
if(self->ctx == NULL)
{
LOGE("SSL_CTX_new failed");
goto fail_ctx;
}
self->method = NET_SOCKETSSL_METHOD_SERVER;
self->ssl = NULL;
if(SSL_CTX_load_verify_locations(self->ctx,
"ca_cert.pem", NULL) != 1)
{
LOGE("SSL_CTX_load_verify_locations failed");
goto fail_load_verify;
}
#if NET_SOCKET_USE_OPENSSL_1_1
if(SSL_CTX_set_default_verify_file(self->ctx) != 1)
{
LOGE("SSL_CTX_set_default_verify_file failed");
goto fail_set_default_verify_file;
}
#endif
STACK_OF(X509_NAME)* cert_names;
cert_names = SSL_load_client_CA_file("ca_cert.pem");
if(cert_names == NULL)
{
LOGE("SSL_load_client_CA_file failed");
goto fail_cert_names;
}
SSL_CTX_set_client_CA_list(self->ctx, cert_names);
if(SSL_CTX_use_certificate_file(self->ctx,
"server_cert.pem",
SSL_FILETYPE_PEM) != 1)
{
LOGE("SSL_CTX_use_certificate_file failed");
goto fail_use_cert;
}
if(SSL_CTX_use_PrivateKey_file(self->ctx,
"server_key.pem",
SSL_FILETYPE_PEM) != 1)
{
LOGE("SSL_CTX_use_PrivateKey_file failed");
goto fail_use_priv;
}
if(SSL_CTX_check_private_key(self->ctx) != 1)
{
LOGE("SSL_CTX_check_private_key failed");
goto fail_check_priv;
}
SSL_CTX_set_mode(self->ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(self->ctx,
SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
SSL_CTX_set_verify_depth(self->ctx, 1);
// not needed for listening socket
self->buffer = NULL;
self->len = 0;
struct addrinfo hints;
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = socktype;
hints.ai_flags = AI_PASSIVE;
struct addrinfo* info;
if(getaddrinfo(NULL, port, &hints, &info) != 0)
{
LOGD("getaddrinfo failed");
goto fail_getaddrinfo;
}
struct addrinfo* i = info;
self->sockfd = -1;
while(i)
{
self->sockfd = socket(i->ai_family, i->ai_socktype,
i->ai_protocol);
if(self->sockfd == -1)
{
LOGD("socket failed");
i = i->ai_next;
continue;
}
int yes = 1;
if(setsockopt(self->sockfd, SOL_SOCKET,
SO_REUSEADDR, &yes,
sizeof(int)) == -1)
{
LOGD("setsockopt failed");
}
// TCP_NODELAY is not needed for server socket
if(bind(self->sockfd, i->ai_addr,
i->ai_addrlen) == -1)
{
LOGD("bind failed");
close(self->sockfd);
self->sockfd = -1;
continue;
}
break;
}
freeaddrinfo(info);
if(self->sockfd == -1)
{
LOGD("socket failed");
goto fail_socket;
}
if(listen(self->sockfd, backlog) == -1)
{
LOGD("listen failed");
goto fail_listen;
}
self->error = 0;
self->connected = 1;
self->type = type;
// success
return self;
// failure
fail_listen:
close(self->sockfd);
fail_socket:
fail_getaddrinfo:
fail_check_priv:
fail_use_priv:
fail_use_cert:
fail_cert_names:
#if NET_SOCKET_USE_OPENSSL_1_1
fail_set_default_verify_file:
#endif
fail_load_verify:
SSL_CTX_free(self->ctx);
fail_ctx:
free(self);
return NULL;
}
static int test_cipher_name(void)
{
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
const SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk = NULL;
const char *ciphers = "ALL:eNULL", *p, *q, *r;
int i, id = 0, ret = 0;
/* tests for invalid input */
p = SSL_CIPHER_standard_name(NULL);
if (!TEST_str_eq(p, "(NONE)")) {
TEST_info("test_cipher_name(std) failed: NULL input doesn't return \"(NONE)\"\n");
goto err;
}
p = OPENSSL_cipher_name(NULL);
if (!TEST_str_eq(p, "(NONE)")) {
TEST_info("test_cipher_name(ossl) failed: NULL input doesn't return \"(NONE)\"\n");
goto err;
}
p = OPENSSL_cipher_name("This is not a valid cipher");
if (!TEST_str_eq(p, "(NONE)")) {
TEST_info("test_cipher_name(ossl) failed: invalid input doesn't return \"(NONE)\"\n");
goto err;
}
/* tests for valid input */
ctx = SSL_CTX_new(TLS_server_method());
if (ctx == NULL) {
TEST_info("test_cipher_name failed: internal error\n");
goto err;
}
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
TEST_info("test_cipher_name failed: internal error\n");
goto err;
}
ssl = SSL_new(ctx);
if (ssl == NULL) {
TEST_info("test_cipher_name failed: internal error\n");
goto err;
}
sk = SSL_get_ciphers(ssl);
if (sk == NULL) {
TEST_info("test_cipher_name failed: internal error\n");
goto err;
}
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
c = sk_SSL_CIPHER_value(sk, i);
id = SSL_CIPHER_get_id(c) & 0xFFFF;
if ((id == 0xFF85) || (id == 0xFF87))
/* skip GOST2012-GOST8912-GOST891 and GOST2012-NULL-GOST12 */
continue;
p = SSL_CIPHER_standard_name(c);
q = get_std_name_by_id(id);
if (!TEST_ptr(p)) {
TEST_info("test_cipher_name failed: expected %s, got NULL, cipher %x\n",
q, id);
goto err;
}
/* check if p is a valid standard name */
if (!TEST_str_eq(p, q)) {
TEST_info("test_cipher_name(std) failed: expected %s, got %s, cipher %x\n",
q, p, id);
goto err;
}
/* test OPENSSL_cipher_name */
q = SSL_CIPHER_get_name(c);
r = OPENSSL_cipher_name(p);
if (!TEST_str_eq(r, q)) {
TEST_info("test_cipher_name(ossl) failed: expected %s, got %s, cipher %x\n",
q, r, id);
goto err;
}
}
ret = 1;
err:
SSL_CTX_free(ctx);
SSL_free(ssl);
return ret;
}
void Context::createSSLContext()
{
if (SSLManager::isFIPSEnabled())
{
_pSSLContext = SSL_CTX_new(TLSv1_method());
}
else
{
switch (_usage)
{
case CLIENT_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_client_method());
#else
_pSSLContext = SSL_CTX_new(SSLv23_client_method());
#endif
break;
case SERVER_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_server_method());
#else
_pSSLContext = SSL_CTX_new(SSLv23_server_method());
#endif
break;
#if defined(SSL_OP_NO_TLSv1) && !defined(OPENSSL_NO_TLS1)
case TLSV1_CLIENT_USE:
_pSSLContext = SSL_CTX_new(TLSv1_client_method());
break;
case TLSV1_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLSv1_server_method());
break;
#endif
#if defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1)
/* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version supports TLSv1.1.
* OPENSSL_NO_TLS1 is defined in opensslconf.h or on the compiler command line
* if TLS1.x was removed at OpenSSL library build time via Configure options.
*/
case TLSV1_1_CLIENT_USE:
_pSSLContext = SSL_CTX_new(TLSv1_1_client_method());
break;
case TLSV1_1_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLSv1_1_server_method());
break;
#endif
#if defined(SSL_OP_NO_TLSv1_2) && !defined(OPENSSL_NO_TLS1)
case TLSV1_2_CLIENT_USE:
_pSSLContext = SSL_CTX_new(TLSv1_2_client_method());
break;
case TLSV1_2_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLSv1_2_server_method());
break;
#endif
default:
throw Poco::InvalidArgumentException("Invalid or unsupported usage");
}
}
if (!_pSSLContext)
{
unsigned long err = ERR_get_error();
throw SSLException("Cannot create SSL_CTX object", ERR_error_string(err, 0));
}
SSL_CTX_set_default_passwd_cb(_pSSLContext, &SSLManager::privateKeyPassphraseCallback);
Utility::clearErrorStack();
SSL_CTX_set_options(_pSSLContext, SSL_OP_ALL);
}
int main(int argc, char *argv[])
{
char *port = "*:4433";
BIO *ssl_bio, *tmp;
SSL_CTX *ctx;
SSL_CONF_CTX *cctx;
char buf[512];
BIO *in = NULL;
int ret = 1, i;
char **args = argv + 1;
int nargs = argc - 1;
SSL_load_error_strings();
/* Add ciphers and message digests */
OpenSSL_add_ssl_algorithms();
ctx = SSL_CTX_new(TLS_server_method());
cctx = SSL_CONF_CTX_new();
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
while (*args && **args == '-') {
int rv;
/* Parse standard arguments */
rv = SSL_CONF_cmd_argv(cctx, &nargs, &args);
if (rv == -3) {
fprintf(stderr, "Missing argument for %s\n", *args);
goto err;
}
if (rv < 0) {
fprintf(stderr, "Error in command %s\n", *args);
ERR_print_errors_fp(stderr);
goto err;
}
/* If rv > 0 we processed something so proceed to next arg */
if (rv > 0)
continue;
/* Otherwise application specific argument processing */
if (strcmp(*args, "-port") == 0) {
port = args[1];
if (port == NULL) {
fprintf(stderr, "Missing -port argument\n");
goto err;
}
args += 2;
nargs -= 2;
continue;
} else {
fprintf(stderr, "Unknown argument %s\n", *args);
goto err;
}
}
if (!SSL_CONF_CTX_finish(cctx)) {
fprintf(stderr, "Finish error\n");
ERR_print_errors_fp(stderr);
goto err;
}
#ifdef ITERATE_CERTS
/*
* Demo of how to iterate over all certificates in an SSL_CTX structure.
*/
{
X509 *x;
int rv;
rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
while (rv) {
X509 *x = SSL_CTX_get0_certificate(ctx);
X509_NAME_print_ex_fp(stdout, X509_get_subject_name(x), 0,
XN_FLAG_ONELINE);
printf("\n");
rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
}
fflush(stdout);
}
#endif
/* Setup server side SSL bio */
ssl_bio = BIO_new_ssl(ctx, 0);
if ((in = BIO_new_accept(port)) == NULL)
goto err;
/*
* This means that when a new connection is accepted on 'in', The ssl_bio
* will be 'duplicated' and have the new socket BIO push into it.
* Basically it means the SSL BIO will be automatically setup
*/
BIO_set_accept_bios(in, ssl_bio);
again:
/*
* The first call will setup the accept socket, and the second will get a
* socket. In this loop, the first actual accept will occur in the
* BIO_read() function.
*/
if (BIO_do_accept(in) <= 0)
goto err;
for (;;) {
i = BIO_read(in, buf, 512);
if (i == 0) {
/*
* If we have finished, remove the underlying BIO stack so the
* next time we call any function for this BIO, it will attempt
* to do an accept
*/
printf("Done\n");
tmp = BIO_pop(in);
BIO_free_all(tmp);
goto again;
}
if (i < 0)
goto err;
fwrite(buf, 1, i, stdout);
fflush(stdout);
}
ret = 0;
err:
if (ret) {
ERR_print_errors_fp(stderr);
}
BIO_free(in);
exit(ret);
return (!ret);
}
int ciphers_main(int argc, char **argv)
{
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
STACK_OF(SSL_CIPHER) *sk = NULL;
const SSL_METHOD *meth = TLS_server_method();
int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0;
#ifndef OPENSSL_NO_SSL_TRACE
int stdname = 0;
#endif
#ifndef OPENSSL_NO_PSK
int psk = 0;
#endif
#ifndef OPENSSL_NO_SRP
int srp = 0;
#endif
const char *p;
char *ciphers = NULL, *prog;
char buf[512];
OPTION_CHOICE o;
int min_version = 0, max_version = 0;
prog = opt_init(argc, argv, ciphers_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(ciphers_options);
ret = 0;
goto end;
case OPT_V:
verbose = 1;
break;
case OPT_UPPER_V:
verbose = Verbose = 1;
break;
case OPT_S:
use_supported = 1;
break;
case OPT_STDNAME:
#ifndef OPENSSL_NO_SSL_TRACE
stdname = verbose = 1;
#endif
break;
case OPT_SSL3:
min_version = SSL3_VERSION;
max_version = SSL3_VERSION;
break;
case OPT_TLS1:
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
break;
case OPT_TLS1_1:
min_version = TLS1_1_VERSION;
max_version = TLS1_1_VERSION;
break;
case OPT_TLS1_2:
min_version = TLS1_2_VERSION;
max_version = TLS1_2_VERSION;
break;
case OPT_TLS1_3:
min_version = TLS1_3_VERSION;
max_version = TLS1_3_VERSION;
break;
case OPT_PSK:
#ifndef OPENSSL_NO_PSK
psk = 1;
#endif
break;
case OPT_SRP:
#ifndef OPENSSL_NO_SRP
srp = 1;
#endif
break;
}
}
argv = opt_rest();
argc = opt_num_rest();
if (argc == 1)
ciphers = *argv;
else if (argc != 0)
goto opthelp;
ctx = SSL_CTX_new(meth);
if (ctx == NULL)
goto err;
if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto err;
if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
goto err;
#ifndef OPENSSL_NO_PSK
if (psk)
SSL_CTX_set_psk_client_callback(ctx, dummy_psk);
#endif
#ifndef OPENSSL_NO_SRP
if (srp)
SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
#endif
if (ciphers != NULL) {
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
BIO_printf(bio_err, "Error in cipher list\n");
goto err;
}
}
ssl = SSL_new(ctx);
if (ssl == NULL)
goto err;
if (use_supported)
sk = SSL_get1_supported_ciphers(ssl);
else
sk = SSL_get_ciphers(ssl);
if (!verbose) {
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
p = SSL_CIPHER_get_name(c);
if (p == NULL)
break;
if (i != 0)
BIO_printf(bio_out, ":");
BIO_printf(bio_out, "%s", p);
}
BIO_printf(bio_out, "\n");
} else {
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
const SSL_CIPHER *c;
c = sk_SSL_CIPHER_value(sk, i);
if (Verbose) {
unsigned long id = SSL_CIPHER_get_id(c);
int id0 = (int)(id >> 24);
int id1 = (int)((id >> 16) & 0xffL);
int id2 = (int)((id >> 8) & 0xffL);
int id3 = (int)(id & 0xffL);
if ((id & 0xff000000L) == 0x03000000L)
BIO_printf(bio_out, " 0x%02X,0x%02X - ", id2, id3); /* SSL3
* cipher */
else
BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
}
#ifndef OPENSSL_NO_SSL_TRACE
if (stdname) {
const char *nm = SSL_CIPHER_standard_name(c);
if (nm == NULL)
nm = "UNKNOWN";
BIO_printf(bio_out, "%s - ", nm);
}
#endif
BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof buf));
}
}
ret = 0;
goto end;
err:
ERR_print_errors(bio_err);
end:
if (use_supported)
sk_SSL_CIPHER_free(sk);
SSL_CTX_free(ctx);
SSL_free(ssl);
return (ret);
}
/** Initialize the SSL context.
* \return pointer to SSL context object.
*/
SSL_CTX *
ssl_init(char *private_key_file, char *ca_file, char *ca_dir,
int req_client_cert)
{
const SSL_METHOD
*meth; /* If this const gives you a warning, you're
using an old version of OpenSSL. Walker, this means you! */
/* uint8_t context[128]; */
unsigned int reps = 1;
pcg32_random_t rand_state;
uint64_t seeds[2];
bool seeded = false;
if (!bio_err) {
if (!SSL_library_init())
return NULL;
SSL_load_error_strings();
/* Error write context */
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
}
lock_file(stderr);
fputs("Seeding OpenSSL random number pool.\n", stderr);
unlock_file(stderr);
while (!RAND_status()) {
/* At this point, a system with /dev/urandom or a EGD file in the usual
places will have enough entropy. Otherwise, be lazy and use random
numbers until it's satisfied. */
uint32_t gibberish[8];
int n;
if (!seeded) {
generate_seed(seeds);
pcg32_srandom_r(&rand_state, seeds[0], seeds[1]);
seeded = 1;
}
for (n = 0; n < 8; n++)
gibberish[n] = pcg32_random_r(&rand_state);
RAND_seed(gibberish, sizeof gibberish);
reps += 1;
}
lock_file(stderr);
fprintf(stderr, "Seeded after %u %s.\n", reps, reps > 1 ? "cycles" : "cycle");
unlock_file(stderr);
/* Set up SIGPIPE handler here? */
/* Create context */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
meth = TLS_server_method();
#else
meth = SSLv23_server_method();
#endif
ctx = SSL_CTX_new(meth);
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/* Load keys/certs */
if (private_key_file && *private_key_file) {
if (!SSL_CTX_use_certificate_chain_file(ctx, private_key_file)) {
ssl_errordump("Unable to load server certificate - only anonymous "
"ciphers supported.");
}
if (!SSL_CTX_use_PrivateKey_file(ctx, private_key_file, SSL_FILETYPE_PEM)) {
ssl_errordump(
"Unable to load private key - only anonymous ciphers supported.");
}
}
/* Load trusted CAs */
if ((ca_file && *ca_file) || (ca_dir && *ca_dir)) {
if (!SSL_CTX_load_verify_locations(ctx,
(ca_file && *ca_file) ? ca_file : NULL,
(ca_dir && *ca_dir) ? ca_dir : NULL)) {
ssl_errordump("Unable to load CA certificates");
}
{
STACK_OF(X509_NAME) *certs = NULL;
if (ca_file && *ca_file)
certs = SSL_load_client_CA_file(ca_file);
if (certs)
SSL_CTX_set_client_CA_list(ctx, certs);
if (req_client_cert)
SSL_CTX_set_verify(ctx,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
client_verify_callback);
else
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, client_verify_callback);
#if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
SSL_CTX_set_verify_depth(ctx, 1);
#endif
}
}
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE | SSL_OP_ALL);
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
/* Set up DH key */
{
DH *dh;
dh = get_dh2048();
SSL_CTX_set_tmp_dh(ctx, dh);
DH_free(dh);
}
#ifdef NID_X9_62_prime256v1
/* Set up ECDH key */
{
EC_KEY *ecdh = NULL;
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
/* Set the cipher list to the usual default list, except that
* we'll allow anonymous diffie-hellman, too.
*/
SSL_CTX_set_cipher_list(ctx, "ALL:ECDH:ADH:!LOW:!MEDIUM:@STRENGTH");
/* Set up session cache if we can */
/*
strncpy((char *) context, MUDNAME, 128);
SSL_CTX_set_session_id_context(ctx, context, strlen(context));
*/
return ctx;
}
static int test_handshake(int idx)
{
int ret = 0;
SSL_CTX *server_ctx = NULL, *server2_ctx = NULL, *client_ctx = NULL,
*resume_server_ctx = NULL, *resume_client_ctx = NULL;
SSL_TEST_CTX *test_ctx = NULL;
HANDSHAKE_RESULT *result = NULL;
char test_app[MAX_TESTCASE_NAME_LENGTH];
BIO_snprintf(test_app, sizeof(test_app), "test-%d", idx);
test_ctx = SSL_TEST_CTX_create(conf, test_app);
if (test_ctx == NULL)
goto err;
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new(DTLS_server_method());
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(DTLS_server_method());
TEST_check(server2_ctx != NULL);
}
client_ctx = SSL_CTX_new(DTLS_client_method());
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new(DTLS_server_method());
resume_client_ctx = SSL_CTX_new(DTLS_client_method());
TEST_check(resume_server_ctx != NULL);
TEST_check(resume_client_ctx != NULL);
}
}
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
server_ctx = SSL_CTX_new(TLS_server_method());
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(TLS_server_method());
TEST_check(server2_ctx != NULL);
}
client_ctx = SSL_CTX_new(TLS_client_method());
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new(TLS_server_method());
resume_client_ctx = SSL_CTX_new(TLS_client_method());
TEST_check(resume_server_ctx != NULL);
TEST_check(resume_client_ctx != NULL);
}
}
TEST_check(server_ctx != NULL);
TEST_check(client_ctx != NULL);
TEST_check(CONF_modules_load(conf, test_app, 0) > 0);
if (!SSL_CTX_config(server_ctx, "server")
|| !SSL_CTX_config(client_ctx, "client")) {
goto err;
}
if (server2_ctx != NULL && !SSL_CTX_config(server2_ctx, "server2"))
goto err;
if (resume_server_ctx != NULL
&& !SSL_CTX_config(resume_server_ctx, "resume-server"))
goto err;
if (resume_client_ctx != NULL
&& !SSL_CTX_config(resume_client_ctx, "resume-client"))
goto err;
result = do_handshake(server_ctx, server2_ctx, client_ctx,
resume_server_ctx, resume_client_ctx, test_ctx);
ret = check_test(result, test_ctx);
err:
CONF_modules_unload(0);
SSL_CTX_free(server_ctx);
SSL_CTX_free(server2_ctx);
SSL_CTX_free(client_ctx);
SSL_CTX_free(resume_server_ctx);
SSL_CTX_free(resume_client_ctx);
SSL_TEST_CTX_free(test_ctx);
HANDSHAKE_RESULT_free(result);
return ret;
}
int
mowgli_vio_openssl_default_listen(mowgli_vio_t *vio, int backlog)
{
return_val_if_fail(vio, -255);
mowgli_ssl_connection_t *connection = vio->privdata;
const int fd = mowgli_vio_getfd(vio);
vio->error.op = MOWGLI_VIO_ERR_OP_LISTEN;
#ifndef MOWGLI_HAVE_OPENSSL_TLS_METHOD_API
connection->ssl_context = SSL_CTX_new(SSLv23_server_method());
#else
connection->ssl_context = SSL_CTX_new(TLS_server_method());
#endif
if (connection->ssl_context == NULL)
return mowgli_vio_err_sslerrcode(vio, ERR_get_error());
#ifndef MOWGLI_HAVE_OPENSSL_TLS_METHOD_API
# ifdef SSL_OP_NO_SSLv2
SSL_CTX_set_options(connection->ssl_context, SSL_OP_NO_SSLv2);
# endif
# ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(connection->ssl_context, SSL_OP_NO_SSLv3);
# endif
#endif
connection->ssl_handle = SSL_new(connection->ssl_context);
if (connection->ssl_handle == NULL)
return mowgli_vio_err_sslerrcode(vio, ERR_get_error());
SSL_set_accept_state(connection->ssl_handle);
SSL_CTX_set_options(connection->ssl_context, SSL_OP_SINGLE_DH_USE);
#ifdef OPENSSL_EC_AVAILABLE
# ifdef MOWGLI_HAVE_OPENSSL_ECDH_AUTO
SSL_CTX_set_ecdh_auto(connection->ssl_context, 1);
# else
EC_KEY *ec_key_p256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ec_key_p256 != NULL)
{
SSL_CTX_set_tmp_ecdh(connection->ssl_context, ec_key_p256);
EC_KEY_free(ec_key_p256);
ec_key_p256 = NULL;
}
# endif
# ifdef SSL_OP_SINGLE_ECDH_USE
SSL_CTX_set_options(connection->ssl_context, SSL_OP_SINGLE_ECDH_USE);
# endif
#endif
if (connection->settings.password_func)
{
SSL_CTX_set_default_passwd_cb(connection->ssl_context, connection->settings.password_func);
SSL_CTX_set_default_passwd_cb_userdata(connection->ssl_context, vio->userdata);
}
if (SSL_CTX_use_certificate_file(connection->ssl_context, connection->settings.cert_path, SSL_FILETYPE_PEM) != 1)
return mowgli_vio_err_sslerrcode(vio, ERR_get_error());
if (SSL_CTX_use_PrivateKey_file(connection->ssl_context, connection->settings.privatekey_path, SSL_FILETYPE_PEM) != 1)
return mowgli_vio_err_sslerrcode(vio, ERR_get_error());
if (listen(fd, backlog) != 0)
return mowgli_vio_err_errcode(vio, strerror, errno);
if (!SSL_set_fd(connection->ssl_handle, fd))
return mowgli_vio_err_sslerrcode(vio, ERR_get_error());
mowgli_vio_setflag(vio, MOWGLI_VIO_FLAGS_ISSERVER, true);
vio->error.op = MOWGLI_VIO_ERR_OP_NONE;
return 0;
}
static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl1 = NULL, *clientssl1 = NULL;
SSL *serverssl2 = NULL, *clientssl2 = NULL;
#ifndef OPENSSL_NO_TLS1_1
SSL *serverssl3 = NULL, *clientssl3 = NULL;
#endif
SSL_SESSION *sess1 = NULL, *sess2 = NULL;
int testresult = 0;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
#ifndef OPENSSL_NO_TLS1_2
/* Only allow TLS1.2 so we can force a connection failure later */
SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION);
#endif
/* Set up session cache */
if (fix.use_ext_cache) {
SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
}
if (fix.use_int_cache) {
/* Also covers instance where both are set */
SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
} else {
SSL_CTX_set_session_cache_mode(cctx,
SSL_SESS_CACHE_CLIENT
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
}
if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL,
NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl1, clientssl1)) {
printf("Unable to create SSL connection\n");
goto end;
}
sess1 = SSL_get1_session(clientssl1);
if (sess1 == NULL) {
printf("Unexpected NULL session\n");
goto end;
}
if (fix.use_int_cache && SSL_CTX_add_session(cctx, sess1)) {
/* Should have failed because it should already be in the cache */
printf("Unexpected success adding session to cache\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) {
printf("Session not added to cache\n");
goto end;
}
if (!create_ssl_objects(sctx, cctx, &serverssl2, &clientssl2, NULL, NULL)) {
printf("Unable to create second SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl2, clientssl2)) {
printf("Unable to create second SSL connection\n");
goto end;
}
sess2 = SSL_get1_session(clientssl2);
if (sess2 == NULL) {
printf("Unexpected NULL session from clientssl2\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) {
printf("Remove session callback unexpectedly called\n");
goto end;
}
/*
* This should clear sess2 from the cache because it is a "bad" session. See
* SSL_set_session() documentation.
*/
if (!SSL_set_session(clientssl2, sess1)) {
printf("Unexpected failure setting session\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) {
printf("Failed to call callback to remove session\n");
goto end;
}
if (SSL_get_session(clientssl2) != sess1) {
printf("Unexpected session found\n");
goto end;
}
if (fix.use_int_cache) {
if (!SSL_CTX_add_session(cctx, sess2)) {
/*
* Should have succeeded because it should not already be in the cache
*/
printf("Unexpected failure adding session to cache\n");
goto end;
}
if (!SSL_CTX_remove_session(cctx, sess2)) {
printf("Unexpected failure removing session from cache\n");
goto end;
}
/* This is for the purposes of internal cache testing...ignore the
* counter for external cache
*/
if (fix.use_ext_cache)
remove_called--;
}
/* This shouldn't be in the cache so should fail */
if (SSL_CTX_remove_session(cctx, sess2)) {
printf("Unexpected success removing session from cache\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) {
printf("Failed to call callback to remove session #2\n");
goto end;
}
#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2)
/* Force a connection failure */
SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
if (!create_ssl_objects(sctx, cctx, &serverssl3, &clientssl3, NULL, NULL)) {
printf("Unable to create third SSL objects\n");
goto end;
}
if (!SSL_set_session(clientssl3, sess1)) {
printf("Unable to set session for third connection\n");
goto end;
}
/* This should fail because of the mismatched protocol versions */
if (create_ssl_connection(serverssl3, clientssl3)) {
printf("Unable to create third SSL connection\n");
goto end;
}
/* We should have automatically removed the session from the cache */
if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) {
printf("Failed to call callback to remove session #2\n");
goto end;
}
if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) {
/*
* Should have succeeded because it should not already be in the cache
*/
printf("Unexpected failure adding session to cache #2\n");
goto end;
}
#endif
testresult = 1;
end:
SSL_free(serverssl1);
SSL_free(clientssl1);
SSL_free(serverssl2);
SSL_free(clientssl2);
#ifndef OPENSSL_NO_TLS1_1
SSL_free(serverssl3);
SSL_free(clientssl3);
#endif
SSL_SESSION_free(sess1);
SSL_SESSION_free(sess2);
/*
* Check if we need to remove any sessions up-refed for the external cache
*/
if (new_called >= 1)
SSL_SESSION_free(sess1);
if (new_called >= 2)
SSL_SESSION_free(sess2);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
int main(int argc, char *argv[])
{
char *port = NULL;
BIO *ssl_bio, *tmp;
SSL_CTX *ctx;
char buf[512];
int ret = 1, i;
if (argc <= 1)
port = "*:4433";
else
port = argv[1];
signal(SIGINT, close_up);
SSL_load_error_strings();
/* Add ciphers and message digests */
OpenSSL_add_ssl_algorithms();
ctx = SSL_CTX_new(TLS_server_method());
if (!SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM))
goto err;
if (!SSL_CTX_use_PrivateKey_file(ctx, CERT_FILE, SSL_FILETYPE_PEM))
goto err;
if (!SSL_CTX_check_private_key(ctx))
goto err;
/* Setup server side SSL bio */
ssl_bio = BIO_new_ssl(ctx, 0);
if ((in = BIO_new_accept(port)) == NULL)
goto err;
/*
* This means that when a new connection is accepted on 'in', The ssl_bio
* will be 'duplicated' and have the new socket BIO push into it.
* Basically it means the SSL BIO will be automatically setup
*/
BIO_set_accept_bios(in, ssl_bio);
again:
/*
* The first call will setup the accept socket, and the second will get a
* socket. In this loop, the first actual accept will occur in the
* BIO_read() function.
*/
if (BIO_do_accept(in) <= 0)
goto err;
for (;;) {
i = BIO_read(in, buf, 512);
if (i == 0) {
/*
* If we have finished, remove the underlying BIO stack so the
* next time we call any function for this BIO, it will attempt
* to do an accept
*/
printf("Done\n");
tmp = BIO_pop(in);
BIO_free_all(tmp);
goto again;
}
if (i < 0)
goto err;
fwrite(buf, 1, i, stdout);
fflush(stdout);
}
ret = 0;
err:
if (ret) {
ERR_print_errors_fp(stderr);
}
BIO_free(in);
exit(ret);
return (!ret);
}
int
rb_setup_ssl_server(const char *certfile, const char *keyfile, const char *dhfile, const char *cipher_list)
{
const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!aNULL";
#ifdef LRB_HAVE_TLS_SET_CURVES
const char librb_curves[] = "P-521:P-384:P-256";
#endif
if(certfile == NULL)
{
rb_lib_log("rb_setup_ssl_server: No certificate file");
return 0;
}
if(keyfile == NULL)
keyfile = certfile;
if(cipher_list == NULL)
cipher_list = librb_ciphers;
if (ssl_server_ctx)
SSL_CTX_free(ssl_server_ctx);
if (ssl_client_ctx)
SSL_CTX_free(ssl_client_ctx);
#ifdef LRB_HAVE_TLS_METHOD_API
ssl_server_ctx = SSL_CTX_new(TLS_server_method());
ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#else
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
#endif
if(ssl_server_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
get_ssl_error(ERR_get_error()));
return 0;
}
if(ssl_client_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
get_ssl_error(ERR_get_error()));
return 0;
}
#ifndef LRB_HAVE_TLS_METHOD_API
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#endif
#ifdef SSL_OP_SINGLE_DH_USE
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_DH_USE);
#endif
#ifdef SSL_OP_SINGLE_ECDH_USE
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE);
#endif
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_TICKET);
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
#endif
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
#ifdef LRB_HAVE_TLS_SET_CURVES
SSL_CTX_set1_curves_list(ssl_server_ctx, librb_curves);
#endif
#ifdef LRB_HAVE_TLS_ECDH_AUTO
SSL_CTX_set_ecdh_auto(ssl_server_ctx, 1);
#endif
/*
* Set manual ECDHE curve on OpenSSL 1.0.0 & 1.0.1, but make sure it's actually available
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(OPENSSL_NO_ECDH)
EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
if (key) {
SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
EC_KEY_free(key);
}
#endif
SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list);
SSL_CTX_set_cipher_list(ssl_client_ctx, cipher_list);
if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, certfile) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, certfile))
{
rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", certfile,
get_ssl_error(ERR_get_error()));
return 0;
}
if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
{
rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
get_ssl_error(ERR_get_error()));
return 0;
}
if(dhfile != NULL)
{
/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
FILE *fp = fopen(dhfile, "r");
DH *dh = NULL;
if(fp == NULL)
{
rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
dhfile, strerror(errno));
}
else if(PEM_read_DHparams(fp, &dh, NULL, NULL) == NULL)
{
rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
dhfile, get_ssl_error(ERR_get_error()));
fclose(fp);
}
else
{
SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
DH_free(dh);
fclose(fp);
}
}
return 1;
}
static int test_large_message_tls_read_ahead(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1);
}
int
rb_init_ssl(void)
{
int ret = 1;
char libratbox_data[] = "libratbox data";
const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
SSL_load_error_strings();
SSL_library_init();
libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
#else
ssl_server_ctx = SSL_CTX_new(TLS_server_method());
#endif
if(ssl_server_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
get_ssl_error(ERR_get_error()));
ret = 0;
}
long server_options = SSL_CTX_get_options(ssl_server_ctx);
#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
server_options |= SSL_OP_NO_SSLv2;
server_options |= SSL_OP_NO_SSLv3;
#endif
#ifdef SSL_OP_SINGLE_DH_USE
server_options |= SSL_OP_SINGLE_DH_USE;
#endif
#ifdef SSL_OP_SINGLE_ECDH_USE
server_options |= SSL_OP_SINGLE_ECDH_USE;
#endif
#ifdef SSL_OP_NO_TICKET
server_options |= SSL_OP_NO_TICKET;
#endif
server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(ssl_server_ctx, server_options);
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
and bastardise their OpenSSL for stupid reasons... */
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
if (key) {
SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
EC_KEY_free(key);
}
#endif
#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
#else
ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#endif
if(ssl_client_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
get_ssl_error(ERR_get_error()));
ret = 0;
}
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif
SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
return ret;
}
static int test_tlsext_status_type(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
STACK_OF(OCSP_RESPID) *ids = NULL;
OCSP_RESPID *id = NULL;
BIO *certbio = NULL;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
if (SSL_CTX_get_tlsext_status_type(cctx) != -1) {
printf("Unexpected initial value for "
"SSL_CTX_get_tlsext_status_type()\n");
goto end;
}
/* First just do various checks getting and setting tlsext_status_type */
clientssl = SSL_new(cctx);
if (SSL_get_tlsext_status_type(clientssl) != -1) {
printf("Unexpected initial value for SSL_get_tlsext_status_type()\n");
goto end;
}
if (!SSL_set_tlsext_status_type(clientssl, TLSEXT_STATUSTYPE_ocsp)) {
printf("Unexpected fail for SSL_set_tlsext_status_type()\n");
goto end;
}
if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) {
printf("Unexpected result for SSL_get_tlsext_status_type()\n");
goto end;
}
SSL_free(clientssl);
clientssl = NULL;
if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)) {
printf("Unexpected fail for SSL_CTX_set_tlsext_status_type()\n");
goto end;
}
if (SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) {
printf("Unexpected result for SSL_CTX_get_tlsext_status_type()\n");
goto end;
}
clientssl = SSL_new(cctx);
if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) {
printf("Unexpected result for SSL_get_tlsext_status_type() (test 2)\n");
goto end;
}
SSL_free(clientssl);
clientssl = NULL;
/*
* Now actually do a handshake and check OCSP information is exchanged and
* the callbacks get called
*/
SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl, clientssl)) {
printf("Unable to create SSL connection\n");
goto end;
}
if (!ocsp_client_called || !ocsp_server_called) {
printf("OCSP callbacks not called\n");
goto end;
}
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = NULL;
clientssl = NULL;
/* Try again but this time force the server side callback to fail */
ocsp_client_called = 0;
ocsp_server_called = 0;
cdummyarg = 0;
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
/* This should fail because the callback will fail */
if (create_ssl_connection(serverssl, clientssl)) {
printf("Unexpected success creating the connection\n");
goto end;
}
if (ocsp_client_called || ocsp_server_called) {
printf("OCSP callbacks successfully called unexpectedly\n");
goto end;
}
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = NULL;
clientssl = NULL;
/*
* This time we'll get the client to send an OCSP_RESPID that it will
* accept.
*/
ocsp_client_called = 0;
ocsp_server_called = 0;
cdummyarg = 2;
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
/*
* We'll just use any old cert for this test - it doesn't have to be an OCSP
* specific one. We'll use the server cert.
*/
certbio = BIO_new_file(cert, "r");
if (certbio == NULL) {
printf("Can't load the certificate file\n");
goto end;
}
id = OCSP_RESPID_new();
ids = sk_OCSP_RESPID_new_null();
ocspcert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
if (id == NULL || ids == NULL || ocspcert == NULL
|| !OCSP_RESPID_set_by_key(id, ocspcert)
|| !sk_OCSP_RESPID_push(ids, id)) {
printf("Unable to set OCSP_RESPIDs\n");
goto end;
}
id = NULL;
SSL_set_tlsext_status_ids(clientssl, ids);
/* Control has been transferred */
ids = NULL;
BIO_free(certbio);
certbio = NULL;
if (!create_ssl_connection(serverssl, clientssl)) {
printf("Unable to create SSL connection\n");
goto end;
}
if (!ocsp_client_called || !ocsp_server_called) {
printf("OCSP callbacks not called\n");
goto end;
}
testresult = 1;
end:
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
OCSP_RESPID_free(id);
BIO_free(certbio);
X509_free(ocspcert);
ocspcert = NULL;
return testresult;
}
int
rb_init_ssl(void)
{
int ret = 1;
char librb_data[] = "librb data";
const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
SSL_load_error_strings();
SSL_library_init();
librb_index = SSL_get_ex_new_index(0, librb_data, NULL, NULL, NULL);
#ifndef LRB_HAVE_TLS_METHOD_API
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
#else
ssl_server_ctx = SSL_CTX_new(TLS_server_method());
#endif
if(ssl_server_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
get_ssl_error(ERR_get_error()));
ret = 0;
}
long server_options = SSL_CTX_get_options(ssl_server_ctx);
#ifndef LRB_HAVE_TLS_METHOD_API
server_options |= SSL_OP_NO_SSLv2;
server_options |= SSL_OP_NO_SSLv3;
#endif
#ifdef SSL_OP_SINGLE_DH_USE
server_options |= SSL_OP_SINGLE_DH_USE;
#endif
#ifdef SSL_OP_SINGLE_ECDH_USE
server_options |= SSL_OP_SINGLE_ECDH_USE;
#endif
#ifdef SSL_OP_NO_TICKET
server_options |= SSL_OP_NO_TICKET;
#endif
server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(ssl_server_ctx, server_options);
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_cipher_list(ssl_server_ctx, librb_ciphers);
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available
* (it's not by default on Solaris or Red Hat... f**k Red Hat and Oracle)
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(OPENSSL_NO_ECDH)
EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
if (key) {
SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
EC_KEY_free(key);
}
#endif
#ifndef LRB_HAVE_TLS_METHOD_API
ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
#else
ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#endif
if(ssl_client_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
get_ssl_error(ERR_get_error()));
ret = 0;
}
#ifndef LRB_HAVE_TLS_METHOD_API
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#endif
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif
SSL_CTX_set_cipher_list(ssl_client_ctx, librb_ciphers);
return ret;
}
static int test_set_sigalgs(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
const sigalgs_list *curr;
int testctx;
/* Should never happen */
if ((size_t)idx >= OSSL_NELEM(testsigalgs) * 2)
return 0;
testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
curr = testctx ? &testsigalgs[idx]
: &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
if (testctx) {
int ret;
if (curr->list != NULL)
ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
else
ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
if (!ret) {
if (curr->valid)
printf("Unexpected failure setting sigalgs in SSL_CTX (%d)\n",
idx);
else
testresult = 1;
goto end;
}
if (!curr->valid) {
printf("Unexpected success setting sigalgs in SSL_CTX (%d)\n", idx);
goto end;
}
}
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
if (!testctx) {
int ret;
if (curr->list != NULL)
ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
else
ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
if (!ret) {
if (curr->valid)
printf("Unexpected failure setting sigalgs in SSL (%d)\n", idx);
else
testresult = 1;
goto end;
}
if (!curr->valid) {
printf("Unexpected success setting sigalgs in SSL (%d)\n", idx);
goto end;
}
}
if (curr->connsuccess != create_ssl_connection(serverssl, clientssl)) {
printf("Unexpected return value creating SSL connection (%d)\n", idx);
goto end;
}
testresult = 1;
end:
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
BOOL create_ssl(int sockfd,
const char* ca_crt_root,
const char* ca_crt_server,
const char* ca_password,
const char* ca_key_server,
BOOL enableclientcacheck,
SSL** pp_ssl, SSL_CTX** pp_ssl_ctx)
{
int ssl_rc = -1;
BOOL b_ssl_accepted;
X509* client_cert;
SSL_METHOD* meth = NULL;
#if OPENSSL_VERSION_NUMBER >= 0x010100000L
meth = (SSL_METHOD*)TLS_server_method();
#else
meth = (SSL_METHOD*)SSLv23_server_method();
#endif /* OPENSSL_VERSION_NUMBER */
*pp_ssl_ctx = SSL_CTX_new(meth);
if(!*pp_ssl_ctx)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl3;
}
if(enableclientcacheck)
{
SSL_CTX_set_verify(*pp_ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
SSL_CTX_set_verify_depth(*pp_ssl_ctx, 4);
}
SSL_CTX_load_verify_locations(*pp_ssl_ctx, ca_crt_root, NULL);
if(SSL_CTX_use_certificate_file(*pp_ssl_ctx, ca_crt_server, SSL_FILETYPE_PEM) <= 0)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl3;
}
SSL_CTX_set_default_passwd_cb_userdata(*pp_ssl_ctx, (char*)ca_password);
if(SSL_CTX_use_PrivateKey_file(*pp_ssl_ctx, ca_key_server, SSL_FILETYPE_PEM) <= 0)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl3;
}
if(!SSL_CTX_check_private_key(*pp_ssl_ctx))
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl3;
}
ssl_rc = SSL_CTX_set_cipher_list(*pp_ssl_ctx, "ALL");
if(ssl_rc == 0)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_CTX_set_cipher_list: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl3;
}
SSL_CTX_set_mode(*pp_ssl_ctx, SSL_MODE_AUTO_RETRY);
*pp_ssl = SSL_new(*pp_ssl_ctx);
if(!*pp_ssl)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_new: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl2;
}
ssl_rc = SSL_set_fd(*pp_ssl, sockfd);
if(ssl_rc == 0)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_set_fd: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl2;
}
ssl_rc = SSL_set_cipher_list(*pp_ssl, "ALL");
if(ssl_rc == 0)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_set_cipher_list: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl2;
}
ssl_rc = SSL_accept(*pp_ssl);
if(ssl_rc < 0)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_accept: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl2;
}
else if(ssl_rc = 0)
{
goto clean_ssl1;
}
b_ssl_accepted = TRUE;
if(enableclientcacheck)
{
ssl_rc = SSL_get_verify_result(*pp_ssl);
if(ssl_rc != X509_V_OK)
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_get_verify_result: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl1;
}
}
if(enableclientcacheck)
{
X509* client_cert;
client_cert = SSL_get_peer_certificate(*pp_ssl);
if (client_cert != NULL)
{
X509_free (client_cert);
}
else
{
CUplusTrace uTrace(SSLERR_LOGNAME, SSLERR_LCKNAME);
uTrace.Write(Trace_Error, "SSL_get_peer_certificate: %s", ERR_error_string(ERR_get_error(),NULL));
goto clean_ssl1;
}
}
return TRUE;
clean_ssl1:
if(*pp_ssl && b_ssl_accepted)
{
SSL_shutdown(*pp_ssl);
b_ssl_accepted = FALSE;
}
clean_ssl2:
if(*pp_ssl)
{
SSL_free(*pp_ssl);
*pp_ssl = NULL;
}
clean_ssl3:
if(*pp_ssl_ctx)
{
SSL_CTX_free(*pp_ssl_ctx);
*pp_ssl_ctx = NULL;
}
return FALSE;
}