const SSL_METHOD * hb_ssl_method_id_to_ptr( int n )
{
const SSL_METHOD * p;
switch( n )
{
#if OPENSSL_VERSION_NUMBER < 0x10000000L
case HB_SSL_CTX_NEW_METHOD_SSLV2: p = SSLv2_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV2_SERVER: p = SSLv2_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV2_CLIENT: p = SSLv2_client_method(); break;
#endif
case HB_SSL_CTX_NEW_METHOD_SSLV3: p = SSLv3_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV3_SERVER: p = SSLv3_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV3_CLIENT: p = SSLv3_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1: p = TLSv1_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_SERVER: p = TLSv1_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_CLIENT: p = TLSv1_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23: p = SSLv23_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23_SERVER: p = SSLv23_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23_CLIENT: p = SSLv23_client_method(); break;
default: p = SSLv23_method();
}
return p;
}
static const SSL_METHOD *tls1_get_method(int ver)
{
if (ver == TLS1_VERSION)
return(TLSv1_method());
else
return(NULL);
}
void ContextImpl::setProtocol(Protocol protocol)
{
bool v2 = false;
switch(protocol)
{
case SSLv2:
// SSLv2_method is not available everywhere (check OPENSSL_NO_SSL2)
SSL_CTX_set_ssl_version(_ctx, SSLv23_method() );
v2 = true;
break;
case SSLv3or2:
SSL_CTX_set_ssl_version( _ctx, SSLv23_method() );
v2 = true;
break;
default:
case SSLv3:
SSL_CTX_set_ssl_version( _ctx, SSLv3_method() );
break;
case TLSv1:
SSL_CTX_set_ssl_version( _ctx, TLSv1_method() );
break;
}
_protocol = protocol;
const char* ciphers = v2 ? "ALL:!aNULL:!eNULL" : "ALL:!aNULL:!eNULL:!SSLv2";
SSL_CTX_set_cipher_list(_ctx, ciphers);
}
/*
** ctx = ssl.context.new("sslv23/sslv3/tlsv1")
*/
static int l_new(lua_State *L)
{
const char *str = luaL_checkstring(L, 1);
SSL_METHOD *method;
SSL_CTX *ctx;
if (strcasecmp(str, "sslv3") == 0)
method = SSLv3_method();
else if (strcasecmp(str, "sslv23") == 0)
method = SSLv23_method();
else if (strcasecmp(str, "tlsv1") == 0)
method = TLSv1_method();
else
luaL_error(L, "invalid arugment #1, should be sslv3/sslv23/tlsv1");
ctx = SSL_CTX_new(method);
if (ctx != NULL) {
Object *obj = (Object*)lua_newuserdata(L, sizeof(Object));
obj->ctx = ctx;
luaL_getmetatable(L, META_NAME);
lua_setmetatable(L, -2);
} else {
lua_pushnil(L);
}
return 1;
}
static const SSL_METHOD *tls1_get_method(int ver)
{
if (ver == TLS1_1_VERSION)
return TLSv1_1_method();
if (ver == TLS1_VERSION)
return TLSv1_method();
return NULL;
}
void Context::createSSLContext()
{
if (SSLManager::isFIPSEnabled())
{
_pSSLContext = SSL_CTX_new(TLSv1_method());
}
else
{
switch (_usage)
{
case CLIENT_USE:
_pSSLContext = SSL_CTX_new(SSLv23_client_method());
break;
case SERVER_USE:
_pSSLContext = SSL_CTX_new(SSLv23_server_method());
break;
#if defined(SSL_OP_NO_TLSv1) && !defined(OPENSSL_NO_TLS1)
case TLSV1_CLIENT_USE:
_pSSLContext = SSL_CTX_new(TLSv1_client_method());
break;
case TLSV1_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLSv1_server_method());
break;
#endif
#if defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1)
/* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version supports TLSv1.1.
* OPENSSL_NO_TLS1 is defined in opensslconf.h or on the compiler command line
* if TLS1.x was removed at OpenSSL library build time via Configure options.
*/
case TLSV1_1_CLIENT_USE:
_pSSLContext = SSL_CTX_new(TLSv1_1_client_method());
break;
case TLSV1_1_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLSv1_1_server_method());
break;
#endif
#if defined(SSL_OP_NO_TLSv1_2) && !defined(OPENSSL_NO_TLS1)
case TLSV1_2_CLIENT_USE:
_pSSLContext = SSL_CTX_new(TLSv1_2_client_method());
break;
case TLSV1_2_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLSv1_2_server_method());
break;
#endif
default:
throw Poco::InvalidArgumentException("Invalid or unsupported usage");
}
}
if (!_pSSLContext)
{
unsigned long err = ERR_get_error();
throw SSLException("Cannot create SSL_CTX object", ERR_error_string(err, 0));
}
SSL_CTX_set_default_passwd_cb(_pSSLContext, &SSLManager::privateKeyPassphraseCallback);
Utility::clearErrorStack();
SSL_CTX_set_options(_pSSLContext, SSL_OP_ALL);
}
/**
* Find the protocol.
*/
static LSEC_SSL_METHOD* str2method(const char *method)
{
if (!strcmp(method, "sslv23")) return SSLv23_method();
if (!strcmp(method, "sslv3")) return SSLv3_method();
if (!strcmp(method, "tlsv1")) return TLSv1_method();
#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
#endif
return NULL;
}
static SSL_METHOD *ssl23_get_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv2_method());
else if (ver == SSL3_VERSION)
return(SSLv3_method());
else if (ver == TLS1_VERSION)
return(TLSv1_method());
else
return(NULL);
}
// nassl.SSL_CTX.new()
static PyObject* nassl_SSL_CTX_new(PyTypeObject *type, PyObject *args, PyObject *kwds) {
nassl_SSL_CTX_Object *self;
int sslVersion;
SSL_CTX *sslCtx;
self = (nassl_SSL_CTX_Object *)type->tp_alloc(type, 0);
if (self == NULL)
return NULL;
self->sslCtx = NULL;
self->pkeyPasswordBuf = NULL;
if (!PyArg_ParseTuple(args, "I", &sslVersion)) {
Py_DECREF(self);
return NULL;
}
switch (sslVersion) {
case sslv23:
sslCtx = SSL_CTX_new(SSLv23_method());
break;
case sslv2:
sslCtx = SSL_CTX_new(SSLv2_method());
break;
case sslv3:
sslCtx = SSL_CTX_new(SSLv3_method());
break;
case tlsv1:
sslCtx = SSL_CTX_new(TLSv1_method());
break;
case tlsv1_1:
sslCtx = SSL_CTX_new(TLSv1_1_method());
break;
case tlsv1_2:
sslCtx = SSL_CTX_new(TLSv1_2_method());
break;
default:
PyErr_SetString(PyExc_ValueError, "Invalid value for ssl version");
Py_DECREF(self);
return NULL;
}
if (sslCtx == NULL) {
raise_OpenSSL_error();
Py_DECREF(self);
return NULL;
}
// Add the client certificate callback
SSL_CTX_set_client_cert_cb(sslCtx, client_cert_cb);
self->sslCtx = sslCtx;
return (PyObject *)self;
}
static const SSL_METHOD *
ssl23_get_method(int ver)
{
if (ver == SSL3_VERSION)
return (SSLv3_method());
if (ver == TLS1_VERSION)
return (TLSv1_method());
if (ver == TLS1_1_VERSION)
return (TLSv1_1_method());
if (ver == TLS1_2_VERSION)
return (TLSv1_2_method());
return (NULL);
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
#ifndef OPENSSL_NO_SSL3_METHOD
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
#endif
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
#ifdef TLS1_1_VERSION
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
#endif
#ifdef TLS1_2_VERSION
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
#endif
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
P_ST_TLS_STRUCT st_tls_create_ctx(P_ST_TLS_STRUCT p_st_tls)
{
P_SSL_CTX p_ctx = NULL;
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
SSL_library_init(); //SSL_library_init() always returns "1"
tls_rand_seed();
if ( p_st_tls->work_status == WORK_SERVER )
{
st_print("Initialize with TLSv1_server_method() \n");
RET_NULL_IF_TRUE_S(!(p_ctx = SSL_CTX_new(TLSv1_server_method())));
}
else if ( p_st_tls->work_status == WORK_CLIENT )
{
st_print("Initialize with TLSv1_client_method() \n");
RET_NULL_IF_TRUE_S(!(p_ctx = SSL_CTX_new(TLSv1_client_method())));
}
else
{
st_print("Initialize with TLSv1_method() \n");
RET_NULL_IF_TRUE_S(!(p_ctx = SSL_CTX_new(TLSv1_method())));
}
//SSL_CTX_set_default_passwd_cb(p_ctx, no_passphrase_callback);
SSL_CTX_set_mode(p_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
if ( strlen(p_st_tls->ca_file) )
{
RET_NULL_IF_TRUE_S( !SSL_CTX_load_verify_locations(p_ctx, p_st_tls->ca_file, NULL));
}
else
{
st_print("No CAfile Verify!\n");
}
RET_NULL_IF_TRUE_S( !SSL_CTX_use_PrivateKey_file(p_ctx, p_st_tls->key_file, SSL_FILETYPE_PEM));
RET_NULL_IF_TRUE_S( !SSL_CTX_use_certificate_chain_file(p_ctx, p_st_tls->cert_file));
// 判定私钥是否正确
RET_NULL_IF_TRUE_S( !SSL_CTX_check_private_key(p_ctx));
p_st_tls->p_ctx = p_ctx;
return p_st_tls;
}
int TlsInit( char* cacertPath )
{
e_TlsError vl_Error;
char a_DefaultCertPath[] = DEFAULT_CERT_PATH;
char *p_CertToUse;
DEBUG_LOG_PRINT_LEV2(("TlsInit : Entry"));
SSL_load_error_strings();
SSL_library_init();
gp_SSL_CTX = SSL_CTX_new(TLSv1_method());
if( NULL == gp_SSL_CTX )
{
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_new returned NULL!\n"));
return FALSE;
}
if ( SSL_CTX_set_cipher_list(gp_SSL_CTX, DEFAULT_CIPHER_LIST ) != 1 )
{
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_set_cipher_list returned NULL!\n"));
SSL_CTX_free(gp_SSL_CTX);
return FALSE; // ERROR selecting SUPL cipher list
}
SSL_CTX_set_info_callback(gp_SSL_CTX, Tls_openssl_info_callback);
#ifdef AGPS_DISABLE_TLS_CA_CERT_VERIFY
/* In this mode, even if a CA cert is not found, a secure connection is established */
SSL_CTX_set_verify( gp_SSL_CTX , SSL_VERIFY_NONE , NULL );
#else
/* If a CA cert is not found matching the server certificate, the handshake is shutdown */
SSL_CTX_set_verify( gp_SSL_CTX , SSL_VERIFY_PEER , Tls_openssl_certificate_verify_callback );
#endif
p_CertToUse = ( cacertPath == NULL ) ? a_DefaultCertPath : cacertPath;
DEBUG_LOG_PRINT_LEV2(("TlsInit : Certificate %s\n" , p_CertToUse));
if( SSL_CTX_load_verify_locations(gp_SSL_CTX, p_CertToUse ,NULL) != 1 )
{
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_load_verify_locations failed!\n"));
return FALSE;
}
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_get_options : %ld" , SSL_CTX_get_options( gp_SSL_CTX ) ));
SSL_CTX_set_options( gp_SSL_CTX,SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3) ;
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_get_options : %ld" , SSL_CTX_get_options( gp_SSL_CTX ) ));
DEBUG_LOG_PRINT_LEV2(("TlsInit : Exit"));
return TRUE;
}
static SSLTransport * _ssl_init(AppTransportPluginHelper * helper,
AppTransportMode mode, char const * name)
{
SSLTransport * ssl;
int res;
#ifdef DEBUG
fprintf(stderr, "DEBUG: %s(%u, \"%s\")\n", __func__, mode, name);
#endif
if((ssl = object_new(sizeof(*ssl))) == NULL)
return NULL;
memset(ssl, 0, sizeof(*ssl));
ssl->helper = helper;
if((ssl->ssl_ctx = SSL_CTX_new(TLSv1_method())) == NULL
|| SSL_CTX_set_cipher_list(ssl->ssl_ctx,
SSL_DEFAULT_CIPHER_LIST) != 1
|| SSL_CTX_load_verify_locations(ssl->ssl_ctx, NULL,
"/etc/openssl/certs") != 1)
/* FIXME report the underlying error */
res = -error_set_code(1, "Could not initialize SSL");
else
switch((ssl->mode = mode))
{
case ATM_CLIENT:
res = _init_client(ssl, name);
break;
case ATM_SERVER:
res = _init_server(ssl, name);
break;
default:
res = -error_set_code(1,
"Unknown transport mode");
break;
}
/* check for errors */
if(res != 0)
{
#ifdef DEBUG
fprintf(stderr, "DEBUG: %s() => %d (%s)\n", __func__, res,
error_get(NULL));
#endif
_ssl_destroy(ssl);
return NULL;
}
#if 0 /* XXX may be useful */
SSL_CTX_set_mode(ssl->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
#endif
return ssl;
}
/**
* Initializes an SSL context using the specified certificates.
*
* @param pubkey The public key.
* @param privkey The matching private key.
* @param cakey CA certificate chain file.
* @returns An SSL context.
*/
shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& privkey, const String& cakey)
{
InitializeOpenSSL();
shared_ptr<SSL_CTX> sslContext = shared_ptr<SSL_CTX>(SSL_CTX_new(TLSv1_method()), SSL_CTX_free);
SSL_CTX_set_mode(sslContext.get(), 0);
if (!SSL_CTX_use_certificate_chain_file(sslContext.get(), pubkey.CStr())) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_use_certificate_chain_file")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(pubkey));
}
if (!SSL_CTX_use_PrivateKey_file(sslContext.get(), privkey.CStr(), SSL_FILETYPE_PEM)) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_use_PrivateKey_file")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(privkey));
}
if (!SSL_CTX_check_private_key(sslContext.get())) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_check_private_key")
<< errinfo_openssl_error(ERR_get_error()));
}
if (!SSL_CTX_load_verify_locations(sslContext.get(), cakey.CStr(), NULL)) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_load_verify_locations")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(cakey));
}
STACK_OF(X509_NAME) *cert_names;
cert_names = SSL_load_client_CA_file(cakey.CStr());
if (cert_names == NULL) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_load_client_CA_file")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(cakey));
}
SSL_CTX_set_client_CA_list(sslContext.get(), cert_names);
return sslContext;
}
static const SSL_METHOD *ssl23_get_method(int ver)
{
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_method());
else
#endif
if (ver == TLS1_VERSION)
return (TLSv1_method());
else if (ver == TLS1_1_VERSION)
return (TLSv1_1_method());
else if (ver == TLS1_2_VERSION)
return (TLSv1_2_method());
else
return (NULL);
}
static void init()
{
if (gSSL_CTX) return;
SSL_load_error_strings();
SSL_library_init();
gSSL_CTX = SSL_CTX_new(TLSv1_method());
#if OPENSSL_VERSION_NUMBER >= 0x00905000L
SSL_CTX_set_cipher_list(gSSL_CTX, "ADH:@STRENGTH");
#else
SSL_CTX_set_cipher_list(gSSL_CTX, "ADH");
#endif
SSL_CTX_set_info_callback(gSSL_CTX, (void (*)())ssl_info_callback);
DH *dh = get_dh512();
SSL_CTX_set_tmp_dh(gSSL_CTX, dh);
DH_free(dh);
}
static int
handshake (struct stream_data *data)
{
int ret;
int finished;
SSL_library_init();
SSL_load_error_strings();
data->ssl_ctx = SSL_CTX_new(TLSv1_method());
if(!data->ssl_ctx) return IKS_NOMEM;
data->ssl = SSL_new(data->ssl_ctx);
if(!data->ssl) return IKS_NOMEM;
if( SSL_set_fd(data->ssl, (int)(intptr_t)data->sock) != 1 ) return IKS_NOMEM;
/* Set both the read and write BIO's to non-blocking mode */
BIO_set_nbio(SSL_get_rbio(data->ssl), 1);
BIO_set_nbio(SSL_get_wbio(data->ssl), 1);
finished = 0;
do
{
ret = SSL_connect(data->ssl);
if( ret != 1 )
{
if( wait_for_data(data, ret, 1) != IKS_OK )
{
finished = 1;
SSL_free(data->ssl);
}
}
} while( ret != 1 && finished != 1 );
if( ret == 1 )
{
data->flags &= (~SF_TRY_SECURE);
data->flags |= SF_SECURE;
iks_send_header (data->prs, data->server);
}
return ret == 1 ? IKS_OK : IKS_NET_TLSFAIL;
}
static const SSL_METHOD *tls1_get_method(int ver)
{
if (ver == TLS_ANY_VERSION)
return TLS_method();
if (ver == TLS1_2_VERSION)
return TLSv1_2_method();
if (ver == TLS1_1_VERSION)
return TLSv1_1_method();
if (ver == TLS1_VERSION)
return TLSv1_method();
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_method());
else
#endif
return NULL;
}
MMGSSLConnection::MMGSSLConnection(const std::string& hostname, const unsigned short port, const std::string& certsPath, const std::string& certFile, const std::string& keyFile, const std::string& keyPassword)
{
this->_hostname = hostname;
this->_port = port;
this->_certsPath = certsPath;
this->_certFile = certFile;
this->_keyFile = keyFile;
this->_keyPassword = keyPassword;
this->_socket = -1;
this->_hostent = NULL;
this->_sslCtx = NULL;
this->_ssl = NULL;
this->_serverCert = NULL;
this->_privateKey = NULL;
// Choose a SSL/TLS protocol version
this->_sslMethod = (SSL_METHOD*)TLSv1_method();
}
int neo4j_openssl_init(void)
{
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
int num_locks = CRYPTO_num_locks();
thread_locks = calloc(num_locks, sizeof(neo4j_mutex_t));
if (thread_locks == NULL)
{
return -1;
}
for (int i = 0; i < num_locks; i++)
{
int err = neo4j_mutex_init(&(thread_locks[i]));
if (err)
{
for (; i > 0; --i)
{
neo4j_mutex_destroy(&(thread_locks[i-1]));
}
free(thread_locks);
errno = err;
return -1;
}
}
if (CRYPTO_get_locking_callback() == NULL)
{
CRYPTO_set_locking_callback(locking_callback);
CRYPTO_set_id_callback(neo4j_current_thread_id);
}
SSL_CTX *ctx = SSL_CTX_new(TLSv1_method());
if (ctx == NULL)
{
errno = openssl_error(NULL, NEO4J_LOG_ERROR, __FILE__, __LINE__);
return -1;
}
SSL_CTX_free(ctx);
return 0;
}
int easyssl_setup(EASYSSL *ctx) {
SSL_load_error_strings();
if(SSL_library_init() != 1) {
printf("Error: SSL lib init failure\n");
return -SSL_ERR_INIT;
}
if((ctx->ctx = SSL_CTX_new(SSLv3_method())) == NULL) {
printf("Create SSLv3 failure\n");
if((ctx->ctx = SSL_CTX_new(TLSv1_method())) == NULL) {
printf("Create TLSv1 failure\n");
return -SSL_ERR_TLS;
}
}
if(ctx->cert_auth == 0){
SSL_CTX_set_verify(ctx->ctx, SSL_VERIFY_NONE, NULL);
}else{
SSL_CTX_set_verify(ctx->ctx, SSL_VERIFY_PEER, easyssl_ca_verify_cb);
SSL_CTX_set_verify_depth(ctx->ctx, EASYSSL_DEPTH);
if(SSL_CTX_load_verify_locations(ctx->ctx, ctx->cert_path, NULL) != 1) {
return -SSL_ERR_CERT;
}
}
SSL_CTX_set_default_passwd_cb_userdata(ctx->ctx, ctx->passwd);
if(SSL_CTX_use_certificate_chain_file(ctx->ctx, ctx->cert_path) == 1){
printf("Load certificate success\n");
}
if(SSL_CTX_use_PrivateKey_file(ctx->ctx, ctx->pkey_path, SSL_FILETYPE_PEM) == 1) {
printf("Load private key success\n");
}
if(SSL_CTX_check_private_key(ctx->ctx) == 1) {
printf("Check private key success\n");
}
if((ctx->ssl = SSL_new(ctx->ctx)) == NULL) {
printf("Error: create SSL failure\n");
return -SSL_ERR_NEW;
}
if(SSL_set_fd(ctx->ssl, ctx->fd) != 1) {
printf("Error: set SSL fd failure\n");
}
if(SSL_connect(ctx->ssl) != 1) {
return -SSL_ERR_CONN;
}
printf("Connected to SSL success\n");
return SSL_ERR_SUCCESS;
}
int ssl_connect(int sock, SSL ** ssl_con)
{
SSL_METHOD *meth;
SSL_CTX *ctx;
SSL_library_init();
SSL_load_error_strings();
meth = (SSL_METHOD *) TLSv1_method();
ctx = SSL_CTX_new(meth);
*ssl_con = SSL_new(ctx);
SSL_set_fd(*ssl_con, sock);
if (SSL_connect(*ssl_con) <= 0)
return -1;
return 0;
}
static const SSL_METHOD* get_ssl_method(const char* tls_version)
{
if (!tls_version || !*tls_version)
{
LOG_ERROR("tls_version is not set.");
return 0;
}
if (!strcmp(tls_version, "1.0"))
return TLSv1_method();
if (!strcmp(tls_version, "1.1"))
return TLSv1_1_method();
if (!strcmp(tls_version, "1.2"))
return TLSv1_2_method();
LOG_ERROR("Unable to recognize tls_version.");
return 0;
}
int mosquitto_ssl_set(struct mosquitto *mosq, const char *pemfile, const char *password)
{
#ifdef WITH_SSL
if(!mosq || mosq->ssl) return MOSQ_ERR_INVAL; //FIXME
mosq->ssl = _mosquitto_malloc(sizeof(struct _mosquitto_ssl));
if(!mosq->ssl) return MOSQ_ERR_NOMEM;
mosq->ssl->ssl_ctx = SSL_CTX_new(TLSv1_method());
if(!mosq->ssl->ssl_ctx) return MOSQ_ERR_SSL;
mosq->ssl->ssl = SSL_new(mosq->ssl->ssl_ctx);
return MOSQ_ERR_SUCCESS;
#else
return MOSQ_ERR_NOT_SUPPORTED;
#endif
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
/*
* initialize ssl methods
*/
static void
init_ssl_methods(void)
{
LM_DBG("entered\n");
ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLSv1_method();
ssl_methods[TLS_USE_SSLv23_cli-1] = (SSL_METHOD*)SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv-1] = (SSL_METHOD*)SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23-1] = (SSL_METHOD*)SSLv23_method();
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLSv1_2_client_method();
ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLSv1_2_server_method();
ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLSv1_2_method();
#endif
}
static SSL_METHOD *ssl23_get_method(int ver)
{
#ifndef OPENSSL_NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_method());
else
#endif
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_method());
else
#endif
#ifndef OPENSSL_NO_TLS1
if (ver == TLS1_VERSION)
return(TLSv1_method());
else
#endif
return(NULL);
}
void
get_highest_preference_tls_cipher (char *buf, int size)
{
SSL_CTX *ctx;
SSL *ssl;
const char *cipher_name;
ctx = SSL_CTX_new (TLSv1_method ());
if (!ctx)
msg (M_SSLERR, "Cannot create SSL_CTX object");
ssl = SSL_new (ctx);
if (!ssl)
msg (M_SSLERR, "Cannot create SSL object");
cipher_name = SSL_get_cipher_list (ssl, 0);
strncpynt (buf, cipher_name, size);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
/*
* initialize ssl methods
*/
static void
init_ssl_methods(void)
{
DBG("init_methods: Entered\n");
ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method();
ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
ssl_methods[TLS_USE_SSLv2 - 1] = SSLv2_method();
ssl_methods[TLS_USE_SSLv3_cli - 1] = SSLv3_client_method();
ssl_methods[TLS_USE_SSLv3_srv - 1] = SSLv3_server_method();
ssl_methods[TLS_USE_SSLv3 - 1] = SSLv3_method();
ssl_methods[TLS_USE_TLSv1_cli - 1] = TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv - 1] = TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1 - 1] = TLSv1_method();
ssl_methods[TLS_USE_SSLv23_cli - 1] = SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
}
