static void perform_ssl_connection (void)
{
    struct evhttp_connection *con;
    struct evhttp_request *req;
    struct bufferevent *bev;
    SSL_CTX *sctx;
    SSL *ssl;

    sctx = SSL_CTX_new (SSLv23_client_method ());
    assert (sctx);

    SSL_CTX_set_options (sctx, SSL_OP_NO_TLSv1_2);
	//SSL_CTX_set_options (sctx, SSL_OP_ALL);
	SSL_CTX_set_timeout (sctx, 3000);
	SSL_CTX_set_verify (sctx, SSL_VERIFY_PEER, SSLX_CTX_verify_callback);
	SSL_CTX_set_default_verify_paths (sctx);
    SSL_CTX_set_cipher_list (sctx, "RC4-MD5");

    ssl = SSL_new (sctx);
    assert (ssl);

     bev = bufferevent_openssl_socket_new (evbase, -1, ssl, BUFFEREVENT_SSL_CONNECTING , BEV_OPT_CLOSE_ON_FREE);
    //bev = bufferevent_socket_new (evbase, -1, BEV_OPT_CLOSE_ON_FREE);
    assert (bev);

    con = evhttp_connection_base_bufferevent_new (evbase, dnsbase, bev, HOST, PORT);
    evhttp_connection_set_closecb (con, on_connection_close, NULL);
    evhttp_connection_set_timeout (con, 10);

	req = evhttp_request_new (on_response_cb, NULL);
	evhttp_add_header (req->output_headers, "Host", HOST);
//	evhttp_add_header (req->output_headers, "Connection", "Keep-Alive");

    evhttp_make_request (con, req, EVHTTP_REQ_GET, "/index.html");
}
Exemple #2
0
int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
	long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;

	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
	ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif

	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();
	/*
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
	 * which use the SSL hellos, which are often used for
	 * compatibility. We then disable SSL so we only allow OpenSSL
	 * to speak TLSv1 to perform the encryption itself.
	 */
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
	SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}
#endif

	git__on_shutdown(shutdown_ssl);

	return 0;
}
/* sqSetupSSL: Common SSL setup tasks */
sqInt sqSetupSSL(sqSSL *ssl, int server) {

	/* Fixme. Needs to use specified version */
	if(ssl->loglevel) printf("sqSetupSSL: setting method\n");
	ssl->method = SSLv23_method();
	if(ssl->loglevel) printf("sqSetupSSL: Creating context\n");
	ssl->ctx = SSL_CTX_new(ssl->method);

	if(!ssl->ctx) ERR_print_errors_fp(stdout);

	if(ssl->loglevel) printf("sqSetupSSL: setting cipher list\n");
	SSL_CTX_set_cipher_list(ssl->ctx, "!ADH:HIGH:MEDIUM:@STRENGTH");

	/* if a cert is provided, use it */
	if(ssl->certName) {
		if(ssl->loglevel) printf("sqSetupSSL: Using cert file %s\n", ssl->certName);
		if(SSL_CTX_use_certificate_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0)
		  ERR_print_errors_fp(stderr);

		if(SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0)
		  ERR_print_errors_fp(stderr);
	}

	/* Set up trusted CA */
	if(ssl->loglevel) printf("sqSetupSSL: No root CA given; using default verify paths\n");
	if(SSL_CTX_set_default_verify_paths(ssl->ctx) <=0)
	  ERR_print_errors_fp(stderr);

	if(ssl->loglevel) printf("sqSetupSSL: Creating SSL\n");
	ssl->ssl = SSL_new(ssl->ctx);
	if(ssl->loglevel) printf("sqSetupSSL: setting bios\n");
	SSL_set_bio(ssl->ssl, ssl->bioRead, ssl->bioWrite);
	return 1;
}
Exemple #4
0
static int ssl_setup(git_transport *t, const char *host)
{
	int ret;

	SSL_library_init();
	SSL_load_error_strings();
	t->ssl.ctx = SSL_CTX_new(SSLv23_method());
	if (t->ssl.ctx == NULL)
		return ssl_set_error(&t->ssl, 0);

	SSL_CTX_set_mode(t->ssl.ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_PEER, NULL);
	if (!SSL_CTX_set_default_verify_paths(t->ssl.ctx))
		return ssl_set_error(&t->ssl, 0);

	t->ssl.ssl = SSL_new(t->ssl.ctx);
	if (t->ssl.ssl == NULL)
		return ssl_set_error(&t->ssl, 0);

	if((ret = SSL_set_fd(t->ssl.ssl, t->socket)) == 0)
		return ssl_set_error(&t->ssl, ret);

	if ((ret = SSL_connect(t->ssl.ssl)) <= 0)
		return ssl_set_error(&t->ssl, ret);

	if (t->check_cert && verify_server_cert(t, host) < 0)
		return -1;

	return 0;
}
Exemple #5
0
int _ssl_ctx_set_packed_file(void *ctx, const char *cfile) {
	_SSLO_CTX *so = ctx;
	if (ctx == NULL) {
		return ERR_TR50_BADHANDLE;
	}

	if (SSL_CTX_use_certificate_chain_file(so->ctx, cfile) != 1) {
		//so->errcode = ERR_get_error();
		//ERR_error_string_n(so->errcode, so->errmsg, SSL_ERR_STR_LEN);
		return ERR_TR50_SSL_CTX;
	}

	if (SSL_CTX_load_verify_locations(so->ctx, cfile, NULL) != 1) {
		//so->errcode = ERR_get_error();
		//ERR_error_string_n(so->errcode, so->errmsg, SSL_ERR_STR_LEN);
		return ERR_TR50_SSL_CTX;
	}

	if (SSL_CTX_set_default_verify_paths(so->ctx) != 1) {
		//so->errcode = ERR_get_error();
		//ERR_error_string_n(so->errcode, so->errmsg, SSL_ERR_STR_LEN);
		return ERR_TR50_SSL_CTX;
	}

	SSL_CTX_set_default_passwd_cb(so->ctx, _ssl_ctx_passwd_cb);
	SSL_CTX_set_default_passwd_cb_userdata(so->ctx, so->passwd);
	if (SSL_CTX_use_PrivateKey_file(so->ctx, cfile, SSL_FILETYPE_PEM) != 1) {
		//so->errcode = ERR_get_error();
		//ERR_error_string_n(so->errcode, so->errmsg, SSL_ERR_STR_LEN);
		return ERR_TR50_SSL_CTX;
	}

	return 0;
}
SSL *getSSL(void)
{
	if (!context) {
		const SSL_METHOD *m;
		unsigned char f_randfile[PATH_MAX];

		const unsigned char *f = (const unsigned char *)RAND_file_name(cast_char f_randfile, sizeof(f_randfile));
		if (f && RAND_egd(cast_const_char f)<0) {
			/* Not an EGD, so read and write to it */
			if (RAND_load_file(cast_const_char f_randfile, -1))
				RAND_write_file(cast_const_char f_randfile);
		}
		SSLeay_add_ssl_algorithms();
		m = SSLv23_client_method();
		if (!m) return NULL;
		context = SSL_CTX_new((void *)m);
		if (!context) return NULL;
		SSL_CTX_set_options(context, SSL_OP_ALL);
		SSL_CTX_set_default_verify_paths(context);
/* needed for systems without /dev/random, but obviously kills security. */
		/*{
			unsigned char pool[32768];
			int i;
			int rs;
			struct timeval tv;
			EINTRLOOP(rs, gettimeofday(&tv, NULL));
			for (i = 0; i < sizeof pool; i++) pool[i] = random() ^ tv.tv_sec ^ tv.tv_usec;
			RAND_add(pool, sizeof pool, sizeof pool);
		}*/
	}
	return (SSL_new(context));
}
Exemple #7
0
static int ssl_setup(gitno_socket *socket, const char *host, int flags)
{
	int ret;

	SSL_library_init();
	SSL_load_error_strings();
	socket->ssl.ctx = SSL_CTX_new(SSLv23_method());
	if (socket->ssl.ctx == NULL)
		return ssl_set_error(&socket->ssl, 0);

	SSL_CTX_set_mode(socket->ssl.ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(socket->ssl.ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(socket->ssl.ctx))
		return ssl_set_error(&socket->ssl, 0);

	socket->ssl.ssl = SSL_new(socket->ssl.ctx);
	if (socket->ssl.ssl == NULL)
		return ssl_set_error(&socket->ssl, 0);

	if((ret = SSL_set_fd(socket->ssl.ssl, socket->socket)) == 0)
		return ssl_set_error(&socket->ssl, ret);

	if ((ret = SSL_connect(socket->ssl.ssl)) <= 0)
		return ssl_set_error(&socket->ssl, ret);

	if (GITNO_CONNECT_SSL_NO_CHECK_CERT & flags)
		return 0;

	return verify_server_cert(&socket->ssl, host);
}
Exemple #8
0
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
    if (SSL_CTX_load_verify_locations(ctx, CertFile, KeyFile) != 1)
        ERR_print_errors_fp(stderr);

    if (SSL_CTX_set_default_verify_paths(ctx) != 1)
        ERR_print_errors_fp(stderr);

    if (SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0)
    {
        ERR_print_errors_fp(stderr);
        abort();
    }

    if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)
    {
        ERR_print_errors_fp(stderr);
        abort();
    }

    if (!SSL_CTX_check_private_key(ctx))
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }

    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
}
Exemple #9
0
bool HTTPSClient::initSSL()
{
#if SSLEAY_VERSION_NUMBER < 0x0800
    mpCTX = SSL_CTX_new();
    if (mpCTX == NULL)
        return false;
    X509_set_default_verify_paths(pCTX->cert);
#else
    SSLeay_add_ssl_algorithms();
    mpCTX = SSL_CTX_new(SSLv23_client_method());
    SSL_CTX_set_options(pCTX, SSL_OP_ALL);
    SSL_CTX_set_default_verify_paths(pCTX);
#endif /* SSLEAY_VERSION_NUMBER < 0x0800 */
#if SSLEAY_VERSION_NUMBER >= 0x00905100
    if (RAND_status() == 0) {
        time_t t;
        long l,seed;
        t = time(NULL);
        RAND_seed((unsigned char *)&t, sizeof(time_t));
        RAND_bytes((unsigned char *)&seed, sizeof(long));
        srand(seed);
        while (RAND_status() == 0) {
            l = rand();
            RAND_seed((unsigned char *)&l, sizeof(long));
        }
    }
#endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */
    mpSSL = SSL_new(pCTX);
    if(!mpSSL)
        return false;
#if SSLEAY_VERSION_NUMBER >= 0x0900
    pSSL->options|=SSL_OP_NO_TLSv1;
#endif
    return true;
}
Exemple #10
0
/* Initialize the library */
static void tls_init(int verify)
{
	if(_tlsctx)
	{
		TLSERROR("Library is already initialized!");
		return;
	}

	SSL_load_error_strings();
	SSL_library_init();

	_tlsctx = SSL_CTX_new(TLSv1_method());
	if(!_tlsctx) TLSERROR("Couldn't create TLS object.\n");
	else
	{
		OPENSSLCHECK(SSL_CTX_set_quiet_shutdown(_tlsctx, 1));
		OPENSSLCHECK(SSL_CTX_set_info_callback(_tlsctx, NULL));
		OPENSSLCHECK(SSL_CTX_load_verify_locations(ctx, CAfile, CApath));
		OPENSSLCHECK(SSL_CTX_set_default_verify_paths());
		if(verify == GGZ_TLS_VERIFY_PEER) SSL_CTX_set_verify(_tlsctx, SSL_VERIFY_PEER, tls_verify);
		else SSL_CTX_set_verify(_tlsctx, SSL_VERIFY_NONE, NULL);
	}

	openssllist = ggz_list_create(NULL, NULL, NULL, GGZ_LIST_ALLOW_DUPS);
}
Exemple #11
0
SSL_CTX *setup_client_ctx (void)
{
  SSL_CTX *ctx;
  ctx = SSL_CTX_new (SSLv23_method ());
	/* Test de la passphrase */
  SSL_CTX_set_default_passwd_cb (ctx, passwd_cb);
  if (SSL_CTX_load_verify_locations (ctx, CAFILE, CADIR) != 1)
    int_error ("ERREUR DE CHARGEMENT DU FICHIER");
  if (SSL_CTX_set_default_verify_paths (ctx) != 1)
    int_error ("ERREUR DE CHARGEMENT DU FICHIER default CA file");
  if (SSL_CTX_use_certificate_chain_file (ctx, CERTFILE) != 1)
    int_error ("ERREUR DE CHARGEMENT DU CERTIFICAT");
  if (SSL_CTX_use_PrivateKey_file (ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
    int_error ("ERREUR DE CHARGEMENT DE LA CLEF PRIVE");
  SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
		      verify_callback);
  SSL_CTX_set_verify_depth (ctx, 4);
  SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
		       SSL_OP_SINGLE_DH_USE);
  /*
  SSL_CTX_set_tmp_dh_callback (ctx, tmp_dh_callback);
  
  if (SSL_CTX_set_cipher_list (ctx, CIPHER_LIST) != 1)
    int_error ("ERREUR DE LECTURE DE LA LISTE DE CHIPTER");
  */
  return (ctx);
}
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
	if (SSL_CTX_load_verify_locations(ctx, CertFile, KeyFile) != 1)
	       ERR_print_errors_fp(stderr);

	if (SSL_CTX_set_default_verify_paths(ctx) != 1)
	       ERR_print_errors_fp(stderr);


	/* set the local certificate from CertFile */
    if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 ){
        ERR_print_errors_fp(stderr);
        abort();
    }

    /* set the private key from KeyFile (may be the same as CertFile) */
    if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 ){
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* verify private key */
    if ( !SSL_CTX_check_private_key(ctx) ){
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }
}
//=========================================
// setupClientCTX
//-----------------------------------------
void SSLClient::setupClientCTX (void) {
	ctx = SSL_CTX_new(SSLv23_method(  ));
	SSL_CTX_set_default_passwd_cb (ctx, passwd_cb);
	OpenSSL_add_all_algorithms();
	if (SSL_CTX_load_verify_locations(
		ctx, CAFILE.toLatin1().data(), CADIR) != 1
	) {
		qerror("Error loading CA file and/or directory");
	}
	if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
		qerror("Error loading default CA file and/or directory");
	}
	if (SSL_CTX_use_certificate_chain_file(
		ctx, CLIENT_CERTFILE.toLatin1().data()) != 1
	) {
		qerror("Error loading certificate from file");
	}
	if (SSL_CTX_use_PrivateKey_file(
		ctx,CLIENT_CERTFILE.toLatin1().data(),SSL_FILETYPE_PEM
	) != 1) {
		qerror("Error loading private key from file");
	}
	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
	SSL_CTX_set_verify_depth(ctx, 4);
	SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
	if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1) {
		qerror("Error setting cipher list (no valid ciphers)");
	}
}
Exemple #14
0
static void
init_openssl(struct module *module)
{
	unsigned char f_randfile[PATH_MAX];

	/* In a nutshell, on OS's without a /dev/urandom, the OpenSSL library
	 * cannot initialize the PRNG and so every attempt to use SSL fails.
	 * It's actually an OpenSSL FAQ, and according to them, it's up to the
	 * application coders to seed the RNG. -- William Yodlowsky */
	RAND_file_name(f_randfile, sizeof(f_randfile));
#ifdef HAVE_RAND_EGD
	if (RAND_egd(f_randfile) < 0) {
		/* Not an EGD, so read and write to it */
#endif
		if (RAND_load_file(f_randfile, -1))
			RAND_write_file(f_randfile);
#ifdef HAVE_RAND_EGD
	}
#endif

	SSLeay_add_ssl_algorithms();
	context = SSL_CTX_new(SSLv23_client_method());
	SSL_CTX_set_options(context, SSL_OP_ALL);
	SSL_CTX_set_default_verify_paths(context);
	socket_SSL_ex_data_idx = SSL_get_ex_new_index(0, NULL,
						      NULL,
						      socket_SSL_ex_data_dup,
						      NULL);
}
Exemple #15
0
int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
	long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
	const char *ciphers = git_libgit2__ssl_ciphers();

	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
	ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif

#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();
#else
	OPENSSL_init_ssl(0, NULL);
#endif

	/*
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
	 * which use the SSL hellos, which are often used for
	 * compatibility. We then disable SSL so we only allow OpenSSL
	 * to speak TLSv1 to perform the encryption itself.
	 */
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
	SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}

	if (!ciphers) {
		ciphers = GIT_SSL_DEFAULT_CIPHERS;
	}

	if(!SSL_CTX_set_cipher_list(git__ssl_ctx, ciphers)) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}

	if (init_bio_method() < 0) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}

#endif

	git__on_shutdown(shutdown_ssl);

	return 0;
}
Exemple #16
0
SSL_CTX* SSLListener::initSSLContext() {
  SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
  EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  SSL_CTX_set_tmp_ecdh(ctx,ecdh);
  EC_KEY_free(ecdh);
  SSL_CTX_set_default_verify_paths(ctx);
  return ctx;
};
Exemple #17
0
SSL_CTX *initCTX() {
	SSL_CTX *m_ctx;
	ERR((m_ctx = SSL_CTX_new(SSLv23_method())) == NULL,
		COMP("SSL_CTX_new():%1", SSLErrors()))

	SSL_CTX_set_options(m_ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
	ERR(SSL_CTX_set_default_verify_paths(m_ctx) == 0,
		COMP("SSL_CTX_set_default_verify_paths():%1", SSLErrors()))
	return m_ctx;
}
Exemple #18
0
static inline int tls_setup(shout_tls_t *tls)
{
	SSL_METHOD *meth;

	SSL_library_init();
	SSL_load_error_strings();
	SSLeay_add_all_algorithms();
 	SSLeay_add_ssl_algorithms();

	meth = TLSv1_client_method();
	if (!meth)
		goto error;

	tls->ssl_ctx = SSL_CTX_new(meth);
	if (!tls->ssl_ctx)
		goto error;

	SSL_CTX_set_default_verify_paths(tls->ssl_ctx);
	SSL_CTX_load_verify_locations(tls->ssl_ctx, tls->ca_file, tls->ca_directory);

	SSL_CTX_set_verify(tls->ssl_ctx, SSL_VERIFY_NONE, NULL);

	if (tls->client_certificate) {
		if (SSL_CTX_use_certificate_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1)
			goto error;
		if (SSL_CTX_use_PrivateKey_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1)
			goto error;
	}

	if (SSL_CTX_set_cipher_list(tls->ssl_ctx, tls->allowed_ciphers) <= 0)
		goto error;

	SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_AUTO_RETRY);

	tls->ssl = SSL_new(tls->ssl_ctx);
	if (!tls->ssl)
		goto error;

	if (!SSL_set_fd(tls->ssl, tls->socket))
		goto error;

	SSL_set_tlsext_host_name(tls->ssl, tls->host);
	SSL_set_connect_state(tls->ssl);
	tls->ssl_ret = SSL_connect(tls->ssl);

	return SHOUTERR_SUCCESS;

	error:
		if (tls->ssl)
			SSL_free(tls->ssl);
		if (tls->ssl_ctx)
			SSL_CTX_free(tls->ssl_ctx);
		return SHOUTERR_UNSUPPORTED;
}
Exemple #19
0
void server_ssl_init(void) 
{
    SSLeay_add_ssl_algorithms();
    SSL_load_error_strings();
    global_server_ssl_context = SSL_CTX_new(SSLv23_server_method());
    SSL_CTX_set_mode(global_server_ssl_context, 
        SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
    if (!SSL_CTX_set_default_verify_paths(global_server_ssl_context)) {
	   panic(0, "can not set default path for server");
    }
}
Exemple #20
0
SSLContext::SSLContext(
    Usage usage,
    const std::string& caLocation, 
    VerificationMode verificationMode,
    int verificationDepth,
    bool loadDefaultCAs,
    const std::string& cipherList):
    _usage(usage),
    _mode(verificationMode),
    _sslContext(0),
    _extendedVerificationErrorDetails(true)
{
    crypto::initializeEngine();
    
    createSSLContext();

    int errCode = 0;
    if (!caLocation.empty())
    {
        if (fs::isdir(caLocation))
            errCode = SSL_CTX_load_verify_locations(_sslContext, 0, fs::transcode(caLocation).c_str());
        else
            errCode = SSL_CTX_load_verify_locations(_sslContext, fs::transcode(caLocation).c_str(), 0);
        if (errCode != 1)
        {
            std::string msg = getLastError();
            SSL_CTX_free(_sslContext);
            throw std::runtime_error(std::string("SSL Error: Cannot load CA file/directory at ") + caLocation + ": " + msg);
        }
    }

    if (loadDefaultCAs)
    {
        errCode = SSL_CTX_set_default_verify_paths(_sslContext);
        if (errCode != 1)
        {
            std::string msg = getLastError();
            SSL_CTX_free(_sslContext);
            throw std::runtime_error("SSL Error: Cannot load default CA certificates: " + msg);
        }
    }

    if (isForServerUse())
        SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyServerCallback);
    else
        SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyClientCallback);

    SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str());
    SSL_CTX_set_verify_depth(_sslContext, verificationDepth);
    SSL_CTX_set_mode(_sslContext, SSL_MODE_AUTO_RETRY);
    SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF);
}
Exemple #21
0
static int ssl_init(GF_DownloadManager *dm, u32 mode)
{
	SSL_METHOD *meth;
	
	if (!dm) return 0;
    /* The SSL has already been initialized. */
	if (dm->ssl_ctx) return 1;
	/* Init the PRNG.  If that fails, bail out.  */
	init_prng();
	if (RAND_status() != 1) goto error;
	SSL_library_init();
	SSL_load_error_strings();
	SSLeay_add_all_algorithms();
	SSLeay_add_ssl_algorithms();
	
	switch (mode) {
	case 0:
		meth = SSLv23_client_method();
		break;
	case 1:
		meth = SSLv2_client_method();
		break;
	case 2:
		meth = SSLv3_client_method();
		break;
	case 3:
		meth = TLSv1_client_method();
		break;
	default:
		goto error;
	}
	
	dm->ssl_ctx = SSL_CTX_new(meth);
	if (!dm->ssl_ctx) goto error;
	SSL_CTX_set_default_verify_paths(dm->ssl_ctx);
	SSL_CTX_load_verify_locations (dm->ssl_ctx, NULL, NULL);
	/* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
     certificate is invalid.  We verify the certificate separately in
     ssl_check_certificate, which provides much better diagnostics
     than examining the error stack after a failed SSL_connect.  */
	SSL_CTX_set_verify(dm->ssl_ctx, SSL_VERIFY_NONE, NULL);

	/* Since fd_write unconditionally assumes partial writes (and handles them correctly), 
	allow them in OpenSSL.  */
	SSL_CTX_set_mode(dm->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	return 1;
error:
	if (dm->ssl_ctx) SSL_CTX_free(dm->ssl_ctx);
	dm->ssl_ctx = NULL;
	return 0;
}
Exemple #22
0
static void init_ssl(void)
{
#ifdef GIT_SSL
	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();
	/*
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
	 * which use the SSL hellos, which are often used for
	 * compatibility. We then disable SSL so we only allow OpenSSL
	 * to speak TLSv1 to perform the encryption itself.
	 */
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
	SSL_CTX_set_options(git__ssl_ctx,
			    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
# ifdef SSL_OP_NO_COMPRESSION
			    | SSL_OP_NO_COMPRESSION
# endif
		);
	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
	}

# ifdef GIT_THREADS
	{
		int num_locks, i;

		num_locks = CRYPTO_num_locks();
		openssl_locks = git__calloc(num_locks, sizeof(git_mutex));
		if (openssl_locks == NULL) {
			SSL_CTX_free(git__ssl_ctx);
			git__ssl_ctx = NULL;
		}

		for (i = 0; i < num_locks; i++) {
			if (git_mutex_init(&openssl_locks[i]) != 0) {
				SSL_CTX_free(git__ssl_ctx);
				git__ssl_ctx = NULL;
			}
		}

		CRYPTO_set_locking_callback(openssl_locking_function);
	}

	git__on_shutdown(shutdown_ssl);
# endif
#endif
}
Exemple #23
0
/*
 * we keep local copies of each of the variables so we can properly determine
 * when something has changed.  if neither ca_path nor ca_file is set, then we
 * load the default paths.
 */
void
ssl_setup_certs(u_char *dummy)
{
#ifdef USE_OPENSSL
	if (!ssl_ctx)
		return;

	static	u_char	*ca_file;
	static	u_char	*ca_path;
	static	u_char	*chain_file;
	static	u_char	*private_key_file;
		u_char	*cur_ca_file = get_string_var(SSL_CA_FILE_VAR);
		u_char	*cur_ca_path = get_string_var(SSL_CA_PATH_VAR);
		u_char	*cur_chain_file = get_string_var(SSL_CA_CHAIN_FILE_VAR);
		u_char	*cur_private_key_file =
			 get_string_var(SSL_CA_PRIVATE_KEY_FILE_VAR);

	if (ca_file != cur_ca_file ||
	    ca_path != cur_ca_path)
	{
		ca_file = cur_ca_file;
		ca_path = cur_ca_path;

		Debug(DB_SSL, "calling SSL_CTX_load_verify_locations(%s, %s)",
		      ca_file, ca_path);
		SSL_CTX_load_verify_locations(ssl_ctx, CP(ca_file), CP(ca_path));
	}
	
	if (!ca_path && !ca_file)
		SSL_CTX_set_default_verify_paths(ssl_ctx);

	if (chain_file != cur_chain_file)
	{
		chain_file = cur_chain_file;
		Debug(DB_SSL, "calling SSL_CTX_use_certificate_chain_file(%s)",
		      chain_file);
		SSL_CTX_use_certificate_chain_file(ssl_ctx, CP(chain_file));
	}

	if (private_key_file != cur_private_key_file)
	{
		private_key_file = cur_private_key_file;
		Debug(DB_SSL, "calling SSL_CTX_use_PrivateKey_file(%s)",
		      private_key_file);
		SSL_CTX_use_PrivateKey_file(ssl_ctx, CP(private_key_file),
					    SSL_FILETYPE_PEM);
	}
#endif
}
Exemple #24
0
static int BSslSetupVerify(SSL_CTX *pSCtx, SslServerBind const *pSSLB)
{
	char const *pszKeyFile = pSSLB->pszKeyFile;

	if (pSSLB->pszCertFile != NULL) {
		if (SSL_CTX_use_certificate_chain_file(pSCtx,
						       pSSLB->pszCertFile) <= 0) {
			ErrSetErrorCode(ERR_SSL_SETCERT, pSSLB->pszCertFile);
			return ERR_SSL_SETCERT;
		}
		if (pszKeyFile == NULL)
			pszKeyFile = pSSLB->pszCertFile;
	}
	if (pszKeyFile != NULL) {
		if (SSL_CTX_use_PrivateKey_file(pSCtx, pszKeyFile,
						SSL_FILETYPE_PEM) <= 0) {
			ErrSetErrorCode(ERR_SSL_SETKEY, pszKeyFile);
			return ERR_SSL_SETKEY;
		}
		if (!SSL_CTX_check_private_key(pSCtx)) {
			ErrSetErrorCode(ERR_SSL_CHECKKEY, pszKeyFile);
			return ERR_SSL_CHECKKEY;
		}
	}
	if (pSSLB->ulFlags & BSSLF_WANT_VERIFY) {
		int iVerMode = SSL_VERIFY_PEER;

		if (pSSLB->ulFlags & BSSLF_WANT_CERT)
			iVerMode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
		SSL_CTX_set_verify(pSCtx, iVerMode, BSslCertVerifyCB);
		if (pSSLB->iMaxDepth > 0)
			SSL_CTX_set_verify_depth(pSCtx, pSSLB->iMaxDepth);
		SSL_CTX_set_app_data(pSCtx, pSSLB);

		if (pSSLB->pszCAFile != NULL || pSSLB->pszCAPath != NULL) {
			if (!SSL_CTX_load_verify_locations(pSCtx, pSSLB->pszCAFile,
							   pSSLB->pszCAPath)) {
				ErrSetErrorCode(ERR_SSL_VERPATHS);
				return ERR_SSL_VERPATHS;
			}
		} else if (!SSL_CTX_set_default_verify_paths(pSCtx)) {
			ErrSetErrorCode(ERR_SSL_VERPATHS);
			return ERR_SSL_VERPATHS;
		}
	}

	return 0;
}
Exemple #25
0
SSL_CTX *setup_client_ctx(void)
{
    SSL_CTX *ctx;
 
    ctx = SSL_CTX_new(SSLv23_method(  ));
    if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
        int_error("Error loading CA file and/or directory");
    if (SSL_CTX_set_default_verify_paths(ctx) != 1)
        int_error("Error loading default CA file and/or directory");
    if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
        int_error("Error loading certificate from file");
    if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
        int_error("Error loading private key from file");
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
    SSL_CTX_set_verify_depth(ctx, 4);
    return ctx;
}
Exemple #26
0
extern	SSL_CTX	*
MakeSSL_CTX_PKCS11(
	ENGINE  **e,
	char	*pkcs11,
	char	*slotstr,
	char	*cafile,
	char	*capath,
	char	*ciphers)
{
	SSL_CTX *ctx;
	int	 mode = SSL_VERIFY_NONE;

	if ((ctx = SSL_CTX_new(SSLv23_method())) == NULL){
		SSL_Error(_d("SSL_CTX_new failure:\n %s\n"), GetSSLErrorString());
		return NULL;
	}

	if (!SSL_CTX_set_cipher_list(ctx, ciphers)){
		SSL_Error(_d("SSL_CTX_set_cipher_list(%s) failure:\n %s\n"),
				ciphers, GetSSLErrorString());
		SSL_CTX_free(ctx);
		return NULL;
	}

	mode = SSL_VERIFY_PEER;
	mode |= SSL_VERIFY_CLIENT_ONCE;
	SSL_CTX_set_verify(ctx, mode, RemoteVerifyCallBack);
	SSL_CTX_set_options(ctx, SSL_OP_ALL);

	if ((cafile == NULL) && (capath == NULL)){
		if (!SSL_CTX_set_default_verify_paths(ctx)){
			SSL_Error(_d("SSL_CTX_set_default_verify_paths error:\n %s\n"),
					GetSSLErrorString());
		}
	}
	else if (!SSL_CTX_load_verify_locations(ctx, cafile, capath)){
		if (cafile == NULL) cafile = capath;
		SSL_Error(_d("SSL_CTX_load_verify_locations(%s)\n"), cafile);
		SSL_CTX_free(ctx);
		return NULL;
	}

	if (LoadEnginePKCS11(ctx, e, pkcs11, slotstr)) return ctx;
	return NULL;
}
Exemple #27
0
void
_lm_ssl_initialize (LmSSL *ssl)
{
    static gboolean initialized = FALSE;
    /*const char *cert_file = NULL;*/

    if (!initialized) {
        SSL_library_init();
        /* FIXME: Is this needed when we are not in debug? */
        SSL_load_error_strings();
        initialized = TRUE;
    }

    ssl->ssl_method = TLSv1_client_method();
    if (ssl->ssl_method == NULL) {
        g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL,
               "TLSv1_client_method() == NULL");
        abort();
    }
    ssl->ssl_ctx = SSL_CTX_new(ssl->ssl_method);
    if (ssl->ssl_ctx == NULL) {
        g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "SSL_CTX_new() == NULL");
        abort();
    }

    /* Set the NO_TICKET option on the context to allow for talk to Google Talk
     * which apparently seems to be having a problem handling empty session
     * tickets due to a bug in Java.
     *
     * See http://twistedmatrix.com/trac/ticket/3463 and
     * Loudmouth [#28].
     */
    SSL_CTX_set_options (ssl->ssl_ctx, SSL_OP_NO_TICKET);

    /*if (access("/etc/ssl/cert.pem", R_OK) == 0)
      cert_file = "/etc/ssl/cert.pem";
      if (!SSL_CTX_load_verify_locations(ssl->ssl_ctx,
      cert_file, "/etc/ssl/certs")) {
      g_warning("SSL_CTX_load_verify_locations() failed");
      }*/
    SSL_CTX_set_default_verify_paths (ssl->ssl_ctx);
    SSL_CTX_set_verify (ssl->ssl_ctx, SSL_VERIFY_PEER, ssl_verify_cb);
}
Exemple #28
0
/**
 * oh_ssl_ctx_init
 *
 * Create a new SSL_CTX object as a framework for TLS/SSL enabled functions.
 * In particular:
 * - Creates a new CTX object with default option values
 * - Sets common compatibility options
 * - Sets the default locations for trusted CA certificates.
 *   SSL_CTX_set_default_verify_paths() is used to add system-wide default
 *   certificate paths to the verify CApath without having to specify a
 *   default location.  The intent is that the distribution's configured
 *   location will be used.
 *
 * Return value: pointer to SSL_CTX or NULL for failure
 **/
SSL_CTX         *oh_ssl_ctx_init()
{
        SSL_CTX         *ctx;

        ctx = SSL_CTX_new(SSLv23_client_method());
        if (ctx == NULL) {
                err("SSL_CTX_new() failed");
                return(NULL);
        }

        SSL_CTX_set_options(ctx, SSL_OP_TLS_ROLLBACK_BUG | SSL_OP_ALL);

        if (! SSL_CTX_set_default_verify_paths(ctx)) {
                err("SSL_CTX_set_default_verify_paths() failed");
                return(NULL);
        }

        return(ctx);
}
Exemple #29
0
SSL*
imap_create_ssl(void)
{
  SSL *ssl;

  g_mutex_lock(&global_tls_lock);
  if(!global_ssl_context) {
    /* Initialize OpenSSL library, follow "Network Security with
       OpenSSL", ISBN 0-596-00270-X, guidelines. Example 4-2. */
    imaptls_thread_setup();
    SSL_library_init();
    SSL_load_error_strings();
#if 0
    global_ssl_context = SSL_CTX_new (TLSv1_client_method ());
#else
    /* Note: SSLv23_client_method() actually enables *all* protocols, including
     * SSLv(2|3) and TLSv1.(0|1|2), so we must switch all unsafe ones off */
    global_ssl_context = SSL_CTX_new (SSLv23_client_method ());
#ifdef ENABLE_SSL3
    SSL_CTX_set_options(global_ssl_context, SSL_OP_ALL|SSL_OP_NO_SSLv2);
#else
    SSL_CTX_set_options(global_ssl_context, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
#endif
#endif
    /* no client certificate password support yet
     * SSL_CTX_set_default_passwd_cb (ctx, ctx_password_cb);
     * SSL_CTX_set_default_passwd_cb_userdata (ctx, ctx_password_cb_arg); 
     */

    /* Load the trusted CAs here. We just trust the system CA for the
       moment but we could try to be compatible with libESMTP in this
       respect.
    */
   SSL_CTX_set_default_verify_paths (global_ssl_context);
  }
  g_mutex_unlock(&global_tls_lock);

  ssl = SSL_new(global_ssl_context);

  /* setup client certificates here */
  return ssl;
}
void PosixSslServerSocket::loadCertificates( const std::string & certificateFile,
                                             const std::string & keyFile ) {
    SSL_CTX * sslContext;
    int rc;

    sslContext = SSL_CTX_new(SSLv3_server_method());
    rc = SSL_CTX_load_verify_locations(sslContext,certificateFile.c_str(),keyFile.c_str());
    if( rc <= 0 )
        ERR_print_errors_fp(stdout);
    rc = SSL_CTX_set_default_verify_paths(sslContext);
    if( rc <= 0 )
        ERR_print_errors_fp(stdout);
    rc = SSL_CTX_use_certificate_file(sslContext,certificateFile.c_str(),SSL_FILETYPE_PEM);
    if( rc <= 0 )
        ERR_print_errors_fp(stdout);
    rc = SSL_CTX_use_PrivateKey_file(sslContext,keyFile.c_str(),SSL_FILETYPE_PEM);
    if( rc <= 0 )
        ERR_print_errors_fp(stdout);
    setSslContext(sslContext);
}