Exemple #1
0
void
lws_ssl_info_callback(const SSL *ssl, int where, int ret)
{
	struct lws *wsi;
	struct lws_context *context;
	struct lws_ssl_info si;

#ifndef USE_WOLFSSL
	context = (struct lws_context *)SSL_CTX_get_ex_data(
					SSL_get_SSL_CTX(ssl),
					openssl_SSL_CTX_private_data_index);
#else
	context = (struct lws_context *)SSL_CTX_get_ex_data(
					SSL_get_SSL_CTX((SSL*) ssl),
					openssl_SSL_CTX_private_data_index);
#endif
	if (!context)
		return;
	wsi = wsi_from_fd(context, SSL_get_fd(ssl));
	if (!wsi)
		return;

	if (!(where & wsi->vhost->tls.ssl_info_event_mask))
		return;

	si.where = where;
	si.ret = ret;

	if (user_callback_handle_rxflow(wsi->protocol->callback,
						   wsi, LWS_CALLBACK_SSL_INFO,
						   wsi->user_space, &si, 0))
		lws_set_timeout(wsi, PENDING_TIMEOUT_KILLED_BY_SSL_INFO, -1);
}
BOOL ssl_add_cert_auth_internal( int sslContextHandle, const char* certificate, 
	int cert_len, const char* szCertPwd )
{
    SSL *ssl = NULL;
    int ret = FALSE;
    
    if((sslContextHandle >= ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0))
    {
        goto error;
    }

    ssl = (SSL*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext;
    if (ssl == NULL)
    {
        goto error;
    }

    // SSL_CTX_load_verify_locations is defined to accept a filename, however since
    // we do not support a filesystem the low level OpenSSL file access routines
    // have been written to fake file support via directly reading from a binary blob
    ret = SSL_CTX_load_verify_locations( SSL_get_SSL_CTX(ssl), certificate, NULL );

error:
	return ret;
}
Exemple #3
0
/**
 * Call Lua user function to get the DH key.
 */
static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
{
  BIO *bio;
  lua_State *L;
  DH *dh_tmp = NULL;
  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
  L = (lua_State*)SSL_CTX_get_app_data(ctx);

  /* Get the callback */
  luaL_getmetatable(L, "SSL:DH:Registry");
  lua_pushlightuserdata(L, (void*)ctx);
  lua_gettable(L, -2);

  /* Invoke the callback */
  lua_pushnumber(L, is_export);
  lua_pushnumber(L, keylength);
  lua_call(L, 2, 1);

  /* Load parameters from returned value */
  if (lua_type(L, -1) != LUA_TSTRING) {
    lua_pop(L, 2);  /* Remove values from stack */
    return NULL;
  }
  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), 
    lua_rawlen(L, -1));
  if (bio) {
    dh_tmp = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
    BIO_free(bio);
  }
  lua_pop(L, 2);    /* Remove values from stack */
  return dh_tmp;
}
Exemple #4
0
/**
 * This callback implements the "continue on error" flag and log the errors.
 */
static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
  int err;
  int verify;
  SSL *ssl;
  SSL_CTX *ctx;
  p_context pctx;
  lua_State *L;

  /* Short-circuit optimization */
  if (preverify_ok)
    return 1;

  ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
    SSL_get_ex_data_X509_STORE_CTX_idx());
  ctx = SSL_get_SSL_CTX(ssl);
  pctx = (p_context)SSL_CTX_get_app_data(ctx);
  L = pctx->L;

  /* Get verify flags */
  luaL_getmetatable(L, "SSL:Verify:Registry");
  lua_pushlightuserdata(L, (void*)ctx);
  lua_gettable(L, -2);
  verify = (int)lua_tonumber(L, -1);

  lua_pop(L, 2); /* Remove values from stack */

  err = X509_STORE_CTX_get_error(x509_ctx);
  if (err != X509_V_OK)
    add_cert_error(L, ssl, err, X509_STORE_CTX_get_error_depth(x509_ctx));

  return (verify & LSEC_VERIFY_CONTINUE ? 1 : preverify_ok);
}
Exemple #5
0
static int tlsext_servername_callback(SSL *ssl, int *ad, void *arg)
{
  SSL_CTX *newctx = NULL;
  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
  lua_State *L = SSL_CTX_get_app_data(ctx);
  const char *name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);

  /* No name, use default context */
  if (!name)
    return SSL_TLSEXT_ERR_NOACK;

  /* Search for the name in the map */
  openssl_getvalue(L, ctx, "tlsext_servername");
  if (lua_istable(L, -1))
  {
    lua_getfield(L, -1, name);
    if (auxiliar_isclass(L, "openssl.ssl_ctx", -1))
    {
      newctx = CHECK_OBJECT(-1, SSL_CTX, "openssl.ssl_ctx");
      SSL_set_SSL_CTX(ssl, newctx);
      lua_pop(L, 2);
      return SSL_TLSEXT_ERR_OK;
    }
  }
  else if (lua_isfunction(L, -1))
  {
  }
  else
  {
  }

  lua_pop(L, 1);
  return SSL_TLSEXT_ERR_ALERT_FATAL;
}
Exemple #6
0
static int ticket_cb(SSL *con, unsigned char name[], unsigned char iv[],
		          EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int create)
{
    static const EVP_MD *sha256;
    static const EVP_CIPHER *aes128;
    TLS_TICKET_KEY *key;
    TLS_SESS_STATE *TLScontext = SSL_get_ex_data(con, TLScontext_index);
    int     timeout = ((int) SSL_CTX_get_timeout(SSL_get_SSL_CTX(con))) / 2;

    if ((!sha256 && (sha256 = EVP_sha256()) == 0)
	|| (!aes128 && (aes128 = EVP_aes_128_cbc()) == 0)
	|| (key = tls_mgr_key(create ? 0 : name, timeout)) == 0
	|| (create && RAND_bytes(iv, TLS_TICKET_IVLEN) <= 0))
	return (create ? TLS_TKT_NOKEYS : TLS_TKT_STALE);

    HMAC_Init_ex(hctx, key->hmac, TLS_TICKET_MACLEN, sha256, NOENGINE);

    if (create) {
	EVP_EncryptInit_ex(ctx, aes128, NOENGINE, key->bits, iv);
	memcpy((char *) name, (char *) key->name, TLS_TICKET_NAMELEN);
	if (TLScontext->log_mask & TLS_LOG_CACHE)
	    msg_info("%s: Issuing session ticket, key expiration: %ld",
		     TLScontext->namaddr, (long) key->tout);
    } else {
	EVP_DecryptInit_ex(ctx, aes128, NOENGINE, key->bits, iv);
	if (TLScontext->log_mask & TLS_LOG_CACHE)
	    msg_info("%s: Decrypting session ticket, key expiration: %ld",
		     TLScontext->namaddr, (long) key->tout);
    }
    TLScontext->ticketed = 1;
    return (TLS_TKT_ACCEPT);
}
Exemple #7
0
int verify_cb(int ok, X509_STORE_CTX* store) {
	SSL* ssl = (SSL *)X509_STORE_CTX_get_app_data(store);
	SSL_CTX* ssl_ctx = ssl_ctx = SSL_get_SSL_CTX(ssl);
	void* p = SSL_CTX_get_ex_data(ssl_ctx, get_ssl_ctx_idx());
	// get the pointer to the go Ctx object and pass it back into the thunk
	return verify_cb_thunk(p, ok, store);
}
static int certVerifyCallback(int ok, X509_STORE_CTX* ctx)
{
    // whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0)

    unsigned err = X509_STORE_CTX_get_error(ctx);
    if (!err)
        return 1;

    SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
    SSL_CTX* sslctx = SSL_get_SSL_CTX(ssl);
    ResourceHandle* job = reinterpret_cast<ResourceHandle*>(SSL_CTX_get_app_data(sslctx));
    String host = job->firstRequest().url().host();
    ResourceHandleInternal* d = job->getInternal();

    d->m_sslErrors = sslCertificateFlag(err);

#if PLATFORM(WIN)
    HashMap<String, ListHashSet<String>>::iterator it = allowedHosts.find(host);
    ok = (it != allowedHosts.end());
#else
    ListHashSet<String> certificates;
    if (!pemData(ctx, certificates))
        return 0;
    ok = sslIgnoreHTTPSCertificate(host.lower(), certificates);
#endif

    if (ok) {
        // if the host and the certificate are stored for the current handle that means is enabled,
        // so don't need to curl verifies the authenticity of the peer's certificate
        curl_easy_setopt(d->m_handle, CURLOPT_SSL_VERIFYPEER, false);
    }
    return ok;
}
Exemple #9
0
lws_tls_ctx *
lws_tls_ctx_from_wsi(struct lws *wsi)
{
	if (!wsi->tls.ssl)
		return NULL;

	return SSL_get_SSL_CTX(wsi->tls.ssl);
}
Exemple #10
0
int _qvd_verify_cert_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
  
  SSL    *ssl;
  SSL_CTX *sslctx;
  qvdclient *qvd ;

  ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
  sslctx = SSL_get_SSL_CTX(ssl);
  qvd = SSL_CTX_get_ex_data(sslctx, _qvd_ssl_index); 
 
  X509 *cert = X509_STORE_CTX_get_current_cert(x509_ctx);
  int depth = X509_STORE_CTX_get_error_depth(x509_ctx);
  int err = X509_STORE_CTX_get_error(x509_ctx);

  /* save the certificate by incrementing the reference count and
   * keeping a pointer */
  if (depth < MAX_CERTS && !certificate[depth]) {
    certificate[depth] = cert;
    certificate_error[depth] = err;
    cert->references++;
  }

  /* See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html# */
  if (preverify_ok)
    {
      qvd_printf("_qvd_verify_cert_callback: Certificate was validated\n");
      return preverify_ok;
    }
  if (qvd->ssl_verify_callback == NULL)
    {
      qvd_printf("_qvd_verify_cert_callback: No callback specified returning false (specify if you wissh callbacks for unknown certs with qvd_set_unknown_cert_callback)\n");
      return 0;
    }

  BIO *bio_out = BIO_new(BIO_s_mem());
  BUF_MEM *biomem;
  int result;
  PEM_write_bio_X509(bio_out, certificate[depth]);
  BIO_get_mem_ptr(bio_out, &biomem);
  char cert_info[1024];
  char issuer[256], subject[256];
  X509_NAME_oneline(X509_get_issuer_name(certificate[depth]), issuer, 256);
  X509_NAME_oneline(X509_get_subject_name(certificate[depth]), subject, 256);

  snprintf(cert_info, 1023, "Serial: %lu\n\nIssuer: %s\n\nValidity:\n\tNot before: %s\n\tNot after: %s\n\nSubject: %s\n",
	   ASN1_INTEGER_get(X509_get_serialNumber(certificate[depth])), issuer, 
	   X509_get_notBefore(certificate[depth])->data, X509_get_notAfter(cert)->data, subject);
  cert_info[1023] = '\0';
  result = qvd->ssl_verify_callback(qvd, cert_info, biomem->data);
  if (result)
    {
      _qvd_save_certificate(qvd, certificate[depth], depth, biomem);
    }

  BIO_free(bio_out);
  return result;
}
Exemple #11
0
static int
lws_ssl_server_name_cb(SSL *ssl, int *ad, void *arg)
{
	struct lws_context *context;
	struct lws_vhost *vhost, *vh;
	const char *servername;
	int port;

	if (!ssl)
		return SSL_TLSEXT_ERR_NOACK;

	context = (struct lws_context *)SSL_CTX_get_ex_data(
					SSL_get_SSL_CTX(ssl),
					openssl_SSL_CTX_private_data_index);

	/*
	 * We can only get ssl accepted connections by using a vhost's ssl_ctx
	 * find out which listening one took us and only match vhosts on the
	 * same port.
	 */
	vh = context->vhost_list;
	while (vh) {
		if (!vh->being_destroyed && vh->ssl_ctx == SSL_get_SSL_CTX(ssl))
			break;
		vh = vh->vhost_next;
	}

	assert(vh); /* we cannot get an ssl without using a vhost ssl_ctx */
	port = vh->listen_port;

	servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);

	if (servername) {
		vhost = lws_select_vhost(context, port, servername);
		if (vhost) {
			lwsl_debug("SNI: Found: %s (port %d)\n",
				   servername, port);
			SSL_set_SSL_CTX(ssl, vhost->ssl_ctx);
			return SSL_TLSEXT_ERR_OK;
		}
		lwsl_err("SNI: Unknown ServerName: %s\n", servername);
	}

	return SSL_TLSEXT_ERR_OK;
}
Exemple #12
0
Fichier : io.c Projet : mbeck-/fdm
/* Close io sockets. */
void
io_close(struct io *io)
{
    if (io->ssl != NULL) {
        SSL_CTX_free(SSL_get_SSL_CTX(io->ssl));
        SSL_free(io->ssl);
    }
    close(io->fd);
}
Exemple #13
0
/* {{{ data_close
 */
databuf_t*
data_close(ftpbuf_t *ftp, databuf_t *data)
{
#if HAVE_OPENSSL_EXT
	SSL_CTX		*ctx;
#endif				
	if (data == NULL) {
		return NULL;
	}
	if (data->listener != -1) {
#if HAVE_OPENSSL_EXT
		if (data->ssl_active) {
		
			ctx = SSL_get_SSL_CTX(data->ssl_handle);
			SSL_CTX_free(ctx);

			SSL_shutdown(data->ssl_handle);
			SSL_free(data->ssl_handle);
			data->ssl_active = 0;
		}
#endif				
		closesocket(data->listener);
	}	
	if (data->fd != -1) {
#if HAVE_OPENSSL_EXT
		if (data->ssl_active) {
			ctx = SSL_get_SSL_CTX(data->ssl_handle);
			SSL_CTX_free(ctx);

			SSL_shutdown(data->ssl_handle);
			SSL_free(data->ssl_handle);
			data->ssl_active = 0;
		}
#endif				
		closesocket(data->fd);
	}	
	if (ftp) {
		ftp->data = NULL;
	}
	efree(data);
	return NULL;
}
Exemple #14
0
static int openssl_ssl_getpeerverification(lua_State *L)
{
  long err;
  SSL* ssl = CHECK_OBJECT(1, SSL, "openssl.ssl");
  SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);

  err = SSL_get_verify_result(ssl);
  lua_pushboolean(L, err == X509_V_OK);
  openssl_getvalue(L, ssl, "verify_cert");
  return 2;
}
int SSLSessionCacheManager::newSessionCallback(SSL* ssl, SSL_SESSION* session) {
    SSLSessionCacheManager* manager = nullptr;
    SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
    manager = (SSLSessionCacheManager *)SSL_CTX_get_ex_data(ctx, sExDataIndex_);

    if (manager == nullptr) {
        LOG(FATAL) << "Null SSLSessionCacheManager in callback";
        return -1;
    }
    return manager->newSession(ssl, session);
}
int
TLSTicketKeyManager::callback(SSL* ssl, unsigned char* keyName,
                              unsigned char* iv,
                              EVP_CIPHER_CTX* cipherCtx,
                              HMAC_CTX* hmacCtx, int encrypt) {
  TLSTicketKeyManager* manager = nullptr;
  SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
  manager = (TLSTicketKeyManager *)SSL_CTX_get_ex_data(ctx, sExDataIndex_);

  if (manager == nullptr) {
    LOG(FATAL) << "Null TLSTicketKeyManager in callback" ;
  }
  return manager->processTicket(ssl, keyName, iv, cipherCtx, hmacCtx, encrypt);
}
SSL_SESSION* SSLSessionCacheManager::getSessionCallback(SSL* ssl,
        unsigned char* sess_id,
        int id_len,
        int* copyflag) {
    SSLSessionCacheManager* manager = nullptr;
    SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
    manager = (SSLSessionCacheManager *)SSL_CTX_get_ex_data(ctx, sExDataIndex_);

    if (manager == nullptr) {
        LOG(FATAL) << "Null SSLSessionCacheManager in callback";
        return nullptr;
    }
    return manager->getSession(ssl, sess_id, id_len, copyflag);
}
Exemple #18
0
static int
lws_ssl_server_name_cb(SSL *ssl, int *ad, void *arg)
{
	struct lws_context *context = (struct lws_context *)arg;
	struct lws_vhost *vhost, *vh;
	const char *servername;

	if (!ssl)
		return SSL_TLSEXT_ERR_NOACK;

	/*
	 * We can only get ssl accepted connections by using a vhost's ssl_ctx
	 * find out which listening one took us and only match vhosts on the
	 * same port.
	 */
	vh = context->vhost_list;
	while (vh) {
		if (!vh->being_destroyed &&
		    vh->tls.ssl_ctx == SSL_get_SSL_CTX(ssl))
			break;
		vh = vh->vhost_next;
	}

	if (!vh) {
		assert(vh); /* can't match the incoming vh? */
		return SSL_TLSEXT_ERR_OK;
	}

	servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
	if (!servername) {
		/* the client doesn't know what hostname it wants */
		lwsl_info("SNI: Unknown ServerName: %s\n", servername);

		return SSL_TLSEXT_ERR_OK;
	}

	vhost = lws_select_vhost(context, vh->listen_port, servername);
	if (!vhost) {
		lwsl_info("SNI: none: %s:%d\n", servername, vh->listen_port);

		return SSL_TLSEXT_ERR_OK;
	}

	lwsl_info("SNI: Found: %s:%d\n", servername, vh->listen_port);

	/* select the ssl ctx from the selected vhost for this conn */
	SSL_set_SSL_CTX(ssl, vhost->tls.ssl_ctx);

	return SSL_TLSEXT_ERR_OK;
}
Exemple #19
0
		bool SSLSocket::verifyKeyprint(const string& expKP, bool allowUntrusted) noexcept
		{
			if (!ssl)
				return true;
				
			if (expKP.empty() || expKP.find("/") == string::npos)
				return allowUntrusted;
				
			verifyData.reset(new CryptoManager::SSLVerifyData(allowUntrusted, expKP));
			SSL_set_ex_data(ssl, CryptoManager::idxVerifyData, verifyData.get());
			
			SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
			X509_STORE* store = X509_STORE_new();
			bool result = false;
			int err = SSL_get_verify_result(ssl);
			if (ssl_ctx && store)
			{
				X509_STORE_CTX* vrfy_ctx = X509_STORE_CTX_new();
				X509* cert = SSL_get_peer_certificate(ssl);
				
				if (vrfy_ctx && cert && X509_STORE_CTX_init(vrfy_ctx, store, cert, SSL_get_peer_cert_chain(ssl)))
				{
					X509_STORE_CTX_set_ex_data(vrfy_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), ssl);
					X509_STORE_CTX_set_verify_cb(vrfy_ctx, SSL_CTX_get_verify_callback(ssl_ctx));
					
					int verify_result = 0;
					if ((verify_result = X509_verify_cert(vrfy_ctx)) >= 0)
					{
						err = X509_STORE_CTX_get_error(vrfy_ctx);
						
						// Watch out for weird library errors that might not set the context error code
						if (err == X509_V_OK && verify_result <= 0)
							err = X509_V_ERR_UNSPECIFIED;
							
						// This is for people who don't restart their clients and have low expiration time on their cert
						result = (err == X509_V_OK || err == X509_V_ERR_CERT_HAS_EXPIRED) || (allowUntrusted && err != X509_V_ERR_APPLICATION_VERIFICATION);
					}
				}
				
				if (cert) X509_free(cert);
				if (vrfy_ctx) X509_STORE_CTX_free(vrfy_ctx);
				if (store) X509_STORE_free(store);
			}
			
			// KeyPrint is a strong indicator of trust
			SSL_set_verify_result(ssl, err);
			
			return result;
		}
Exemple #20
0
extern "C" int32_t CryptoNative_SslAddExtraChainCert(SSL* ssl, X509* x509)
{
    if (!x509 || !ssl)
    {
        return 0;
    }

    SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
    if (SSL_CTX_add_extra_chain_cert(ssl_ctx, x509) == 1)
    {
        return 1;
    }

    return 0;
}
Exemple #21
0
static int openssl_ssl_ctx(lua_State*L)
{
  SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
  if (lua_isnoneornil(L, 2))
  {
    SSL_CTX *ctx = SSL_get_SSL_CTX(s);
    openssl_refrence(L, ctx, +1);
    PUSH_OBJECT(ctx, "openssl.ssl_ctx");
  }
  else
  {
    SSL_CTX *ctx = CHECK_OBJECT(2, SSL_CTX, "openssl.ssl_ctx");
    ctx = SSL_set_SSL_CTX(s, ctx);
    PUSH_OBJECT(ctx, "openssl.ssl_ctx");
  }
  return 1;
}
void ssl_clear_cert_auth_internal( int sslContextHandle )
{
    SSL *ssl = NULL;
    
    if((sslContextHandle >= ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0))
    {
        return;
    }

    ssl = (SSL*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext;
    if (ssl == NULL)
    {
        return;
    }

    // Set a NULL cert store, SSL_CTX_set_cert_store will free the existing cert store
    SSL_CTX_set_cert_store( SSL_get_SSL_CTX(ssl), NULL );
}
Exemple #23
0
static int
lws_mbedtls_sni_cb(void *arg, mbedtls_ssl_context *mbedtls_ctx,
		   const unsigned char *servername, size_t len)
{
	SSL *ssl = SSL_SSL_from_mbedtls_ssl_context(mbedtls_ctx);
	struct lws_context *context = (struct lws_context *)arg;
	struct lws_vhost *vhost, *vh;

	lwsl_notice("%s: %s\n", __func__, servername);

	/*
	 * We can only get ssl accepted connections by using a vhost's ssl_ctx
	 * find out which listening one took us and only match vhosts on the
	 * same port.
	 */
	vh = context->vhost_list;
	while (vh) {
		if (!vh->being_destroyed &&
		    vh->ssl_ctx == SSL_get_SSL_CTX(ssl))
			break;
		vh = vh->vhost_next;
	}

	if (!vh) {
		assert(vh); /* can't match the incoming vh? */
		return 0;
	}

	vhost = lws_select_vhost(context, vh->listen_port,
				 (const char *)servername);
	if (!vhost) {
		lwsl_info("SNI: none: %s:%d\n", servername, vh->listen_port);

		return 0;
	}

	lwsl_info("SNI: Found: %s:%d at vhost '%s'\n", servername,
					vh->listen_port, vhost->name);

	/* select the ssl ctx from the selected vhost for this conn */
	SSL_set_SSL_CTX(ssl, vhost->ssl_ctx);

	return 0;
}
Exemple #24
0
/**
 * Call Lua user function to get the DH key.
 */
static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
{
  BIO *bio;
  lua_State *L;
  DH *dh_tmp = NULL;
  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);

  L = pctx->L;

  /* Get the callback */
  luaL_getmetatable(L, "SSL:DH:Registry");
  lua_pushlightuserdata(L, (void*)ctx);
  lua_gettable(L, -2);

  /* Invoke the callback */
  lua_pushboolean(L, is_export);
  lua_pushnumber(L, keylength);
  lua_call(L, 2, 1);

  /* Load parameters from returned value */
  if (lua_type(L, -1) != LUA_TSTRING) {
    lua_pop(L, 2);  /* Remove values from stack */
    return NULL;
  }
  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), 
    lua_rawlen(L, -1));
  if (bio) {
    dh_tmp = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
    BIO_free(bio);
  }

  /*
   * OpenSSL exepcts the callback to maintain a reference to the DH*.  So,
   * cache it here, and clean up the previous set of parameters.  Any remaining
   * set is cleaned up when destroying the LuaSec context.
   */
  if (pctx->dh_param)
    DH_free(pctx->dh_param);
  pctx->dh_param = dh_tmp;

  lua_pop(L, 2);    /* Remove values from stack */
  return dh_tmp;
}
Exemple #25
0
BOOL tls_send_alert(rdpTls* tls)
{
	if (!tls)
		return FALSE;

	if (!tls->ssl)
		return TRUE;

/**
 * FIXME: The following code does not work on OpenSSL > 1.1.0 because the
 *        SSL struct is opaqe now
 */

#if OPENSSL_VERSION_NUMBER < 0x10100000L
	if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY)
	{
		/**
		 * OpenSSL doesn't really expose an API for sending a TLS alert manually.
		 *
		 * The following code disables the sending of the default "close notify"
		 * and then proceeds to force sending a custom TLS alert before shutting down.
		 *
		 * Manually sending a TLS alert is necessary in certain cases,
		 * like when server-side NLA results in an authentication failure.
		 */
		SSL_SESSION* ssl_session = SSL_get_session(tls->ssl);
		SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(tls->ssl);

		SSL_set_quiet_shutdown(tls->ssl, 1);

		if ((tls->alertLevel == TLS_ALERT_LEVEL_FATAL) && (ssl_session))
			SSL_CTX_remove_session(ssl_ctx, ssl_session);

		tls->ssl->s3->alert_dispatch = 1;
		tls->ssl->s3->send_alert[0] = tls->alertLevel;
		tls->ssl->s3->send_alert[1] = tls->alertDescription;

		if (tls->ssl->s3->wbuf.left == 0)
			tls->ssl->method->ssl_dispatch_alert(tls->ssl);
	}
#endif

	return TRUE;
}
Exemple #26
0
NOEXPORT SSL_SESSION *cache_get(SSL *ssl,
        const unsigned char *key, int key_len) {
    unsigned char *val, *val_tmp=NULL;
    ssize_t val_len=0;
    SSL_SESSION *sess;

    cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_GET, 0,
        key, (size_t)key_len, NULL, 0, &val, (size_t *)&val_len);
    if(!val)
        return NULL;
    val_tmp=val;
    sess=d2i_SSL_SESSION(NULL,
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
        (const unsigned char **)
#endif /* OpenSSL version >= 0.8.0 */
        &val_tmp, (long)val_len);
    str_free(val);
    return sess;
}
Exemple #27
0
NOEXPORT SSL_SESSION *sess_get_cb(SSL *ssl,
        unsigned char *key, int key_len, int *do_copy) {
    unsigned char *val, *val_tmp=NULL;
    ssize_t val_len=0;
    SSL_SESSION *sess;

    *do_copy = 0; /* allow the session to be freed autmatically */
    cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_GET, 0,
        key, (size_t)key_len, NULL, 0, &val, (size_t *)&val_len);
    if(!val)
        return NULL;
    val_tmp=val;
    sess=d2i_SSL_SESSION(NULL,
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
        (const unsigned char **)
#endif /* OpenSSL version >= 0.8.0 */
        &val_tmp, val_len);
    str_free(val);
    return sess;
}
Exemple #28
0
static int BSslCertVerifyCB(int iOK, X509_STORE_CTX *pXsCtx)
{
	int iError, iDepth;
	SSL *pSSL;
	SSL_CTX *pSCtx;
	SslServerBind const *pSSLB;
	X509 *pCert;

	iError = X509_STORE_CTX_get_error(pXsCtx);
	iDepth = X509_STORE_CTX_get_error_depth(pXsCtx);
	if ((pSSL = (SSL *)
	     X509_STORE_CTX_get_ex_data(pXsCtx, SSL_get_ex_data_X509_STORE_CTX_idx())) == NULL)
		return iOK;
	pSCtx = SSL_get_SSL_CTX(pSSL);
	pSSLB = (SslServerBind const *) SSL_CTX_get_app_data(pSCtx);
	pCert = X509_STORE_CTX_get_current_cert(pXsCtx);

#ifdef DEBUG_OSSL
	char *pszVal;

	pszVal = X509_NAME_oneline(X509_get_issuer_name(pCert), 0, 0);
	SysLogMessage(LOG_LEV_MESSAGE, "CERT Issuer: %s\n", pszVal);
	OPENSSL_free(pszVal);

	pszVal = X509_NAME_oneline(X509_get_subject_name(pCert), 0, 0);
	SysLogMessage(LOG_LEV_MESSAGE, "CERT Subject: %s\n", pszVal);
	OPENSSL_free(pszVal);
#endif

	if (!iOK) {
		SysLogMessage(LOG_LEV_MESSAGE, "CERT verify error: depth = %d error = '%s'\n",
			      iDepth, X509_verify_cert_error_string(iError));
		if (iError == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT &&
		    pSSLB->ulFlags & BSSLF_ALLOW_SEFLSIGNED) {
			SysLogMessage(LOG_LEV_MESSAGE, "Self signed CERT allowed (override)\n");
			iOK = 1;
		}
	}

	return iOK;
}
Exemple #29
0
static int meth_sni(lua_State *L)
{
  int strict;
  SSL_CTX *aux;
  const char *name;
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl->ssl);
  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
  if (pctx->mode == LSEC_MODE_CLIENT) {
    name = luaL_checkstring(L, 2);
    SSL_set_tlsext_host_name(ssl->ssl, name);
    return 0;
  } else if (pctx->mode == LSEC_MODE_SERVER) {
    luaL_checktype(L, 2, LUA_TTABLE);
    strict = lua_toboolean(L, 3);
    /* Check if the table contains only (string -> context) */
    lua_pushnil(L);
    while (lua_next(L, 2)) {
      luaL_checkstring(L, -2);
      aux = lsec_checkcontext(L, -1);
      /* Set callback in every context */
      SSL_CTX_set_tlsext_servername_callback(aux, sni_cb);
      /* leave the next key on the stack */
      lua_pop(L, 1);
    }
    /* Save table in the register */
    luaL_getmetatable(L, "SSL:SNI:Registry");
    lua_pushlightuserdata(L, (void*)ssl->ssl);
    lua_newtable(L);
    lua_pushstring(L, "map");
    lua_pushvalue(L, 2);
    lua_settable(L, -3);
    lua_pushstring(L, "strict");
    lua_pushboolean(L, strict);
    lua_settable(L, -3);
    lua_settable(L, -3);
    /* Set callback in the default context */
    SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
  }
  return 0;
}
Exemple #30
0
NOEXPORT void cache_new(SSL *ssl, SSL_SESSION *sess) {
    unsigned char *val, *val_tmp;
    ssize_t val_len;
    const unsigned char *session_id;
    unsigned int session_id_length;

    val_len=i2d_SSL_SESSION(sess, NULL);
    val_tmp=val=str_alloc((size_t)val_len);
    i2d_SSL_SESSION(sess, &val_tmp);

#if OPENSSL_VERSION_NUMBER>=0x0090800fL
    session_id=SSL_SESSION_get_id(sess, &session_id_length);
#else
    session_id=(const unsigned char *)sess->session_id;
    session_id_length=sess->session_id_length;
#endif
    cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_NEW,
        SSL_SESSION_get_timeout(sess),
        session_id, session_id_length, val, (size_t)val_len, NULL, NULL);
    str_free(val);
}