static int get_desc(str* res, sip_msg_t* msg) { static char buf[128]; struct tcp_connection* c; SSL* ssl; c = get_cur_connection(msg); if (!c) { INFO("TLS connection not found in select_desc\n"); goto err; } ssl = get_ssl(c); if (!ssl) goto err; buf[0] = '\0'; SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, 128); res->s = buf; res->len = strlen(buf); tcpconn_put(c); return 0; err: if (c) tcpconn_put(c); return -1; }
static const char * openssl_iostream_get_security_string(struct ssl_iostream *ssl_io) { const SSL_CIPHER *cipher; #ifdef HAVE_SSL_COMPRESSION const COMP_METHOD *comp; #endif const char *comp_str; int bits, alg_bits; if (!ssl_io->handshaked) return ""; cipher = SSL_get_current_cipher(ssl_io->ssl); bits = SSL_CIPHER_get_bits(cipher, &alg_bits); #ifdef HAVE_SSL_COMPRESSION comp = SSL_get_current_compression(ssl_io->ssl); comp_str = comp == NULL ? "" : t_strconcat(" ", SSL_COMP_get_name(comp), NULL); #else comp_str = ""; #endif return t_strdup_printf("%s with cipher %s (%d/%d bits)%s", SSL_get_version(ssl_io->ssl), SSL_CIPHER_get_name(cipher), bits, alg_bits, comp_str); }
int tlsops_cipher(struct sip_msg *msg, pv_param_t *param, pv_value_t *res) { str cipher; static char buf[1024]; struct tcp_connection* c; SSL* ssl; c = get_cur_connection(msg); if (!c) { LM_INFO("TLS connection not found in select_cipher\n"); goto err; } ssl = get_ssl(c); if (!ssl) goto err; cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)); cipher.len = cipher.s ? strlen(cipher.s) : 0; if (cipher.len >= 1024) { LM_ERR("cipher name too long\n"); goto err; } memcpy(buf, cipher.s, cipher.len); res->rs.s = buf; res->rs.len = cipher.len; res->flags = PV_VAL_STR; tcpconn_put(c); return 0; err: if (c) tcpconn_put(c); return pv_get_null(msg, param, res); }
size_t DTLS_get_data_mtu(const SSL *s) { size_t mac_overhead, int_overhead, blocksize, ext_overhead; const SSL_CIPHER *ciph = SSL_get_current_cipher(s); size_t mtu = s->d1->mtu; if (ciph == NULL) return 0; if (!ssl_cipher_get_overhead(ciph, &mac_overhead, &int_overhead, &blocksize, &ext_overhead)) return 0; if (SSL_USE_ETM(s)) ext_overhead += mac_overhead; else int_overhead += mac_overhead; /* Subtract external overhead (e.g. IV/nonce, separate MAC) */ if (ext_overhead + DTLS1_RT_HEADER_LENGTH >= mtu) return 0; mtu -= ext_overhead + DTLS1_RT_HEADER_LENGTH; /* Round encrypted payload down to cipher block size (for CBC etc.) * No check for overflow since 'mtu % blocksize' cannot exceed mtu. */ if (blocksize) mtu -= (mtu % blocksize); /* Subtract internal overhead (e.g. CBC padding len byte) */ if (int_overhead >= mtu) return 0; mtu -= int_overhead; return mtu; }
int tlsops_desc(struct sip_msg *msg, pv_param_t *param, pv_value_t *res) { static char buf[128]; struct tcp_connection* c; SSL* ssl; c = get_cur_connection(msg); if (!c) { LM_INFO("TLS connection not found in select_desc\n"); goto err; } ssl = get_ssl(c); if (!ssl) goto err; buf[0] = '\0'; SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, 128); res->rs.s = buf; res->rs.len = strlen(buf); res->flags = PV_VAL_STR; tcpconn_put(c); return 0; err: if (c) tcpconn_put(c); return pv_get_null(msg, param, res); }
static int get_cipher(str* res, sip_msg_t* msg) { str cipher; static char buf[1024]; struct tcp_connection* c; SSL* ssl; c = get_cur_connection(msg); if (!c) { INFO("TLS connection not found in select_cipher\n"); goto err; } ssl = get_ssl(c); if (!ssl) goto err; cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)); cipher.len = cipher.s ? strlen(cipher.s) : 0; if (cipher.len >= 1024) { ERR("Cipher name too long\n"); goto err; } memcpy(buf, cipher.s, cipher.len); res->s = buf; res->len = cipher.len; tcpconn_put(c); return 0; err: if (c) tcpconn_put(c); return -1; }
static int get_bits(str* res, int* i, sip_msg_t* msg) { str bits; int b; static char buf[1024]; struct tcp_connection* c; SSL* ssl; c = get_cur_connection(msg); if (!c) { INFO("TLS connection not found in select_bits\n"); goto err; } ssl = get_ssl(c); if (!ssl) goto err; b = SSL_CIPHER_get_bits(SSL_get_current_cipher(ssl), 0); bits.s = int2str(b, &bits.len); if (bits.len >= 1024) { ERR("Bits string too long\n"); goto err; } memcpy(buf, bits.s, bits.len); res->s = buf; res->len = bits.len; if (i) *i = b; tcpconn_put(c); return 0; err: if (c) tcpconn_put(c); return -1; }
static int ssl_socket_open (CONNECTION * conn) { sslsockdata *data; int maxbits; if (raw_socket_open (conn) < 0) return -1; data = (sslsockdata *) safe_calloc (1, sizeof (sslsockdata)); conn->sockdata = data; data->ctx = SSL_CTX_new (SSLv23_client_method ()); /* disable SSL protocols as needed */ if (!option(OPTTLSV1)) { SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1); } /* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such * as Fedora 17 are on OpenSSL 1.0.0. */ #ifdef SSL_OP_NO_TLSv1_1 if (!option(OPTTLSV1_1)) { SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1); } #endif #ifdef SSL_OP_NO_TLSv1_2 if (!option(OPTTLSV1_2)) { SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2); } #endif if (!option(OPTSSLV2)) { SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2); } if (!option(OPTSSLV3)) { SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv3); } ssl_get_client_cert(data, conn); data->ssl = SSL_new (data->ctx); SSL_set_fd (data->ssl, conn->fd); if (ssl_negotiate(conn, data)) { mutt_socket_close (conn); return -1; } data->isopen = 1; conn->ssf = SSL_CIPHER_get_bits (SSL_get_current_cipher (data->ssl), &maxbits); return 0; }
bool ConnSSL_GetCipherInfo(CONNECTION *c, char *buf, size_t len) { #ifdef HAVE_LIBSSL char *nl; SSL *ssl = c->ssl_state.ssl; if (!ssl) return false; *buf = 0; SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, len); nl = strchr(buf, '\n'); if (nl) *nl = 0; return true; #endif #ifdef HAVE_LIBGNUTLS if (Conn_OPTION_ISSET(c, CONN_SSL)) { const char *name_cipher, *name_mac, *name_proto, *name_keyexchange; unsigned keysize; gnutls_session_t sess = c->ssl_state.gnutls_session; gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(sess); name_cipher = gnutls_cipher_get_name(cipher); name_mac = gnutls_mac_get_name(gnutls_mac_get(sess)); keysize = gnutls_cipher_get_key_size(cipher) * 8; name_proto = gnutls_protocol_get_name(gnutls_protocol_get_version(sess)); name_keyexchange = gnutls_kx_get_name(gnutls_kx_get(sess)); return snprintf(buf, len, "%s-%s%15s Kx=%s Enc=%s(%u) Mac=%s", name_cipher, name_mac, name_proto, name_keyexchange, name_cipher, keysize, name_mac) > 0; } return false; #endif }
static void print_ciphersuite_data(BIO *io, SSL *ssl, int js) { SSL_SESSION* session = SSL_get_session(ssl); long protocol = SSL_version(ssl); const char *protocol_name = get_protocol_name(protocol); const char *eol = js ? "\\n\\\n" : "\n"; if(BIO_printf(io, "Version: 0x%lx %s%s", protocol, protocol_name, eol) <= 0) err_exit("Write error"); if(BIO_printf(io, "Current cipher: %s%s", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)), eol) <= 0) err_exit("Write error"); STACK_OF(SSL_CIPHER) *ciphers = session->ciphers; SSL_CIPHER *c; int n = sk_SSL_CIPHER_num(ciphers); if(BIO_printf(io, "client sent %d ciphers%s", n, eol) <= 0) err_exit("Write error"); int i; for (i = 0; i < n; i++) { c = sk_SSL_CIPHER_value(ciphers, i); if(BIO_printf(io, "client [%2d of %2d]: %s%s", i, n, SSL_CIPHER_get_name(c), eol) <= 0) err_exit("Write error"); } }
static int openssl_ssl_current_cipher(lua_State *L) { SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl"); const SSL_CIPHER* c = SSL_get_current_cipher(s); if (c) { int bits, algbits; char err[LUAL_BUFFERSIZE] = {0};; lua_newtable(L); AUXILIAR_SET(L, -1, "name", SSL_CIPHER_get_name(c), string); AUXILIAR_SET(L, -1, "version", SSL_CIPHER_get_version(c), string); #if OPENSSL_VERSION_NUMBER > 0x10000000L AUXILIAR_SET(L, -1, "id", SSL_CIPHER_get_id(c), integer); #endif bits = SSL_CIPHER_get_bits(c, &algbits); AUXILIAR_SET(L, -1, "bits", bits, integer); AUXILIAR_SET(L, -1, "algbits", algbits, integer); AUXILIAR_SET(L, -1, "description", SSL_CIPHER_description((SSL_CIPHER*)c, err, sizeof(err)), string); return 1; } return 0; }
static int tlso_session_strength( tls_session *sess ) { tlso_session *s = (tlso_session *)sess; return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL); }
const char *OpenSSLQueryCipher(STREAM *S) { void *ptr; if (! S) return(NULL); ptr=STREAMGetItem(S,"LIBUSEFUL-SSL-CTX"); if (! ptr) return(NULL); #ifdef HAVE_LIBSSL const SSL_CIPHER *Cipher; char *Tempstr=NULL; Cipher=SSL_get_current_cipher((const SSL *) ptr); if (Cipher) { Tempstr=FormatStr(Tempstr,"%d bit %s",SSL_CIPHER_get_bits(Cipher,NULL), SSL_CIPHER_get_name(Cipher)); STREAMSetValue(S,"SSL-Cipher",Tempstr); Tempstr=SetStrLen(Tempstr,1024); Tempstr=SSL_CIPHER_description(Cipher, Tempstr, 1024); STREAMSetValue(S,"SSL-Cipher-Details",Tempstr); } DestroyString(Tempstr); return(STREAMGetValue(S,"SSL-Cipher")); #else return(NULL); #endif }
int pn_ssl_get_ssf(pn_ssl_t *ssl0) { const SSL_CIPHER *c; pni_ssl_t *ssl = get_ssl_internal(ssl0); if (ssl && ssl->ssl && (c = SSL_get_current_cipher( ssl->ssl ))) { return SSL_CIPHER_get_bits(c, NULL); } return 0; }
static void set_cipher_info(TLS_REC *tls, SSL *ssl) { g_return_if_fail(tls != NULL); g_return_if_fail(ssl != NULL); tls_rec_set_protocol_version(tls, SSL_get_version(ssl)); tls_rec_set_cipher(tls, SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))); tls_rec_set_cipher_size(tls, SSL_get_cipher_bits(ssl, NULL)); }
MONO_API int mono_btls_ssl_get_cipher (MonoBtlsSsl *ptr) { const SSL_CIPHER *cipher; cipher = SSL_get_current_cipher (ptr->ssl); if (!cipher) return 0; return (uint16_t)SSL_CIPHER_get_id (cipher); }
void describeConnection(SSL* ssl) { char buff[128]; const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); CHECK(cipher != NULL); char *desc = SSL_CIPHER_description(cipher,buff,128); CHECK(desc != NULL); fprintf(stderr,"renegotiation: %s\n", SSL_get_secure_renegotiation_support(ssl)?"allowed":"disallowed"); fprintf(stderr,"%s: %s", SSL_get_version(ssl), desc); }
const char* Connection::currentCipher() const { //char desc[512]; //SSL_CIPHER_description(c, desc, sizeof(desc)); //bits = SSL_CIPHER_get_bits(c, &usedBits); //name = SSL_CIPHER_get_name(c); //version = SSL_CIPHER_get_version(c); const SSL_CIPHER* c = SSL_get_current_cipher(_ssl); const char* name = SSL_CIPHER_get_name(c); return name; }
const SSL_CIPHER *RodsConnection::cipherInfo() const { // if we have a valid OpenSSL handle if (this->isSSL()) { // return pointer to OpenSSL cipher in use return (SSL_get_current_cipher(this->rodsCommPtr->ssl)); } // if no SSL, just return NULL return (NULL); }
int ssl_check_cert(SSL *ssl, struct conf **confs) { X509 *peer; char tmpbuf[256]=""; const char *ssl_peer_cn=get_string(confs[OPT_SSL_PEER_CN]); if(!ssl_peer_cn) { logp("ssl_peer_cn not set.\n"); return -1; } SSL_CIPHER_description(SSL_get_current_cipher(ssl), tmpbuf, sizeof(tmpbuf)); logp("SSL is using cipher: %s\n", tmpbuf); if(!(peer=SSL_get_peer_certificate(ssl))) { logp("Could not get peer certificate.\n"); return -1; } if(SSL_get_verify_result(ssl)!=X509_V_OK) { logp_ssl_err("Certificate doesn't verify.\n"); return -1; } X509_NAME_get_text_by_NID(X509_get_subject_name(peer), NID_commonName, tmpbuf, sizeof(tmpbuf)); if(strcasecmp(tmpbuf, ssl_peer_cn)) { logp("cert common name doesn't match configured ssl_peer_cn\n"); logp("'%s'!='%s'\n", tmpbuf, ssl_peer_cn); return -1; } #ifndef HAVE_WIN32 if(setenv_x509(X509_get_subject_name(peer), "PEER") || setenv_x509(X509_get_issuer_name(peer), "ISSUER")) return -1; if(setenv_x509_date(X509_get_notBefore(peer), "X509_PEER_NOT_BEFORE") || setenv_x509_date(X509_get_notAfter(peer), "X509_PEER_NOT_AFTER")) return -1; if(setenv_x509_serialnumber(X509_get_serialNumber(peer), "X509_PEER_SERIALNUMBER")) return -1; #endif //if((comp=SSL_get_current_compression(ssl))) // logp("SSL is using compression: %s\n", comp->name); return 0; }
int SecureSocket::secureConnect(int socket) { createSSL(); // attach the socket descriptor SSL_set_fd(m_ssl->m_ssl, socket); LOG((CLOG_DEBUG2 "connecting secure socket")); int r = SSL_connect(m_ssl->m_ssl); static int retry; checkResult(r, retry); if (isFatal()) { LOG((CLOG_ERR "failed to connect secure socket")); return -1; } // If we should retry, not ready and return 0 if (retry > 0) { LOG((CLOG_DEBUG2 "retry connect secure socket")); m_secureReady = false; return 0; } // No error, set ready, process and return ok m_secureReady = true; if (verifyCertFingerprint()) { LOG((CLOG_INFO "connected to secure socket")); if (!showCertificate()) { disconnect(); return -1;// Cert fail, error } } else { LOG((CLOG_ERR "failed to verify server certificate fingerprint")); disconnect(); return -1; // Fingerprint failed, error } LOG((CLOG_DEBUG2 "connected secure socket")); const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl); if(cipher != NULL) { char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0); if(cipherVersion != NULL) { LOG((CLOG_INFO "%s", cipherVersion)); OPENSSL_free(cipherVersion); } } return 1; }
CAMLprim value ocaml_ssl_get_current_cipher(value socket) { CAMLparam1(socket); SSL *ssl = SSL_val(socket); caml_enter_blocking_section(); SSL_CIPHER *cipher = (SSL_CIPHER*)SSL_get_current_cipher(ssl); caml_leave_blocking_section(); if (!cipher) caml_raise_constant(*caml_named_value("ssl_exn_cipher_error")); CAMLreturn((value)cipher); }
SCM scm_tls_get_cipher_info(SCM tls_smob){ scm_assert_smob_type(tls_tag, tls_smob); BIO *bio = (BIO*)SCM_SMOB_DATA(tls_smob); SSL *ssl; BIO_get_ssl(bio, &ssl); //I'm not sure if scheme copies c strings or not, so make this static //so it stays valid regardless. static char cipher_buf[128]; SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); SSL_CIPHER_description(cipher, cipher_buf, 128); return scm_from_utf8_string(cipher_buf); }
const char * rb_ssl_get_cipher(rb_fde_t *F) { const SSL_CIPHER *sslciph; if(F == NULL || F->ssl == NULL) return NULL; if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL) return NULL; return SSL_CIPHER_get_name(sslciph); }
const char *net_get_cipher(void) { if (_use_ssl) { const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); if (cipher) return SSL_CIPHER_get_name(cipher); else return "unencrypted"; } else return "unencrypted"; }
static void benchmark(SSL *ssl, uint64_t send_bytes, uint64_t recv_bytes) { uint64_t bytes = 0; char buf[BENCH_CHUNK]; record_time_t t0, t1, t2; int sd; memset(buf, 'a', BENCH_CHUNK); record_time(&t0); if (SSL_connect(ssl) != 1) { ERR_print_errors_fp(stderr); goto out; } printf("cipher: %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))); record_time(&t1); if (send_bytes) { while (bytes < send_bytes) { int to_send = (send_bytes - bytes > BENCH_CHUNK) ? BENCH_CHUNK : send_bytes - bytes; if (SSL_write_all(ssl, buf, to_send)) break; bytes += to_send; } } else { while (bytes < recv_bytes) { int to_recv = (recv_bytes - bytes > BENCH_CHUNK) ? BENCH_CHUNK : recv_bytes - bytes; int recved; recved = SSL_read(ssl, buf, sizeof(to_recv)); if (recved > 0) bytes += recved; else break; } } record_time(&t2); print_time((send_bytes > 0) ? "sending" : "receiving", (send_bytes > 0) ? send_bytes : recv_bytes, &t1, &t2); SSL_shutdown(ssl); out: sd = SSL_get_fd(ssl); SSL_free(ssl); close(sd); }
// Returns the names of the SSL cipher suites which are currently // enabled for use on this connection. char* SSLSocket::getEnabledCipherSuites() { char cipdesc[128]; const SSL_CIPHER *sslciph = SSL_get_current_cipher(_ssl); if (sslciph != NULL) { SSL_CIPHER_description(sslciph, cipdesc, sizeof(cipdesc)); return strdup(cipdesc); } else return NULL; }
std::string SSLSocket::getEncryptionInfo() const noexcept { if (!ssl) return Util::emptyString; const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl); if (!cipher) return Util::emptyString; char* buf = SSL_CIPHER_description(cipher, NULL, 0); StringTokenizer<std::string> st(buf, ' '); std::string ret = st.getTokens()[1] + " / " + st.getTokens()[0]; delete[] buf; return ret; }
int SecureSocket::secureAccept(int socket) { createSSL(); // set connection socket to SSL state SSL_set_fd(m_ssl->m_ssl, socket); LOG((CLOG_DEBUG2 "accepting secure socket")); int r = SSL_accept(m_ssl->m_ssl); static int retry; checkResult(r, retry); if (isFatal()) { // tell user and sleep so the socket isn't hammered. LOG((CLOG_ERR "failed to accept secure socket")); LOG((CLOG_INFO "client connection may not be secure")); m_secureReady = false; ARCH->sleep(1); return -1; // Failed, error out } // If not fatal and no retry, state is good if (retry == 0) { m_secureReady = true; LOG((CLOG_INFO "accepted secure socket")); const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl); if(cipher != NULL) { char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0); if(cipherVersion != NULL) { LOG((CLOG_INFO "%s", cipherVersion)); OPENSSL_free(cipherVersion); } } return 1; } // If not fatal and retry is set, not ready, and return retry if (retry > 0) { LOG((CLOG_DEBUG2 "retry accepting secure socket")); m_secureReady = false; return 0; } // no good state exists here LOG((CLOG_ERR "unexpected state attempting to accept connection")); return -1; }
bool pn_ssl_get_protocol_name(pn_ssl_t *ssl, char *buffer, size_t size ) { const SSL_CIPHER *c; *buffer = '\0'; if (ssl->ssl && (c = SSL_get_current_cipher( ssl->ssl ))) { const char *v = SSL_CIPHER_get_version(c); if (v) { snprintf( buffer, size, "%s", v ); return true; } } return false; }