static int tls_create_new_context(const char *cert_file,
const char *key_file)
{
# ifdef HAVE_TLS_SERVER_METHOD
if ((tls_ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
tls_error(__LINE__, 0);
}
# else
if ((tls_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
tls_error(__LINE__, 0);
}
# endif
tls_init_options();
tls_init_cache();
tls_load_cert_file(cert_file, key_file);
if (ssl_verify_client_cert) {
tls_init_client_cert_verification(cert_file);
}
tls_init_ecdh_curve();
tls_init_dhparams();
return 0;
}
static
int tls_init_context(tls_t *tls, tls_issues_t const *ti)
{
int verify;
static int random_loaded;
ONCE_INIT(tls_init_once);
if (!random_loaded) {
random_loaded = 1;
if (ti->randFile &&
!RAND_load_file(ti->randFile, 1024 * 1024)) {
if (ti->configured > 1) {
SU_DEBUG_3(("%s: cannot open randFile %s\n",
"tls_init_context", ti->randFile));
tls_log_errors(3, "tls_init_context", 0);
}
/* errno = EIO; */
/* return -1; */
}
}
#if HAVE_SIGPIPE
/* Avoid possible SIGPIPE when sending close_notify */
signal(SIGPIPE, SIG_IGN);
#endif
if (tls->ctx == NULL)
if (!(tls->ctx = SSL_CTX_new((SSL_METHOD*)SSLv23_method()))) {
tls_log_errors(1, "SSL_CTX_new() failed", 0);
errno = EIO;
return -1;
}
if (!(ti->version & TPTLS_VERSION_SSLv2))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv2);
if (!(ti->version & TPTLS_VERSION_SSLv3))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv3);
if (!(ti->version & TPTLS_VERSION_TLSv1))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1);
if (!(ti->version & TPTLS_VERSION_TLSv1_1))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_1);
if (!(ti->version & TPTLS_VERSION_TLSv1_2))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_2);
SSL_CTX_sess_set_remove_cb(tls->ctx, NULL);
SSL_CTX_set_timeout(tls->ctx, ti->timeout);
/* Set callback if we have a passphrase */
if (ti->passphrase != NULL) {
SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti);
}
if (!SSL_CTX_use_certificate_file(tls->ctx,
ti->cert,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid local certificate: %s\n",
"tls_init_context", ti->cert));
tls_log_errors(3, "tls_init_context", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_use_PrivateKey_file(tls->ctx,
ti->key,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid private key: %s\n",
"tls_init_context", ti->key));
tls_log_errors(3, "tls_init_context(key)", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_check_private_key(tls->ctx)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: private key does not match the certificate public key\n",
"tls_init_context"));
}
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
if (!SSL_CTX_load_verify_locations(tls->ctx,
ti->CAfile,
ti->CApath)) {
SU_DEBUG_1(("%s: error loading CA list: %s\n",
"tls_init_context", ti->CAfile));
if (ti->configured > 0)
tls_log_errors(3, "tls_init_context(CA)", 0);
errno = EIO;
return -1;
}
/* corresponds to (enum tport_tls_verify_policy) */
tls->verify_incoming = (ti->policy & 0x1) ? 1 : 0;
tls->verify_outgoing = (ti->policy & 0x2) ? 1 : 0;
tls->verify_subj_in = (ti->policy & 0x4) ? tls->verify_incoming : 0;
tls->verify_subj_out = (ti->policy & 0x8) ? tls->verify_outgoing : 0;
tls->verify_date = (ti->verify_date) ? 1 : 0;
if (tls->verify_incoming)
verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
else
verify = SSL_VERIFY_NONE;
SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb);
if (tls_init_ecdh_curve(tls) == 0) {
SU_DEBUG_3(("%s\n", "tls: initialized ECDH"));
} else {
SU_DEBUG_3(("%s\n", "tls: failed to initialize ECDH"));
}
if (!SSL_CTX_set_cipher_list(tls->ctx, ti->ciphers)) {
SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context"));
tls_log_errors(3, "tls_init_context", 0);
errno = EIO;
return -1;
}
return 0;
}
int tls_init_library(void)
{
unsigned int rnd;
tls_cnx_handshook = 0;
tls_data_cnx_handshook = 0;
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
while (RAND_status() == 0) {
rnd = zrand();
RAND_seed(&rnd, (int) sizeof rnd);
}
if ((tls_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
tls_error(__LINE__, 0);
}
# ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
SSL_CTX_set_options(tls_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
# endif
# ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
SSL_CTX_set_options(tls_ctx,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
# endif
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv3);
# ifdef SSL_OP_NO_TLSv1
SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1);
# endif
# ifdef SSL_OP_NO_TLSv1_1
SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_1);
# endif
# ifdef SSL_OP_NO_TLSv1_2
SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
# endif
if (tlsciphersuite != NULL) {
if (SSL_CTX_set_cipher_list(tls_ctx, tlsciphersuite) != 1) {
logfile(LOG_ERR, MSG_TLS_CIPHER_FAILED, tlsciphersuite);
_EXIT(EXIT_FAILURE);
}
}
if (SSL_CTX_use_certificate_chain_file(tls_ctx, cert_file) != 1) {
die(421, LOG_ERR,
MSG_FILE_DOESNT_EXIST ": [%s]", cert_file);
}
if (SSL_CTX_use_PrivateKey_file(tls_ctx, cert_file,
SSL_FILETYPE_PEM) != 1) {
tls_error(__LINE__, 0);
}
if (SSL_CTX_check_private_key(tls_ctx) != 1) {
tls_error(__LINE__, 0);
}
tls_init_cache();
# ifdef SSL_CTRL_SET_ECDH_AUTO
SSL_CTX_ctrl(tls_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL);
# else
tls_init_ecdh_curve();
# endif
# ifdef SSL_CTRL_SET_DH_AUTO
if (tls_init_dhparams() != 0) {
SSL_CTX_ctrl(tls_ctx, SSL_CTRL_SET_DH_AUTO, 1, NULL);
}
# else
if (tls_init_dhparams() != 0) {
tls_init_dhparams_default();
}
# endif
# ifdef DISABLE_SSL_RENEGOTIATION
SSL_CTX_set_info_callback(tls_ctx, ssl_info_cb);
# endif
SSL_CTX_set_verify_depth(tls_ctx, 6);
if (ssl_verify_client_cert) {
SSL_CTX_set_verify(tls_ctx, SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
SSL_VERIFY_PEER, NULL);
if (SSL_CTX_load_verify_locations(tls_ctx, cert_file, NULL) != 1) {
tls_error(__LINE__, 0);
}
}
return 0;
}
