BOOL transport_attach(rdpTransport* transport, int sockfd)
{
BIO* socketBio = NULL;
BIO* bufferedBio;
socketBio = BIO_new(BIO_s_simple_socket());
if (!socketBio)
goto fail;
BIO_set_fd(socketBio, sockfd, BIO_CLOSE);
bufferedBio = BIO_new(BIO_s_buffered_socket());
if (!bufferedBio)
goto fail;
bufferedBio = BIO_push(bufferedBio, socketBio);
transport->frontBio = bufferedBio;
return TRUE;
fail:
if (socketBio)
BIO_free_all(socketBio);
else
close(sockfd);
return FALSE;
}
/* This should exactly match OpenSSL's SSL_set_fd except for using my BIO */
static int
my_SSL_set_fd(Port *port, int fd)
{
int ret = 0;
BIO *bio;
BIO_METHOD *bio_method;
bio_method = my_BIO_s_socket();
if (bio_method == NULL)
{
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
goto err;
}
bio = BIO_new(bio_method);
if (bio == NULL)
{
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
goto err;
}
BIO_set_data(bio, port);
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set_bio(port->ssl, bio, bio);
ret = 1;
err:
return ret;
}
status_t
BSecureSocket::_SetupCommon(const char* host)
{
// Do this only after BSocket::Connect has checked wether we're already
// connected. We don't want to kill an existing SSL session, as that would
// likely crash the protocol loop for it.
if (fPrivate->fSSL != NULL) {
SSL_free(fPrivate->fSSL);
}
fPrivate->fSSL = SSL_new(BSecureSocket::Private::Context());
if (fPrivate->fSSL == NULL) {
BSocket::Disconnect();
return B_NO_MEMORY;
}
BIO_set_fd(fPrivate->fBIO, fSocket, BIO_NOCLOSE);
SSL_set_bio(fPrivate->fSSL, fPrivate->fBIO, fPrivate->fBIO);
SSL_set_ex_data(fPrivate->fSSL, Private::sDataIndex, this);
if (host != NULL) {
BString hostString = host;
if (hostString != "")
SSL_set_tlsext_host_name(fPrivate->fSSL, host);
}
return B_OK;
}
BIO *BIO_new_fd(int fd,int close_flag)
{
BIO *ret;
ret=BIO_new(BIO_s_fd());
if (ret == NULL) return(NULL);
BIO_set_fd(ret,fd,close_flag);
return(ret);
}
BIO *BIO_new_fd(int fd, int close_flag) {
BIO *ret = BIO_new(BIO_s_fd());
if (ret == NULL) {
return NULL;
}
BIO_set_fd(ret, fd, close_flag);
return ret;
}
void OpenSSLUtils::setBioFd(BIO* b, int fd, int flags) {
#ifdef _WIN32
SOCKET sock = portability::sockets::fd_to_socket(fd);
#else
int sock = fd;
#endif
BIO_set_fd(b, sock, flags);
}
EXPORT_C BIO *BIO_new_dgram(int fd, int close_flag)
{
BIO *ret;
ret=BIO_new(BIO_s_datagram());
if (ret == NULL) return(NULL);
BIO_set_fd(ret,fd,close_flag);
return(ret);
}
BOOL rdg_tls_out_connect(rdpRdg* rdg, const char* hostname, UINT16 port, int timeout)
{
int sockfd = 0;
int status = 0;
BIO* socketBio = NULL;
BIO* bufferedBio = NULL;
rdpSettings* settings = rdg->settings;
assert(hostname != NULL);
sockfd = freerdp_tcp_connect(rdg->context, settings, settings->GatewayHostname,
settings->GatewayPort, timeout);
if (sockfd < 1)
{
return FALSE;
}
socketBio = BIO_new(BIO_s_simple_socket());
if (!socketBio)
{
closesocket(sockfd);
return FALSE;
}
BIO_set_fd(socketBio, sockfd, BIO_CLOSE);
bufferedBio = BIO_new(BIO_s_buffered_socket());
if (!bufferedBio)
{
BIO_free(socketBio);
return FALSE;
}
bufferedBio = BIO_push(bufferedBio, socketBio);
status = BIO_set_nonblock(bufferedBio, TRUE);
if (!status)
{
BIO_free_all(bufferedBio);
return FALSE;
}
rdg->tlsOut->hostname = settings->GatewayHostname;
rdg->tlsOut->port = settings->GatewayPort;
rdg->tlsOut->isGatewayTransport = TRUE;
status = tls_connect(rdg->tlsOut, bufferedBio);
if (status < 1)
{
return FALSE;
}
return TRUE;
}
X509 *SSL_read_X509(FILE *fp, X509 **x509, int (*cb)(char *, int, int, void*))
#endif
{
X509 *rc;
BIO *bioS;
BIO *bioF;
/* 1. try PEM (= DER+Base64+headers) */
#if SSL_LIBRARY_VERSION < 0x00904000
rc = PEM_read_X509(fp, x509, cb);
#else
rc = PEM_read_X509(fp, x509, cb, NULL);
#endif
if (rc == NULL) {
/* 2. try DER+Base64 */
fseek(fp, 0L, SEEK_SET);
if ((bioS = BIO_new(BIO_s_fd())) == NULL)
return NULL;
BIO_set_fd(bioS, fileno(fp), BIO_NOCLOSE);
if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
BIO_free(bioS);
return NULL;
}
bioS = BIO_push(bioF, bioS);
rc = d2i_X509_bio(bioS, NULL);
BIO_free_all(bioS);
if (rc == NULL) {
/* 3. try plain DER */
fseek(fp, 0L, SEEK_SET);
if ((bioS = BIO_new(BIO_s_fd())) == NULL)
return NULL;
BIO_set_fd(bioS, fileno(fp), BIO_NOCLOSE);
rc = d2i_X509_bio(bioS, NULL);
BIO_free(bioS);
}
}
if (rc != NULL && x509 != NULL) {
if (*x509 != NULL)
X509_free(*x509);
*x509 = rc;
}
return rc;
}
BIO *BIO_new_socket(int fd, int close_flag)
{
BIO *ret;
ret = BIO_new(BIO_s_socket());
if (ret == NULL)
return NULL;
BIO_set_fd(ret, fd, close_flag);
return ret;
}
EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char *, int, int, void*))
#endif
{
EVP_PKEY *rc;
BIO *bioS;
BIO *bioF;
/* 1. try PEM (= DER+Base64+headers) */
#if SSL_LIBRARY_VERSION < 0x00904000
rc = PEM_read_PrivateKey(fp, key, cb);
#else
rc = PEM_read_PrivateKey(fp, key, cb, NULL);
#endif
if (rc == NULL) {
/* 2. try DER+Base64 */
fseek(fp, 0L, SEEK_SET);
if ((bioS = BIO_new(BIO_s_fd())) == NULL)
return NULL;
BIO_set_fd(bioS, fileno(fp), BIO_NOCLOSE);
if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
BIO_free(bioS);
return NULL;
}
bioS = BIO_push(bioF, bioS);
rc = d2i_PrivateKey_bio(bioS, NULL);
BIO_free_all(bioS);
if (rc == NULL) {
/* 3. try plain DER */
fseek(fp, 0L, SEEK_SET);
if ((bioS = BIO_new(BIO_s_fd())) == NULL)
return NULL;
BIO_set_fd(bioS, fileno(fp), BIO_NOCLOSE);
rc = d2i_PrivateKey_bio(bioS, NULL);
BIO_free(bioS);
}
}
if (rc != NULL && key != NULL) {
if (*key != NULL)
EVP_PKEY_free(*key);
*key = rc;
}
return rc;
}
static int uh_tls_client_ctx_setup(SSL *ssl, int socket)
{
BIO *b;
if (!(b = BIO_new(&uh_openssl_bio_methods)))
return 0;
BIO_set_fd(b, socket, BIO_NOCLOSE);
SSL_set_bio(ssl, b, b);
return 1;
}
BIO *BIO_new_tou_socket(int fd, int close_flag)
{
BIO *ret;
#ifdef DEBUG_TOU_BIO
fprintf(stderr, "BIO_new_tou_socket(%d)\n", fd);
#endif
ret=BIO_new(BIO_s_tou_socket());
if (ret == NULL) return(NULL);
BIO_set_fd(ret,fd,close_flag);
return(ret);
}
static int SSL_set_fd_bsd(SSL *s, int fd)
{
int result= -1;
BIO_METHOD *BIO_s_bsdsocket();
BIO *bio;
if ((bio= BIO_new(BIO_s_bsdsocket())))
{
result= BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set_bio(s, bio, bio);
}
return result;
}
void SecureSocketImpl::connectSSL(bool performHandshake)
{
poco_assert (!_pSSL);
poco_assert (_pSocket->initialized());
BIO* pBIO = BIO_new(BIO_s_socket());
if (!pBIO) throw SSLException("Cannot create SSL BIO object");
BIO_set_fd(pBIO, static_cast<int>(_pSocket->sockfd()), BIO_NOCLOSE);
_pSSL = SSL_new(_pContext->sslContext());
if (!_pSSL)
{
BIO_free(pBIO);
throw SSLException("Cannot create SSL object");
}
SSL_set_bio(_pSSL, pBIO, pBIO);
#if OPENSSL_VERSION_NUMBER >= 0x0908060L && !defined(OPENSSL_NO_TLSEXT)
if (!_peerHostName.empty())
{
SSL_set_tlsext_host_name(_pSSL, _peerHostName.c_str());
}
#endif
if (_pSession)
{
SSL_set_session(_pSSL, _pSession->sslSession());
}
try
{
if (performHandshake && _pSocket->getBlocking())
{
int ret = SSL_connect(_pSSL);
handleError(ret);
verifyPeerCertificate();
}
else
{
SSL_set_connect_state(_pSSL);
_needHandshake = true;
}
}
catch (...)
{
SSL_free(_pSSL);
_pSSL = 0;
throw;
}
}
BIO *BIO_new_fd(int fd,int close_flag)
#endif
{
BIO *ret;
#ifndef BIO_FD
ret=BIO_new(BIO_s_socket());
#else
ret=BIO_new(BIO_s_fd());
#endif
if (ret == NULL) return(NULL);
BIO_set_fd(ret,fd,close_flag);
return(ret);
}
int tcp_attach(rdpTcp* tcp, int sockfd)
{
tcp->sockfd = sockfd;
SetEventFileDescriptor(tcp->event, tcp->sockfd);
ringbuffer_commit_read_bytes(&tcp->xmitBuffer, ringbuffer_used(&tcp->xmitBuffer));
if (tcp->socketBio)
{
if (BIO_set_fd(tcp->socketBio, sockfd, 1) < 0)
return -1;
}
else
{
tcp->socketBio = BIO_new(BIO_s_simple_socket());
if (!tcp->socketBio)
return -1;
BIO_set_fd(tcp->socketBio, sockfd, BIO_CLOSE);
}
if (!tcp->bufferedBio)
{
tcp->bufferedBio = BIO_new(BIO_s_buffered_socket());
if (!tcp->bufferedBio)
return FALSE;
tcp->bufferedBio->ptr = tcp;
tcp->bufferedBio = BIO_push(tcp->bufferedBio, tcp->socketBio);
}
return 0;
}
/* we got a connection to the ocsp responder */
int
ocsp_receive_fd(struct iked *env, struct imsg *imsg)
{
struct iked_ocsp_entry *ioe = NULL;
struct iked_ocsp *ocsp = NULL;
struct iked_socket *sock;
char *path = NULL;
int ret = -1;
log_debug("%s: received socket fd %d", __func__, imsg->fd);
if ((ioe = TAILQ_FIRST(&env->sc_ocsp)) == NULL) {
log_debug("%s: oops, no request for", __func__);
close(imsg->fd);
return (-1);
}
TAILQ_REMOVE(&env->sc_ocsp, ioe, ioe_entry);
ocsp = ioe->ioe_ocsp;
free(ioe);
if ((sock = calloc(1, sizeof(*sock))) == NULL)
fatal("ocsp_receive_fd: calloc sock");
/* note that sock_addr is not set */
sock->sock_fd = imsg->fd;
sock->sock_env = env;
ocsp->ocsp_sock = sock;
/* fetch 'path' and 'fd' from imsg */
if ((path = get_string(imsg->data, IMSG_DATA_SIZE(imsg))) == NULL)
goto done;
BIO_set_fd(ocsp->ocsp_cbio, imsg->fd, BIO_NOCLOSE);
if ((ocsp->ocsp_req_ctx = OCSP_sendreq_new(ocsp->ocsp_cbio,
path, NULL, -1)) == NULL)
goto done;
if (!OCSP_REQ_CTX_set1_req(ocsp->ocsp_req_ctx, ocsp->ocsp_req))
goto done;
event_set(&sock->sock_ev, sock->sock_fd, EV_WRITE, ocsp_callback, ocsp);
event_add(&sock->sock_ev, NULL);
ret = 0;
done:
if (ret == -1)
ocsp_validate_finish(ocsp, 0); /* failed */
free(path);
return (ret);
}
int LLVMFuzzerTestOneInput(const uint8_t* buf, size_t len)
{
if (RAND_reset_for_fuzzing) {
RAND_reset_for_fuzzing();
}
SSL* server = SSL_new(ctx);
BIO* in = BIO_new(BIO_s_mem());
BIO_write(in, buf, len);
BIO* out = BIO_new(BIO_s_fd());
BIO_set_fd(out, 1, BIO_NOCLOSE);
SSL_set_bio(server, in, out);
if (SSL_accept(server) == 1) {
X509* peer;
if ((peer = SSL_get_peer_certificate(server)) != NULL) {
SSL_get_verify_result(server);
X509_free(peer);
}
uint8_t tmp[1024 * 1024];
for (;;) {
ssize_t r = SSL_read(server, tmp, sizeof(tmp));
if (r <= 0) {
SSL_shutdown(server);
break;
}
if (SSL_write(server, tmp, r) <= 0) {
SSL_shutdown(server);
break;
}
#ifndef OPENSSL_NO_HEARTBEATS
SSL_heartbeat(server);
#endif /* ifndef OPENSSL_NO_HEARTBEATS */
}
} else {
ERR_print_errors_fp(stderr);
}
SSL_free(server);
return 0;
}
connection::connection(int socketin,SSL_CTX* ctx,const unsigned int timeoutSec,const unsigned int timeoutMic)
{
socket = socketin;
timeout.tv_sec = timeoutSec;
timeout.tv_usec = timeoutMic;
int ssl_int;
if(setsockopt(socket,SOL_SOCKET,SO_RCVTIMEO,reinterpret_cast<char*>(&timeout),sizeof(timeout)) < 0)
throw connection_exception("Set sock opt failed");
ssl = SSL_new(ctx);
bio = BIO_new(BIO_s_socket());
BIO_set_fd(bio,socket,BIO_NOCLOSE);
SSL_set_bio(ssl,bio,bio);
if((ssl_int = SSL_accept(ssl)) < 1)
{
throw connection_exception("SSL Accept failed.");
}
}
void SecureSocketImpl::acceptSSL()
{
poco_assert (!_pSSL);
BIO* pBIO = BIO_new(BIO_s_socket());
if (!pBIO) throw SSLException("Cannot create BIO object");
BIO_set_fd(pBIO, static_cast<int>(_pSocket->sockfd()), BIO_NOCLOSE);
_pSSL = SSL_new(_pContext->sslContext());
if (!_pSSL)
{
BIO_free(pBIO);
throw SSLException("Cannot create SSL object");
}
SSL_set_bio(_pSSL, pBIO, pBIO);
SSL_set_accept_state(_pSSL);
_needHandshake = true;
}
ssl_server_con * ssl_server_accept(ssl_server_client * scli, int fd){
BIO_set_fd(SSL_get_rbio(scli->ssl), fd, BIO_NOCLOSE);
BIO_ctrl(SSL_get_rbio(scli->ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, &scli->addr);
int ret = 0;
do{ret = SSL_accept(scli->ssl);}
while(ret == 0);
if(ret < 0){
handle_ssl_error(scli->ssl, ret);
return NULL;
}
ASSERT(ret > 0);
struct timeval timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
BIO_ctrl(SSL_get_rbio(scli->ssl), BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
ssl_server_con * con = alloc0(sizeof(ssl_server_con));
con->ssl = scli->ssl;
return con;
}
/* This should exactly match openssl's SSL_set_fd except for using my BIO */
static int
my_SSL_set_fd(SSL *s, int fd)
{
int ret = 0;
BIO *bio = NULL;
bio = BIO_new(my_BIO_s_socket());
if (bio == NULL)
{
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
goto err;
}
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set_bio(s, bio, bio);
ret = 1;
err:
return ret;
}
static LUA_FUNCTION(openssl_bio_fd)
{
BIO* bio = CHECK_OBJECT(1, BIO, "openssl.bio");
int typ = BIO_method_type(bio);
if (typ & BIO_TYPE_FD)
{
int fd = -1;
if (!lua_isnoneornil(L, 2))
{
fd = lua_tointeger(L, 2);
BIO_set_fd(bio, fd, BIO_NOCLOSE);
}
else
fd = BIO_get_fd(bio, 0);
lua_pushinteger(L, fd);
}
else
luaL_error(L, "BIO type miss match");
return 1;
}
/* This should exactly match openssl's SSL_set_fd except for using my BIO */
static int
my_SSL_set_fd(Port *port, int fd)
{
int ret = 0;
BIO *bio = NULL;
bio = BIO_new(my_BIO_s_socket());
if (bio == NULL)
{
SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
goto err;
}
/* Use 'ptr' to store pointer to PGconn */
bio->ptr = port;
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set_bio(port->ssl, bio, bio);
ret = 1;
err:
return ret;
}
BOOL transport_attach(rdpTransport* transport, int sockfd)
{
BIO* socketBio;
BIO* bufferedBio;
socketBio = BIO_new(BIO_s_simple_socket());
if (!socketBio)
return FALSE;
BIO_set_fd(socketBio, sockfd, BIO_CLOSE);
bufferedBio = BIO_new(BIO_s_buffered_socket());
if (!bufferedBio)
return FALSE;
bufferedBio = BIO_push(bufferedBio, socketBio);
transport->frontBio = bufferedBio;
return TRUE;
}
int doit(io_channel chan, SSL_CTX *s_ctx )
{
int status, length, link_state;
struct rpc_msg msg;
static char cbuf[200],sbuf[200];
SSL *s_ssl=NULL;
BIO *c_to_s=NULL;
BIO *s_to_c=NULL;
BIO *c_bio=NULL;
BIO *s_bio=NULL;
int i;
int done=0;
s_ssl=SSL_new(s_ctx);
if (s_ssl == NULL) goto err;
c_to_s=BIO_new(BIO_s_rtcp());
s_to_c=BIO_new(BIO_s_rtcp());
if ((s_to_c == NULL) || (c_to_s == NULL)) goto err;
/* original, DRM 24-SEP-1997
BIO_set_fd ( c_to_s, "", chan );
BIO_set_fd ( s_to_c, "", chan );
*/
BIO_set_fd ( c_to_s, 0, chan );
BIO_set_fd ( s_to_c, 0, chan );
c_bio=BIO_new(BIO_f_ssl());
s_bio=BIO_new(BIO_f_ssl());
if ((c_bio == NULL) || (s_bio == NULL)) goto err;
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl,c_to_s,s_to_c);
BIO_set_ssl(s_bio,s_ssl,BIO_CLOSE);
/* We can always do writes */
printf("Begin doit main loop\n");
/*
* Link states: 0-idle, 1-read pending, 2-write pending, 3-closed.
*/
for (link_state = 0; link_state < 3; ) {
/*
* Wait for remote end to request data action on A channel.
*/
while ( link_state == 0 ) {
status = get ( chan, (char *) &msg, sizeof(msg), &length );
if ( (status&1) == 0 ) {
printf("Error in main loop get: %d\n", status );
link_state = 3;
break;
}
if ( length < RPC_HDR_SIZE ) {
printf("Error in main loop get size: %d\n", length );
break;
link_state = 3;
}
if ( msg.channel != 'A' ) {
printf("Error in main loop, unexpected channel: %c\n",
msg.channel );
break;
link_state = 3;
}
if ( msg.function == 'G' ) {
link_state = 1;
} else if ( msg.function == 'P' ) {
link_state = 2; /* write pending */
} else if ( msg.function == 'X' ) {
link_state = 3;
} else {
link_state = 3;
}
}
if ( link_state == 1 ) {
i = BIO_read ( s_bio, msg.data, msg.length );
if ( i < 0 ) link_state = 3;
else {
msg.channel = 'A';
msg.function = 'C'; /* confirm */
msg.length = i;
status = put ( chan, (char *) &msg, i+RPC_HDR_SIZE );
if ( (status&1) == 0 ) break;
link_state = 0;
}
} else if ( link_state == 2 ) {
i = BIO_write ( s_bio, msg.data, msg.length );
if ( i < 0 ) link_state = 3;
else {
msg.channel = 'A';
msg.function = 'C'; /* confirm */
msg.length = 0;
status = put ( chan, (char *) &msg, RPC_HDR_SIZE );
if ( (status&1) == 0 ) break;
link_state = 0;
}
}
}
fprintf(stdout,"DONE\n");
err:
/* We have to set the BIO's to NULL otherwise they will be
* free()ed twice. Once when th s_ssl is SSL_free()ed and
* again when c_ssl is SSL_free()ed.
* This is a hack required because s_ssl and c_ssl are sharing the same
* BIO structure and SSL_set_bio() and SSL_free() automatically
* BIO_free non NULL entries.
* You should not normally do this or be required to do this */
s_ssl->rbio=NULL;
s_ssl->wbio=NULL;
if (c_to_s != NULL) BIO_free(c_to_s);
if (s_to_c != NULL) BIO_free(s_to_c);
if (c_bio != NULL) BIO_free(c_bio);
if (s_bio != NULL) BIO_free(s_bio);
return(0);
}
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
if (!connection || connection->ssl_data)
return IDEVICE_E_INVALID_ARG;
idevice_error_t ret = IDEVICE_E_SSL_ERROR;
uint32_t return_me = 0;
plist_t pair_record = NULL;
userpref_read_pair_record(connection->udid, &pair_record);
if (!pair_record) {
debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->udid);
return ret;
}
#ifdef HAVE_OPENSSL
key_data_t root_cert = { NULL, 0 };
key_data_t root_privkey = { NULL, 0 };
pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &root_cert);
pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, &root_privkey);
if (pair_record)
plist_free(pair_record);
/* Set up OpenSSL */
if (openssl_init_done == 0) {
SSL_library_init();
openssl_init_done = 1;
}
BIO *ssl_bio = BIO_new(BIO_s_socket());
if (!ssl_bio) {
debug_info("ERROR: Could not create SSL bio.");
return ret;
}
BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE);
//SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_method());
SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_client_method());
if (ssl_ctx == NULL) {
debug_info("ERROR: Could not create SSL context.");
BIO_free(ssl_bio);
return ret;
}
BIO* membp;
X509* rootCert = NULL;
membp = BIO_new_mem_buf(root_cert.data, root_cert.size);
PEM_read_bio_X509(membp, &rootCert, NULL, NULL);
BIO_free(membp);
if (SSL_CTX_use_certificate(ssl_ctx, rootCert) != 1) {
debug_info("WARNING: Could not load RootCertificate");
}
X509_free(rootCert);
free(root_cert.data);
RSA* rootPrivKey = NULL;
membp = BIO_new_mem_buf(root_privkey.data, root_privkey.size);
PEM_read_bio_RSAPrivateKey(membp, &rootPrivKey, NULL, NULL);
BIO_free(membp);
if (SSL_CTX_use_RSAPrivateKey(ssl_ctx, rootPrivKey) != 1) {
debug_info("WARNING: Could not load RootPrivateKey");
}
RSA_free(rootPrivKey);
free(root_privkey.data);
SSL *ssl = SSL_new(ssl_ctx);
if (!ssl) {
debug_info("ERROR: Could not create SSL object");
BIO_free(ssl_bio);
SSL_CTX_free(ssl_ctx);
return ret;
}
SSL_set_connect_state(ssl);
SSL_set_verify(ssl, 0, ssl_verify_callback);
SSL_set_bio(ssl, ssl_bio, ssl_bio);
return_me = SSL_do_handshake(ssl);
if (return_me != 1) {
debug_info("ERROR in SSL_do_handshake: %s", ssl_error_to_string(SSL_get_error(ssl, return_me)));
SSL_free(ssl);
SSL_CTX_free(ssl_ctx);
} else {
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
ssl_data_loc->session = ssl;
ssl_data_loc->ctx = ssl_ctx;
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled, cipher: %s", SSL_get_cipher(ssl));
}
/* required for proper multi-thread clean up to prevent leaks */
#ifdef HAVE_ERR_REMOVE_THREAD_STATE
ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
#else
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
/* Set up GnuTLS... */
debug_info("enabling SSL mode");
errno = 0;
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate, internal_cert_callback);
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
gnutls_x509_crt_init(&ssl_data_loc->root_cert);
gnutls_x509_crt_init(&ssl_data_loc->host_cert);
gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);
pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, ssl_data_loc->root_cert);
pair_record_import_crt_with_name(pair_record, USERPREF_HOST_CERTIFICATE_KEY, ssl_data_loc->host_cert);
pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, ssl_data_loc->root_privkey);
pair_record_import_key_with_name(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, ssl_data_loc->host_privkey);
if (pair_record)
plist_free(pair_record);
debug_info("GnuTLS step 1...");
gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
debug_info("GnuTLS step 2...");
gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
debug_info("GnuTLS step 3...");
gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
debug_info("GnuTLS step 4 -- now handshaking...");
if (errno) {
debug_info("WARNING: errno says %s before handshake!", strerror(errno));
}
return_me = gnutls_handshake(ssl_data_loc->session);
debug_info("GnuTLS handshake done...");
if (return_me != GNUTLS_E_SUCCESS) {
internal_ssl_cleanup(ssl_data_loc);
free(ssl_data_loc);
debug_info("GnuTLS reported something wrong.");
gnutls_perror(return_me);
debug_info("oh.. errno says %s", strerror(errno));
} else {
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled");
}
#endif
return ret;
}
BOOL tcp_connect(rdpTcp* tcp, const char* hostname, int port, int timeout)
{
int status;
UINT32 option_value;
socklen_t option_len;
if (!hostname)
return FALSE;
if (hostname[0] == '/')
{
tcp->sockfd = freerdp_uds_connect(hostname);
if (tcp->sockfd < 0)
return FALSE;
tcp->socketBio = BIO_new_fd(tcp->sockfd, 1);
if (!tcp->socketBio)
return FALSE;
}
else
{
fd_set cfds;
struct timeval tv;
tcp->socketBio = BIO_new(BIO_s_connect());
if (!tcp->socketBio)
return FALSE;
if (BIO_set_conn_hostname(tcp->socketBio, hostname) < 0 || BIO_set_conn_int_port(tcp->socketBio, &port) < 0)
return FALSE;
BIO_set_nbio(tcp->socketBio, 1);
status = BIO_do_connect(tcp->socketBio);
if ((status <= 0) && !BIO_should_retry(tcp->socketBio))
return FALSE;
tcp->sockfd = BIO_get_fd(tcp->socketBio, NULL);
if (tcp->sockfd < 0)
return FALSE;
if (status <= 0)
{
FD_ZERO(&cfds);
FD_SET(tcp->sockfd, &cfds);
tv.tv_sec = timeout;
tv.tv_usec = 0;
status = select(tcp->sockfd + 1, NULL, &cfds, NULL, &tv);
if (status == 0)
{
return FALSE; /* timeout */
}
}
BIO_set_close(tcp->socketBio, BIO_NOCLOSE);
BIO_free(tcp->socketBio);
tcp->socketBio = BIO_new(BIO_s_simple_socket());
if (!tcp->socketBio)
return -1;
BIO_set_fd(tcp->socketBio, tcp->sockfd, BIO_CLOSE);
}
SetEventFileDescriptor(tcp->event, tcp->sockfd);
tcp_get_ip_address(tcp);
tcp_get_mac_address(tcp);
option_value = 1;
option_len = sizeof(option_value);
if (setsockopt(tcp->sockfd, IPPROTO_TCP, TCP_NODELAY, (void*) &option_value, option_len) < 0)
fprintf(stderr, "%s: unable to set TCP_NODELAY\n", __FUNCTION__);
/* receive buffer must be a least 32 K */
if (getsockopt(tcp->sockfd, SOL_SOCKET, SO_RCVBUF, (void*) &option_value, &option_len) == 0)
{
if (option_value < (1024 * 32))
{
option_value = 1024 * 32;
option_len = sizeof(option_value);
if (setsockopt(tcp->sockfd, SOL_SOCKET, SO_RCVBUF, (void*) &option_value, option_len) < 0)
{
fprintf(stderr, "%s: unable to set receive buffer len\n", __FUNCTION__);
return FALSE;
}
}
}
if (!tcp_set_keep_alive_mode(tcp))
return FALSE;
tcp->bufferedBio = BIO_new(BIO_s_buffered_socket());
if (!tcp->bufferedBio)
return FALSE;
tcp->bufferedBio->ptr = tcp;
tcp->bufferedBio = BIO_push(tcp->bufferedBio, tcp->socketBio);
return TRUE;
}
static BOOL rdg_tls_connect(rdpRdg* rdg, rdpTls* tls, const char* peerAddress, int timeout)
{
int sockfd = 0;
int status = 0;
BIO* socketBio = NULL;
BIO* bufferedBio = NULL;
rdpSettings* settings = rdg->settings;
const char* peerHostname = settings->GatewayHostname;
UINT16 peerPort = settings->GatewayPort;
const char* proxyUsername, *proxyPassword;
BOOL isProxyConnection = proxy_prepare(settings, &peerHostname, &peerPort, &proxyUsername,
&proxyPassword);
sockfd = freerdp_tcp_connect(rdg->context, settings,
peerAddress ? peerAddress : peerHostname,
peerPort, timeout);
if (sockfd < 0)
{
return FALSE;
}
socketBio = BIO_new(BIO_s_simple_socket());
if (!socketBio)
{
closesocket(sockfd);
return FALSE;
}
BIO_set_fd(socketBio, sockfd, BIO_CLOSE);
bufferedBio = BIO_new(BIO_s_buffered_socket());
if (!bufferedBio)
{
closesocket(sockfd);
BIO_free(socketBio);
return FALSE;
}
bufferedBio = BIO_push(bufferedBio, socketBio);
status = BIO_set_nonblock(bufferedBio, TRUE);
if (isProxyConnection)
{
if (!proxy_connect(settings, bufferedBio, proxyUsername, proxyPassword, settings->GatewayHostname,
settings->GatewayPort))
return FALSE;
}
if (!status)
{
BIO_free_all(bufferedBio);
return FALSE;
}
tls->hostname = settings->GatewayHostname;
tls->port = settings->GatewayPort;
tls->isGatewayTransport = TRUE;
status = tls_connect(tls, bufferedBio);
return (status >= 1);
}
