SSL_CTX* EdSSLContext::buildCtx(int ver)
{
SSL_CTX *pctx;
const SSL_METHOD *method;
switch (ver)
{
case SSL_VER_TLSV1:
method = TLSv1_method();
break;
case SSL_VER_TLSV11:
method = TLSv1_1_method();
break;
case SSL_VER_V23:
method = SSLv23_method();
break;
case SSL_VER_V3:
method = SSLv3_method();
break;
case SSL_VER_DTLSV1:
method = DTLSv1_method();
break;
default:
method = NULL;
break;
}
if (method == NULL)
return NULL;
pctx = SSL_CTX_new(method);
return pctx;
}
// memory is only valid for duration of callback; must be copied if queueing
// is required
DtlsSocketContext::DtlsSocketContext() {
started = false;
mSocket = NULL;
receiver = NULL;
DtlsSocketContext::Init();
ELOG_DEBUG("Creating Dtls factory, Openssl v %s", OPENSSL_VERSION_TEXT);
mContext = SSL_CTX_new(DTLSv1_method());
assert(mContext);
int r = SSL_CTX_use_certificate(mContext, mCert);
assert(r == 1);
r = SSL_CTX_use_PrivateKey(mContext, privkey);
assert(r == 1);
SSL_CTX_set_cipher_list(mContext, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
SSL_CTX_set_info_callback(mContext, SSLInfoCallback);
SSL_CTX_set_verify(mContext, SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
SSLVerifyCallback);
// SSL_CTX_set_session_cache_mode(mContext, SSL_SESS_CACHE_OFF);
// SSL_CTX_set_options(mContext, SSL_OP_NO_TICKET);
// Set SRTP profiles
r = SSL_CTX_set_tlsext_use_srtp(mContext, DefaultSrtpProfile);
assert(r == 0);
SSL_CTX_set_verify_depth(mContext, 2);
SSL_CTX_set_read_ahead(mContext, 1);
ELOG_DEBUG("DtlsSocketContext %p created", this);
}
static SSL_METHOD *dtls1_get_method(int ver)
{
if (ver == DTLS1_VERSION)
return(DTLSv1_method());
else
return(NULL);
}
static int _tnet_transport_ssl_init(tnet_transport_t* transport)
{
if(!transport){
TSK_DEBUG_ERROR("Invalid parameter");
return -1;
}
#if HAVE_OPENSSL
{
tnet_socket_type_t type = tnet_transport_get_type(transport);
tsk_bool_t is_tls = (TNET_SOCKET_TYPE_IS_TLS(type) || TNET_SOCKET_TYPE_IS_WSS(type));
tsk_bool_t is_dtls = TNET_SOCKET_TYPE_IS_DTLS(type);
if(is_dtls && !tnet_dtls_is_supported()){
TSK_DEBUG_ERROR("Requesting to create DTLS transport but source code not built with support for this feature");
return -1;
}
if(is_tls && !tnet_tls_is_supported()){
TSK_DEBUG_ERROR("Requesting to create TLS transport but source code not built with support for this feature");
return -1;
}
if((transport->tls.enabled = is_tls)){
if(!transport->tls.ctx_client && !(transport->tls.ctx_client = SSL_CTX_new(SSLv23_client_method()))){
TSK_DEBUG_ERROR("Failed to create SSL client context");
return -2;
}
if(!transport->tls.ctx_server && !(transport->tls.ctx_server = SSL_CTX_new(SSLv23_server_method()))){
TSK_DEBUG_ERROR("Failed to create SSL server context");
return -3;
}
SSL_CTX_set_mode(transport->tls.ctx_client, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(transport->tls.ctx_server, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(transport->tls.ctx_server, SSL_VERIFY_NONE, tsk_null); // to be updated by tnet_transport_tls_set_certs()
SSL_CTX_set_verify(transport->tls.ctx_client, SSL_VERIFY_NONE, tsk_null); // to be updated by tnet_transport_tls_set_certs()
if(SSL_CTX_set_cipher_list(transport->tls.ctx_client, TNET_CIPHER_LIST) <= 0 || SSL_CTX_set_cipher_list(transport->tls.ctx_server, TNET_CIPHER_LIST) <= 0){
TSK_DEBUG_ERROR("SSL_CTX_set_cipher_list failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
return -4;
}
}
#if HAVE_OPENSSL_DTLS
if((transport->dtls.enabled = is_dtls)){
if(!transport->dtls.ctx && !(transport->dtls.ctx = SSL_CTX_new(DTLSv1_method()))){
TSK_DEBUG_ERROR("Failed to create DTLSv1 context");
TSK_OBJECT_SAFE_FREE(transport);
return -5;
}
SSL_CTX_set_read_ahead(transport->dtls.ctx, 1);
// SSL_CTX_set_options(transport->dtls.ctx, SSL_OP_ALL);
// SSL_CTX_set_mode(transport->dtls.ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(transport->dtls.ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, tsk_null); // to be updated by tnet_transport_tls_set_certs()
if(SSL_CTX_set_cipher_list(transport->dtls.ctx, TNET_CIPHER_LIST) <= 0){
TSK_DEBUG_ERROR("SSL_CTX_set_cipher_list failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
return -6;
}
transport->dtls.activated = tsk_true;
}
#endif /* HAVE_OPENSSL_DTLS */
}
#endif /* HAVE_OPENSSL */
return 0;
}
struct dtls_context *
create_dtls_context(const char *common)
{
if (common == NULL)
return NULL;
struct dtls_context *context = (struct dtls_context *)calloc(1, sizeof *context);
if (context == NULL)
return NULL;
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_CTX *ctx = SSL_CTX_new(DTLSv1_method());
if (ctx == NULL)
goto ctx_err;
context->ctx = ctx;
// ALL:NULL:eNULL:aNULL
if (SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)
goto ctx_err;
SSL_CTX_set_read_ahead(ctx, 1); // for DTLS
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_peer_certificate_cb);
EVP_PKEY *key = gen_key();
if (key == NULL)
goto ctx_err;
SSL_CTX_use_PrivateKey(ctx, key);
X509 *cert = gen_cert(key, common, 365);
if (cert == NULL)
goto ctx_err;
SSL_CTX_use_certificate(ctx, cert);
if (SSL_CTX_check_private_key(ctx) != 1)
goto ctx_err;
unsigned int len;
unsigned char buf[BUFFER_SIZE];
X509_digest(cert, EVP_sha256(), buf, &len);
char *p = context->fingerprint;
for (int i = 0; i < len; ++i) {
snprintf(p, 4, "%02X:", buf[i]);
p += 3;
}
*(p - 1) = 0;
if (0) {
ctx_err:
SSL_CTX_free(ctx);
free(context);
context = NULL;
}
return context;
}
__declspec(dllexport) void ILibWrapper_InitializeDTLS()
{
ctx = SSL_CTX_new(DTLSv1_method());
SSL_CTX_use_certificate(ctx, selftlscert.x509);
SSL_CTX_use_PrivateKey(ctx,selftlscert.pkey);
int l = 32;
X509_digest(selftlscert.x509, EVP_get_digestbyname("sha256"), (unsigned char*)tlsServerCertThumbprint, (unsigned int*)&l);
}
/*
* DTLS methods
*/
static const SSL_METHOD *dtls1_get_method(int ver)
{
if (ver == DTLS_ANY_VERSION)
return DTLS_method();
else if (ver == DTLS1_VERSION)
return DTLSv1_method();
else if (ver == DTLS1_2_VERSION)
return DTLSv1_2_method();
else
return NULL;
}
VALUE engine_init_client(VALUE klass) {
VALUE obj;
ms_conn* conn = engine_alloc(klass, &obj);
conn->ctx = SSL_CTX_new(DTLSv1_method());
conn->ssl = SSL_new(conn->ctx);
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
SSL_set_bio(conn->ssl, conn->read, conn->write);
SSL_set_connect_state(conn->ssl);
return obj;
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
#ifndef OPENSSL_NO_SSL3_METHOD
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
#endif
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
#ifdef TLS1_1_VERSION
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
#endif
#ifdef TLS1_2_VERSION
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
#endif
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
static int openssl_ssl_ctx_new(lua_State*L)
{
const char* meth = luaL_optstring(L, 1, "TLSv1");
#if OPENSSL_VERSION_NUMBER >= 0x01000000L
const
#endif
SSL_METHOD* method = NULL;
const char* ciphers;
SSL_CTX* ctx;
if (strcmp(meth, "SSLv3") == 0)
method = SSLv3_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv3_server") == 0)
method = SSLv3_server_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv3_client") == 0)
method = SSLv3_client_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv23") == 0)
method = SSLv23_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "SSLv23_server") == 0)
method = SSLv23_server_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "SSLv23_client") == 0)
method = SSLv23_client_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "TLSv1_1") == 0)
method = TLSv1_1_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_1_server") == 0)
method = TLSv1_1_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_1_client") == 0)
method = TLSv1_1_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2") == 0)
method = TLSv1_2_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2_server") == 0)
method = TLSv1_2_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2_client") == 0)
method = TLSv1_2_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1") == 0)
method = TLSv1_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_server") == 0)
method = TLSv1_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_client") == 0)
method = TLSv1_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "DTLSv1") == 0)
method = DTLSv1_method(); /* DTLSv1.0 */
else if (strcmp(meth, "DTLSv1_server") == 0)
method = DTLSv1_server_method(); /* DTLSv1.0 */
else if (strcmp(meth, "DTLSv1_client") == 0)
method = DTLSv1_client_method(); /* DTLSv1.0 */
#ifndef OPENSSL_NO_SSL2
#if OPENSSL_VERSION_NUMBER < 0x10100000L
else if (strcmp(meth, "SSLv2") == 0)
method = SSLv2_method(); /* SSLv2 */
else if (strcmp(meth, "SSLv2_server") == 0)
method = SSLv2_server_method(); /* SSLv2 */
else if (strcmp(meth, "SSLv2_client") == 0)
method = SSLv2_client_method();
#endif
#ifdef LOAD_SSL_CUSTOM
LOAD_SSL_CUSTOM
#endif
#endif
else
luaL_error(L, "#1:%s not supported\n"
"Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
"default is SSLv3",
meth);
ciphers = luaL_optstring(L, 2, SSL_DEFAULT_CIPHER_LIST);
ctx = SSL_CTX_new(method);
if (!ctx)
luaL_error(L, "#1:%s not supported\n"
"Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
"default is SSLv3",
meth);
openssl_newvalue(L, ctx);
SSL_CTX_set_cipher_list(ctx, ciphers);
PUSH_OBJECT(ctx, "openssl.ssl_ctx");
SSL_CTX_set_app_data(ctx, L);
return 1;
}
int krx_ssl_init(krx_ssl* k) {
int r = 0;
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
/* create a new context using DTLS */
k->ctx = SSL_CTX_new(DTLSv1_method());
if(!k->ctx) {
printf("Error: cannot create SSL_CTX.\n");
ERR_print_errors_fp(stderr);
return -1;
}
/* set our supported ciphers */
//r = SSL_CTX_set_cipher_list(k->ctx, "DHE-RSA-AES128-GCM-SHA:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256");
//r = SSL_CTX_set_cipher_list(k->ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
//r = SSL_CTX_set_cipher_list(k->ctx, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
r = SSL_CTX_set_cipher_list(k->ctx, "RSA:kDHE");
if(r <= 0) {
printf("Error: cannot set the cipher list.\n");
ERR_print_errors_fp(stderr);
return -2;
}
/* the client doesn't have to send it's certificate */
SSL_CTX_set_verify(k->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, krx_ssl_verify);
//SSL_CTX_set_session_cache_mode(k->ctx, SSL_SESS_CACHE_OFF);
//SSL_CTX_set_verify_depth(k->ctx, 4);
SSL_CTX_set_mode(k->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY);
/* enable srtp */
r = SSL_CTX_set_tlsext_use_srtp(k->ctx, "SRTP_AES128_CM_SHA1_80");
if(r != 0) {
printf("Error: cannot setup srtp.\n");
ERR_print_errors_fp(stderr);
return -3;
}
/* load certificate and key */
r = SSL_CTX_use_certificate_file(k->ctx, "./server-cert.pem", SSL_FILETYPE_PEM);
if(r <= 0) {
printf("Error: cannot load certificate file.\n");
ERR_print_errors_fp(stderr);
return -4;
}
r = SSL_CTX_use_PrivateKey_file(k->ctx, "./server-key.pem", SSL_FILETYPE_PEM);
if(r <= 0) {
printf("Error: cannot load private key file.\n");
ERR_print_errors_fp(stderr);
return -5;
}
r = SSL_CTX_check_private_key(k->ctx);
if(r == 0) {
printf("Error: checking the private key failed.\n");
return -6;
}
k->conn_initialized = false;
k->in_pos = 0;
k->in_len = 0;
k->in_buf = NULL;
k->out_pos = 0;
k->out_len = 0;
k->out_buf = NULL;
return 0;
}
void DtlsTransport::CreateSSL_CTX()
{
MS_TRACE();
std::string ssl_srtp_profiles;
EC_KEY* ecdh = nullptr;
int ret;
/* Set the global DTLS context. */
// - Both DTLS 1.0 and 1.2 (requires OpenSSL >= 1.1.0).
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
DtlsTransport::sslCtx = SSL_CTX_new(DTLS_method());
// - Just DTLS 1.0 (requires OpenSSL >= 1.0.1).
#elif (OPENSSL_VERSION_NUMBER >= 0x10001000L)
DtlsTransport::sslCtx = SSL_CTX_new(DTLSv1_method());
#else
#error "too old OpenSSL version"
#endif
if (!DtlsTransport::sslCtx)
{
LOG_OPENSSL_ERROR("SSL_CTX_new() failed");
goto error;
}
ret = SSL_CTX_use_certificate(DtlsTransport::sslCtx, DtlsTransport::certificate);
if (ret == 0)
{
LOG_OPENSSL_ERROR("SSL_CTX_use_certificate() failed");
goto error;
}
ret = SSL_CTX_use_PrivateKey(DtlsTransport::sslCtx, DtlsTransport::privateKey);
if (ret == 0)
{
LOG_OPENSSL_ERROR("SSL_CTX_use_PrivateKey() failed");
goto error;
}
ret = SSL_CTX_check_private_key(DtlsTransport::sslCtx);
if (ret == 0)
{
LOG_OPENSSL_ERROR("SSL_CTX_check_private_key() failed");
goto error;
}
// Set options.
SSL_CTX_set_options(DtlsTransport::sslCtx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET | SSL_OP_SINGLE_ECDH_USE);
// Don't use sessions cache.
SSL_CTX_set_session_cache_mode(DtlsTransport::sslCtx, SSL_SESS_CACHE_OFF);
// Read always as much into the buffer as possible.
// NOTE: This is the default for DTLS, but a bug in non latest OpenSSL
// versions makes this call required.
SSL_CTX_set_read_ahead(DtlsTransport::sslCtx, 1);
SSL_CTX_set_verify_depth(DtlsTransport::sslCtx, 4);
// Require certificate from peer.
SSL_CTX_set_verify(DtlsTransport::sslCtx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, on_ssl_certificate_verify);
// Set SSL info callback.
SSL_CTX_set_info_callback(DtlsTransport::sslCtx, on_ssl_info);
// Set ciphers.
ret = SSL_CTX_set_cipher_list(DtlsTransport::sslCtx, "ALL:!ADH:!LOW:!EXP:!MD5:!aNULL:!eNULL:@STRENGTH");
if (ret == 0)
{
LOG_OPENSSL_ERROR("SSL_CTX_set_cipher_list() failed");
goto error;
}
// Enable ECDH ciphers.
// DOC: http://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman_parameters
// NOTE: https://code.google.com/p/chromium/issues/detail?id=406458
// For OpenSSL >= 1.0.2:
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
SSL_CTX_set_ecdh_auto(DtlsTransport::sslCtx, 1);
#else
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (!ecdh)
{
LOG_OPENSSL_ERROR("EC_KEY_new_by_curve_name() failed");
goto error;
}
if (SSL_CTX_set_tmp_ecdh(DtlsTransport::sslCtx, ecdh) != 1)
{
LOG_OPENSSL_ERROR("SSL_CTX_set_tmp_ecdh() failed");
goto error;
}
EC_KEY_free(ecdh);
ecdh = nullptr;
#endif
// Set the "use_srtp" DTLS extension.
for (auto it = DtlsTransport::srtpProfiles.begin(); it != DtlsTransport::srtpProfiles.end(); ++it)
{
if (it != DtlsTransport::srtpProfiles.begin())
ssl_srtp_profiles += ":";
SrtpProfileMapEntry* profile_entry = &(*it);
ssl_srtp_profiles += profile_entry->name;
}
MS_DEBUG("setting SRTP profiles for DTLS: %s", ssl_srtp_profiles.c_str());
// NOTE: This function returns 0 on success.
ret = SSL_CTX_set_tlsext_use_srtp(DtlsTransport::sslCtx, ssl_srtp_profiles.c_str());
if (ret != 0)
{
MS_ERROR("SSL_CTX_set_tlsext_use_srtp() failed when entering '%s'", ssl_srtp_profiles.c_str());
LOG_OPENSSL_ERROR("SSL_CTX_set_tlsext_use_srtp() failed");
goto error;
}
return;
error:
if (DtlsTransport::sslCtx)
{
SSL_CTX_free(DtlsTransport::sslCtx);
DtlsTransport::sslCtx = nullptr;
}
if (ecdh)
EC_KEY_free(ecdh);
MS_THROW_ERROR("SSL context creation failed");
}
int krx_ssl_ctx_init(krx* k, const char* keyname) {
int r = 0;
/* create a new context using DTLS */
k->ctx = SSL_CTX_new(DTLSv1_method());
if(!k->ctx) {
printf("Error: cannot create SSL_CTX.\n");
ERR_print_errors_fp(stderr);
return -1;
}
/* set our supported ciphers */
r = SSL_CTX_set_cipher_list(k->ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
if(r != 1) {
printf("Error: cannot set the cipher list.\n");
ERR_print_errors_fp(stderr);
return -2;
}
/* the client doesn't have to send it's certificate */
SSL_CTX_set_verify(k->ctx, SSL_VERIFY_PEER, krx_ssl_verify_peer);
/* enable srtp */
r = SSL_CTX_set_tlsext_use_srtp(k->ctx, "SRTP_AES128_CM_SHA1_80");
if(r != 0) {
printf("Error: cannot setup srtp.\n");
ERR_print_errors_fp(stderr);
return -3;
}
/* load key and certificate */
char certfile[1024];
char keyfile[1024];
sprintf(certfile, "./%s-cert.pem", keyname);
sprintf(keyfile, "./%s-key.pem", keyname);
/* certificate file; contains also the public key */
r = SSL_CTX_use_certificate_file(k->ctx, certfile, SSL_FILETYPE_PEM);
if(r != 1) {
printf("Error: cannot load certificate file.\n");
ERR_print_errors_fp(stderr);
return -4;
}
/* load private key */
r = SSL_CTX_use_PrivateKey_file(k->ctx, keyfile, SSL_FILETYPE_PEM);
if(r != 1) {
printf("Error: cannot load private key file.\n");
ERR_print_errors_fp(stderr);
return -5;
}
/* check if the private key is valid */
r = SSL_CTX_check_private_key(k->ctx);
if(r != 1) {
printf("Error: checking the private key failed. \n");
ERR_print_errors_fp(stderr);
return -6;
}
sprintf(k->name, "+ %s", keyname);
return 0;
}
/* DTLS-SRTP initialization */
gint janus_dtls_srtp_init(gchar *server_pem, gchar *server_key) {
ssl_ctx = SSL_CTX_new(DTLSv1_method());
if(!ssl_ctx) {
JANUS_LOG(LOG_FATAL, "Ops, error creating DTLS context?\n");
return -1;
}
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, janus_dtls_verify_callback);
SSL_CTX_set_tlsext_use_srtp(ssl_ctx, "SRTP_AES128_CM_SHA1_80"); /* FIXME Should we support something else as well? */
if(!server_pem || !SSL_CTX_use_certificate_file(ssl_ctx, server_pem, SSL_FILETYPE_PEM)) {
JANUS_LOG(LOG_FATAL, "Certificate error, does it exist?\n");
JANUS_LOG(LOG_FATAL, " %s\n", server_pem);
return -2;
}
if(!server_key || !SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key, SSL_FILETYPE_PEM)) {
JANUS_LOG(LOG_FATAL, "Certificate key error, does it exist?\n");
JANUS_LOG(LOG_FATAL, " %s\n", server_key);
return -3;
}
if(!SSL_CTX_check_private_key(ssl_ctx)) {
JANUS_LOG(LOG_FATAL, "Certificate check error...\n");
return -4;
}
SSL_CTX_set_read_ahead(ssl_ctx,1);
BIO *certbio = BIO_new(BIO_s_file());
if(certbio == NULL) {
JANUS_LOG(LOG_FATAL, "Certificate BIO error...\n");
return -5;
}
if(BIO_read_filename(certbio, server_pem) == 0) {
JANUS_LOG(LOG_FATAL, "Error reading certificate...\n");
BIO_free_all(certbio);
return -6;
}
X509 *cert = PEM_read_bio_X509(certbio, NULL, 0, NULL);
if(cert == NULL) {
JANUS_LOG(LOG_FATAL, "Error reading certificate...\n");
BIO_free_all(certbio);
return -7;
}
unsigned int size;
unsigned char fingerprint[EVP_MAX_MD_SIZE];
if(X509_digest(cert, EVP_sha256(), (unsigned char *)fingerprint, &size) == 0) {
JANUS_LOG(LOG_FATAL, "Error converting X509 structure...\n");
X509_free(cert);
BIO_free_all(certbio);
return -7;
}
char *lfp = (char *)&local_fingerprint;
unsigned int i = 0;
for(i = 0; i < size; i++) {
g_snprintf(lfp, 4, "%.2X:", fingerprint[i]);
lfp += 3;
}
*(lfp-1) = 0;
JANUS_LOG(LOG_INFO, "Fingerprint of our certificate: %s\n", local_fingerprint);
X509_free(cert);
BIO_free_all(certbio);
SSL_CTX_set_cipher_list(ssl_ctx, DTLS_CIPHERS);
/* Initialize libsrtp */
if(srtp_init() != err_status_ok) {
JANUS_LOG(LOG_FATAL, "Ops, error setting up libsrtp?\n");
return 5;
}
return 0;
}
/**
* Allocate a new TLS context
*
* @param tlsp Pointer to allocated TLS context
* @param method TLS method
* @param keyfile Optional private key file
* @param pwd Optional password
*
* @return 0 if success, otherwise errorcode
*/
int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile,
const char *pwd)
{
struct tls *tls;
int r, err;
if (!tlsp)
return EINVAL;
tls = mem_zalloc(sizeof(*tls), destructor);
if (!tls)
return ENOMEM;
if (!tlsg.up) {
#ifdef SIGPIPE
/* Set up a SIGPIPE handler */
(void)signal(SIGPIPE, sigpipe_handle);
#endif
SSL_library_init();
tlsg.up = true;
}
if (tlsg.tlsc++ == 0) {
DEBUG_INFO("error strings loaded\n");
SSL_load_error_strings();
}
switch (method) {
case TLS_METHOD_SSLV23:
tls->ctx = SSL_CTX_new(SSLv23_method());
break;
#ifdef USE_OPENSSL_DTLS
case TLS_METHOD_DTLSV1:
tls->ctx = SSL_CTX_new(DTLSv1_method());
break;
#endif
default:
DEBUG_WARNING("tls method %d not supported\n", method);
err = ENOSYS;
goto out;
}
if (!tls->ctx) {
err = ENOMEM;
goto out;
}
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
SSL_CTX_set_verify_depth(tls->ctx, 1);
#endif
if (method == TLS_METHOD_DTLSV1) {
SSL_CTX_set_read_ahead(tls->ctx, 1);
}
/* Load our keys and certificates */
if (keyfile) {
if (pwd) {
err = str_dup(&tls->pass, pwd);
if (err)
goto out;
SSL_CTX_set_default_passwd_cb(tls->ctx, password_cb);
SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, tls);
}
r = SSL_CTX_use_certificate_chain_file(tls->ctx, keyfile);
if (r <= 0) {
DEBUG_WARNING("Can't read certificate file: %s (%d)\n",
keyfile, r);
err = EINVAL;
goto out;
}
r = SSL_CTX_use_PrivateKey_file(tls->ctx, keyfile,
SSL_FILETYPE_PEM);
if (r <= 0) {
DEBUG_WARNING("Can't read key file: %s (%d)\n",
keyfile, r);
err = EINVAL;
goto out;
}
}
err = 0;
out:
if (err)
mem_deref(tls);
else
*tlsp = tls;
return err;
}
const SSL_METHOD *DTLSv1_server_method(void) {
return DTLSv1_method();
}
int dtls_ctx_init(STREAM_DTLS_CTXT_T *pCtxt, const DTLS_CFG_T *pDtlsCfg, int dtls_srtp) {
int rc = 0;
const SSL_METHOD *method = NULL;
const char *srtpProfiles = NULL;
//const char *cipherList = NULL;
if(!pCtxt || !pDtlsCfg) {
return -1;
} else if(!pDtlsCfg->certpath) {
LOG(X_ERROR("DTLS certificate path not set"));
return -1;
} else if(!pDtlsCfg->privkeypath) {
LOG(X_ERROR("DTLS private key path not set"));
return -1;
}
//pthread_mutex_lock(&g_dtls_ctx_mtx);
pthread_mutex_lock(&g_ssl_mtx);
if((rc = sslutil_init()) >= 0) {
method = DTLSv1_method();
//method = DTLSv1_client_method();
//method = DTLSv1_servert_method();
}
if(rc >= 0 && (!method || !(pCtxt->pctx = SSL_CTX_new(method)))) {
LOG(X_ERROR("DTLS SSL_CTX_new failed"));
rc = -1;
}
//pthread_mutex_unlock(&g_dtls_ctx_mtx);
pthread_mutex_unlock(&g_ssl_mtx);
if(rc >= 0) {
SSL_CTX_set_mode(pCtxt->pctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(pCtxt->pctx, SSL_VERIFY_NONE, NULL);
//cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
//cipherList = "ALL";
if(SSL_CTX_set_cipher_list(pCtxt->pctx, DTLS_CIPHER_LIST) <= 0) {
LOG(X_ERROR("DTLS SSL_CTX_set_cipher_list '%s' failed"), ERR_reason_error_string(ERR_get_error()));
rc = -1;
}
}
pCtxt->dtls_srtp = dtls_srtp;
if(rc >= 0 && dtls_srtp) {
srtpProfiles = DTLS_SRTP_PROFILE;
if(SSL_CTX_set_tlsext_use_srtp(pCtxt->pctx, srtpProfiles) != 0) {
LOG(X_ERROR("DTLS SSL_CTX_set_tlsext_use_srtp failed: %s"), ERR_reason_error_string(ERR_get_error()));
rc = -1;
}
}
if(rc >= 0) {
SSL_CTX_set_verify_depth(pCtxt->pctx, 4);
}
if(rc >= 0 && SSL_CTX_use_certificate_file(pCtxt->pctx, pDtlsCfg->certpath, SSL_FILETYPE_PEM) != 1) {
LOG(X_ERROR("DTLS SSL_CTX_use_certificate_file '%s' failed: %s"),
pDtlsCfg->certpath, ERR_reason_error_string(ERR_get_error()));
rc = -1;
}
if(rc >= 0 && SSL_CTX_use_PrivateKey_file(pCtxt->pctx, pDtlsCfg->privkeypath, SSL_FILETYPE_PEM) != 1) {
LOG(X_ERROR("DTLS SSL_CTX_use_PrivateKey_file '%s' failed: %s"),
pDtlsCfg->privkeypath, ERR_reason_error_string(ERR_get_error()));
rc = -1;
}
if(rc >= 0 && SSL_CTX_check_private_key(pCtxt->pctx) != 1) {
LOG(X_ERROR("DTLS SSL_CTX_check_private_key failed: %s"), ERR_reason_error_string(ERR_get_error()));
rc = -1;
}
if(rc < 0) {
dtls_ctx_close(pCtxt);
} else {
pthread_mutex_init(&pCtxt->mtx, NULL);
pCtxt->pCfg = pDtlsCfg;
pCtxt->pDtlsShared = NULL;
pCtxt->haveRcvdData = 0;
pCtxt->active = 1;
LOG(X_DEBUG("Initialized DTLS%s %scontext cert-file: %s, key-file: %s"),
(pCtxt->dtls_srtp ? "-SRTP" : ""),
(pCtxt->dtls_srtp ? (pDtlsCfg->dtls_handshake_server ? "server key " : "client key ") : ""),
pDtlsCfg->certpath ? pDtlsCfg->certpath : "",
pDtlsCfg->privkeypath ? pDtlsCfg->privkeypath : "");
}
return rc;
}
/* DTLS-SRTP initialization */
gint janus_dtls_srtp_init(const char* server_pem, const char* server_key) {
/* FIXME First of all make OpenSSL thread safe (see note above on issue #316) */
janus_dtls_locks = g_malloc0(sizeof(*janus_dtls_locks) * CRYPTO_num_locks());
int l=0;
for(l = 0; l < CRYPTO_num_locks(); l++) {
janus_mutex_init(&janus_dtls_locks[l]);
}
CRYPTO_THREADID_set_callback(janus_dtls_cb_openssl_threadid);
CRYPTO_set_locking_callback(janus_dtls_cb_openssl_lock);
/* Go on and create the DTLS context */
ssl_ctx = SSL_CTX_new(DTLSv1_method());
if(!ssl_ctx) {
JANUS_LOG(LOG_FATAL, "Ops, error creating DTLS context?\n");
return -1;
}
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, janus_dtls_verify_callback);
SSL_CTX_set_tlsext_use_srtp(ssl_ctx, "SRTP_AES128_CM_SHA1_80"); /* FIXME Should we support something else as well? */
if (!server_pem && !server_key) {
JANUS_LOG(LOG_WARN, "No cert/key specified, autogenerating some...\n");
if (janus_dtls_generate_keys(&ssl_cert, &ssl_key) != 0) {
JANUS_LOG(LOG_FATAL, "Error generating DTLS key/certificate\n");
return -2;
}
} else if (!server_pem || !server_key) {
JANUS_LOG(LOG_FATAL, "DTLS certificate and key must be specified\n");
return -2;
} else if (janus_dtls_load_keys(server_pem, server_key, &ssl_cert, &ssl_key) != 0) {
return -3;
}
if(!SSL_CTX_use_certificate(ssl_ctx, ssl_cert)) {
JANUS_LOG(LOG_FATAL, "Certificate error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -4;
}
if(!SSL_CTX_use_PrivateKey(ssl_ctx, ssl_key)) {
JANUS_LOG(LOG_FATAL, "Certificate key error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -5;
}
if(!SSL_CTX_check_private_key(ssl_ctx)) {
JANUS_LOG(LOG_FATAL, "Certificate check error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -6;
}
SSL_CTX_set_read_ahead(ssl_ctx,1);
unsigned int size;
unsigned char fingerprint[EVP_MAX_MD_SIZE];
if(X509_digest(ssl_cert, EVP_sha256(), (unsigned char *)fingerprint, &size) == 0) {
JANUS_LOG(LOG_FATAL, "Error converting X509 structure (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -7;
}
char *lfp = (char *)&local_fingerprint;
unsigned int i = 0;
for(i = 0; i < size; i++) {
g_snprintf(lfp, 4, "%.2X:", fingerprint[i]);
lfp += 3;
}
*(lfp-1) = 0;
JANUS_LOG(LOG_INFO, "Fingerprint of our certificate: %s\n", local_fingerprint);
SSL_CTX_set_cipher_list(ssl_ctx, DTLS_CIPHERS);
/* Initialize libsrtp */
if(srtp_init() != err_status_ok) {
JANUS_LOG(LOG_FATAL, "Ops, error setting up libsrtp?\n");
return 5;
}
return 0;
}
static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
SSL_CTX *ctx = NULL;
unsigned long error;
switch (type) {
#ifdef RADPROT_TLS
case RAD_TLS:
ctx = SSL_CTX_new(TLSv1_method());
break;
#endif
#ifdef RADPROT_DTLS
case RAD_DTLS:
ctx = SSL_CTX_new(DTLSv1_method());
SSL_CTX_set_read_ahead(ctx, 1);
break;
#endif
}
if (!ctx) {
debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
return NULL;
}
#ifdef DEBUG
SSL_CTX_set_info_callback(ctx, ssl_info_callback);
#endif
if (conf->certkeypwd) {
SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
}
if (conf->certfile || conf->certkeyfile) {
if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) ||
!SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) ||
!SSL_CTX_check_private_key(ctx)) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS (certfile issues) in TLS context %s", conf->name);
SSL_CTX_free(ctx);
return NULL;
}
}
if (conf->policyoids) {
if (!conf->vpm) {
conf->vpm = createverifyparams(conf->policyoids);
if (!conf->vpm) {
debug(DBG_ERR, "tlscreatectx: Failed to add policyOIDs in TLS context %s", conf->name);
SSL_CTX_free(ctx);
return NULL;
}
}
}
if (conf->cacertfile != NULL || conf->cacertpath != NULL)
if (!tlsaddcacrl(ctx, conf)) {
if (conf->vpm) {
X509_VERIFY_PARAM_free(conf->vpm);
conf->vpm = NULL;
}
SSL_CTX_free(ctx);
return NULL;
}
debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name);
return ctx;
}
const SSL_METHOD *DTLSv1_client_method(void) {
return DTLSv1_method();
}
#ifndef OPENSSL_NO_DTLS
if (dtls1)
meth = DTLSv1_method();
else if (dtls12)
meth = DTLSv1_2_method();
else
#endif
#ifndef OPENSSL_NO_TLS1
if (tls1)
meth = TLSv1_method();
else
#endif
meth = SSLv23_method();
/* DTLS-SRTP initialization */
gint janus_dtls_srtp_init(const char *server_pem, const char *server_key, const char *password) {
const char *crypto_lib = NULL;
#if JANUS_USE_OPENSSL_PRE_1_1_API
#if defined(LIBRESSL_VERSION_NUMBER)
crypto_lib = "LibreSSL";
#else
crypto_lib = "OpenSSL pre-1.1.0";
#endif
/* First of all make OpenSSL thread safe (see note above on issue #316) */
janus_dtls_locks = g_malloc0(sizeof(*janus_dtls_locks) * CRYPTO_num_locks());
int l=0;
for(l = 0; l < CRYPTO_num_locks(); l++) {
janus_mutex_init(&janus_dtls_locks[l]);
}
CRYPTO_THREADID_set_callback(janus_dtls_cb_openssl_threadid);
CRYPTO_set_locking_callback(janus_dtls_cb_openssl_lock);
#else
crypto_lib = "OpenSSL >= 1.1.0";
#endif
#ifdef HAVE_BORINGSSL
crypto_lib = "BoringSSL";
#endif
JANUS_LOG(LOG_INFO, "Crypto: %s\n", crypto_lib);
#ifndef HAVE_SRTP_AESGCM
JANUS_LOG(LOG_WARN, "The libsrtp installation does not support AES-GCM profiles\n");
#endif
/* Go on and create the DTLS context */
#if JANUS_USE_OPENSSL_PRE_1_1_API
ssl_ctx = SSL_CTX_new(DTLSv1_method());
#else
ssl_ctx = SSL_CTX_new(DTLS_method());
#endif
if(!ssl_ctx) {
JANUS_LOG(LOG_FATAL, "Ops, error creating DTLS context?\n");
return -1;
}
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, janus_dtls_verify_callback);
SSL_CTX_set_tlsext_use_srtp(ssl_ctx,
#ifdef HAVE_SRTP_AESGCM
"SRTP_AEAD_AES_256_GCM:SRTP_AEAD_AES_128_GCM:SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32");
#else
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32");
#endif
if(!server_pem && !server_key) {
JANUS_LOG(LOG_WARN, "No cert/key specified, autogenerating some...\n");
if(janus_dtls_generate_keys(&ssl_cert, &ssl_key) != 0) {
JANUS_LOG(LOG_FATAL, "Error generating DTLS key/certificate\n");
return -2;
}
} else if(!server_pem || !server_key) {
JANUS_LOG(LOG_FATAL, "DTLS certificate and key must be specified\n");
return -2;
} else if(janus_dtls_load_keys(server_pem, server_key, password, &ssl_cert, &ssl_key) != 0) {
return -3;
}
if(!SSL_CTX_use_certificate(ssl_ctx, ssl_cert)) {
JANUS_LOG(LOG_FATAL, "Certificate error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -4;
}
if(!SSL_CTX_use_PrivateKey(ssl_ctx, ssl_key)) {
JANUS_LOG(LOG_FATAL, "Certificate key error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -5;
}
if(!SSL_CTX_check_private_key(ssl_ctx)) {
JANUS_LOG(LOG_FATAL, "Certificate check error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -6;
}
SSL_CTX_set_read_ahead(ssl_ctx,1);
unsigned int size;
unsigned char fingerprint[EVP_MAX_MD_SIZE];
if(X509_digest(ssl_cert, EVP_sha256(), (unsigned char *)fingerprint, &size) == 0) {
JANUS_LOG(LOG_FATAL, "Error converting X509 structure (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -7;
}
char *lfp = (char *)&local_fingerprint;
unsigned int i = 0;
for(i = 0; i < size; i++) {
g_snprintf(lfp, 4, "%.2X:", fingerprint[i]);
lfp += 3;
}
*(lfp-1) = 0;
JANUS_LOG(LOG_INFO, "Fingerprint of our certificate: %s\n", local_fingerprint);
SSL_CTX_set_cipher_list(ssl_ctx, DTLS_CIPHERS);
if(janus_dtls_bio_filter_init() < 0) {
JANUS_LOG(LOG_FATAL, "Error initializing BIO filter\n");
return -8;
}
/* Initialize libsrtp */
if(srtp_init() != srtp_err_status_ok) {
JANUS_LOG(LOG_FATAL, "Ops, error setting up libsrtp?\n");
return 5;
}
return 0;
}
