Esempio n. 1
0
static int test_v3(void)
{
    STACK_OF(SSL_CIPHER) *sk = NULL, *scsv = NULL;
    /* ECDHE-ECDSA-AES256GCM, ECDHE-ECDSA-CHACHAPOLY, DHE-RSA-AES256GCM,
     * EMPTY-RENEGOTIATION-INFO-SCSV, FALLBACK-SCSV */
    const unsigned char bytes[] = {0x00, 0x2f, 0x00, 0x33, 0x00, 0x9f, 0x00, 0xff,
                                   0x56, 0x00};
    int ret = 0;

    if (!SSL_bytes_to_cipher_list(s, bytes, sizeof(bytes), 0, &sk, &scsv)
            || !TEST_ptr(sk)
            || !TEST_int_eq(sk_SSL_CIPHER_num(sk), 3)
            || !TEST_ptr(scsv)
            || !TEST_int_eq(sk_SSL_CIPHER_num(scsv), 2)
            || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 0)),
                            "AES128-SHA")
            || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 1)),
                            "DHE-RSA-AES128-SHA")
            || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 2)),
                            "DHE-RSA-AES256-GCM-SHA384")
            || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(scsv, 0)),
                            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV")
            || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(scsv, 1)),
                            "TLS_FALLBACK_SCSV"))
        goto err;

    ret = 1;
err:
    sk_SSL_CIPHER_free(sk);
    sk_SSL_CIPHER_free(scsv);
    return ret;
}
Esempio n. 2
0
static int test_v2(void)
{
    STACK_OF(SSL_CIPHER) *sk, *scsv;
    /* ECDHE-ECDSA-AES256GCM, SSL2_RC4_1238_WITH_MD5,
     * ECDHE-ECDSA-CHACHA20-POLY1305 */
    const unsigned char bytes[] = {0x00, 0x00, 0x35, 0x01, 0x00, 0x80,
                                   0x00, 0x00, 0x33};
    int ret = 0;

    if (!TEST_true(SSL_bytes_to_cipher_list(s, bytes, sizeof(bytes), 1,
                                            &sk, &scsv))
            || !TEST_ptr(sk)
            || !TEST_int_eq(sk_SSL_CIPHER_num(sk), 2)
            || !TEST_ptr(scsv)
            || !TEST_int_eq(sk_SSL_CIPHER_num(scsv), 0))
        goto err;
    if (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 0)),
               "AES256-SHA") != 0 ||
        strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 1)),
               "DHE-RSA-AES128-SHA") != 0)
        goto err;

    ret = 1;

err:
    sk_SSL_CIPHER_free(sk);
    sk_SSL_CIPHER_free(scsv);
    return ret;
}
Esempio n. 3
0
static void print_ciphersuite_data(BIO *io, SSL *ssl, int js)
{
	SSL_SESSION* session = SSL_get_session(ssl);
	long protocol = SSL_version(ssl);
	const char *protocol_name = get_protocol_name(protocol);

	const char *eol = js ? "\\n\\\n" : "\n";
	if(BIO_printf(io, "Version: 0x%lx %s%s", protocol, protocol_name, eol) <= 0)
		err_exit("Write error");

	if(BIO_printf(io, "Current cipher: %s%s", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)), eol) <= 0)
		err_exit("Write error");

	STACK_OF(SSL_CIPHER) *ciphers = session->ciphers;
	SSL_CIPHER *c;
	int n = sk_SSL_CIPHER_num(ciphers);
	if(BIO_printf(io, "client sent %d ciphers%s", n, eol) <= 0)
		err_exit("Write error");

	int i;
	for (i = 0; i < n; i++)
	{
		c = sk_SSL_CIPHER_value(ciphers, i);
		if(BIO_printf(io, "client [%2d of %2d]: %s%s", i, n, SSL_CIPHER_get_name(c), eol) <= 0)
			err_exit("Write error");
	}
}
Esempio n. 4
0
/** Return true iff the cipher list suggested by the client for <b>ssl</b> is
 * a list that indicates that the client knows how to do the v2 TLS connection
 * handshake. */
static int
tor_tls_client_is_using_v2_ciphers(const SSL *ssl, const char *address)
{
  int i;
  SSL_SESSION *session;
  /* If we reached this point, we just got a client hello.  See if there is
   * a cipher list. */
  if (!(session = SSL_get_session((SSL *)ssl))) {
    log_warn(LD_NET, "No session on TLS?");
    return 0;
  }
  if (!session->ciphers) {
    log_warn(LD_NET, "No ciphers on session");
    return 0;
  }
  /* Now we need to see if there are any ciphers whose presence means we're
   * dealing with an updated Tor. */
  for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) {
    SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i);
    const char *ciphername = SSL_CIPHER_get_name(cipher);
    if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
        strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
        strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
        strcmp(ciphername, "(NONE)")) {
      /* XXXX should be ld_debug */
      log_info(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername);
      // return 1;
      goto dump_list;
    }
  }
  return 0;
 dump_list:
  {
    smartlist_t *elts = smartlist_create();
    char *s;
    for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) {
      SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i);
      const char *ciphername = SSL_CIPHER_get_name(cipher);
      smartlist_add(elts, (char*)ciphername);
    }
    s = smartlist_join_strings(elts, ":", 0, NULL);
    log_info(LD_NET, "Got a non-version-1 cipher list from %s.  It is: '%s'",
             address, s);
    tor_free(s);
    smartlist_free(elts);
  }
  return 1;
}
Esempio n. 5
0
int tlsops_cipher(struct sip_msg *msg, pv_param_t *param,
		pv_value_t *res)
{
	str cipher;
	static char buf[1024];

	struct tcp_connection* c;
	SSL* ssl;

	c = get_cur_connection(msg);
	if (!c) {
		LM_INFO("TLS connection not found in select_cipher\n");
		goto err;
	}
	ssl = get_ssl(c);
	if (!ssl) goto err;

	cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl));
	cipher.len = cipher.s ? strlen(cipher.s) : 0;
	if (cipher.len >= 1024) {
		LM_ERR("cipher name too long\n");
		goto err;
	}
	memcpy(buf, cipher.s, cipher.len);
	res->rs.s = buf;
	res->rs.len = cipher.len;
	res->flags = PV_VAL_STR;
	tcpconn_put(c);

	return 0;
err:
	if (c) tcpconn_put(c);
	return pv_get_null(msg, param, res);
}
Esempio n. 6
0
static int get_cipher(str* res, sip_msg_t* msg) 
{
	str cipher;
	static char buf[1024];

	struct tcp_connection* c;
	SSL* ssl;

	c = get_cur_connection(msg);
	if (!c) {
		INFO("TLS connection not found in select_cipher\n");
		goto err;
	}
	ssl = get_ssl(c);
	if (!ssl) goto err;

	cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl));
	cipher.len = cipher.s ? strlen(cipher.s) : 0;
	if (cipher.len >= 1024) {
		ERR("Cipher name too long\n");
		goto err;
	}
	memcpy(buf, cipher.s, cipher.len);
	res->s = buf;
	res->len = cipher.len;
	tcpconn_put(c);
	return 0;

 err:
	if (c) tcpconn_put(c);
	return -1;
}
Esempio n. 7
0
static std::unordered_map<uint16_t, std::string> getOpenSSLCipherNames() {
  std::unordered_map<uint16_t, std::string> ret;
  SSL_CTX* ctx = nullptr;
  SSL* ssl = nullptr;

  const SSL_METHOD* meth = SSLv23_server_method();
  OpenSSL_add_ssl_algorithms();

  if ((ctx = SSL_CTX_new(meth)) == nullptr) {
    return ret;
  }
  SCOPE_EXIT {
    SSL_CTX_free(ctx);
  };

  if ((ssl = SSL_new(ctx)) == nullptr) {
    return ret;
  }
  SCOPE_EXIT {
    SSL_free(ssl);
  };

  STACK_OF(SSL_CIPHER)* sk = SSL_get_ciphers(ssl);
  for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
    const SSL_CIPHER* c = sk_SSL_CIPHER_value(sk, i);
    unsigned long id = SSL_CIPHER_get_id(c);
    // OpenSSL 1.0.2 and prior does weird things such as stuff the SSL/TLS
    // version into the top 16 bits. Let's ignore those for now. This is
    // BoringSSL compatible (their id can be cast as uint16_t)
    uint16_t cipherCode = id & 0xffffL;
    ret[cipherCode] = SSL_CIPHER_get_name(c);
  }
  return ret;
}
Esempio n. 8
0
const char *OpenSSLQueryCipher(STREAM *S)
{
void *ptr;

if (! S) return(NULL);
ptr=STREAMGetItem(S,"LIBUSEFUL-SSL-CTX");
if (! ptr) return(NULL);

#ifdef HAVE_LIBSSL
const SSL_CIPHER *Cipher;
char *Tempstr=NULL;

Cipher=SSL_get_current_cipher((const SSL *) ptr);

if (Cipher)
{
Tempstr=FormatStr(Tempstr,"%d bit %s",SSL_CIPHER_get_bits(Cipher,NULL), SSL_CIPHER_get_name(Cipher));
STREAMSetValue(S,"SSL-Cipher",Tempstr);

Tempstr=SetStrLen(Tempstr,1024);
Tempstr=SSL_CIPHER_description(Cipher, Tempstr, 1024);


STREAMSetValue(S,"SSL-Cipher-Details",Tempstr);
}

DestroyString(Tempstr);
return(STREAMGetValue(S,"SSL-Cipher"));

#else
return(NULL);
#endif
}
Esempio n. 9
0
  bool Parser::extractKeyingMaterial() {

    int r = 0;

    if (!isHandshakeFinished()) {
      printf("dtls::Parser::extractKeyingMaterial()  - error: cannot extract keying material when the handshake isn't finished.\n");
      return false;
    }

    r = SSL_export_keying_material(ssl, 
                                   keying_material, 
                                   DTLS_SRTP_MASTER_LEN * 2,
                                   "EXTRACTOR-dtls_srtp",
                                   19,
                                   NULL, 
                                   0,
                                   0);
  
    if (r != 1) {
      printf("dtls::Parser::extractKeyingMaterial() - error: cannot export the keying material.\n");
      exit(1);
    }

    if (mode == DTLS_MODE_SERVER) {
      /* set the keying material in case we are a server. */
      remote_key = keying_material;
      local_key  = remote_key + DTLS_SRTP_MASTER_KEY_LEN;
      remote_salt = local_key + DTLS_SRTP_MASTER_KEY_LEN;
      local_salt = remote_salt + DTLS_SRTP_MASTER_SALT_LEN;

    }
    else if (mode == DTLS_MODE_CLIENT) {
      printf("dtls::Parser::extractKeyingMaterial() - error: client keying material not tested.\n");
      /* set the keying material in case we are a client. */
      local_key = keying_material;
      remote_key = local_key + DTLS_SRTP_MASTER_KEY_LEN;
      local_salt = remote_key + DTLS_SRTP_MASTER_KEY_LEN;
      remote_salt = local_salt + DTLS_SRTP_MASTER_SALT_LEN;
      exit(1);
    }
    else {
      printf("dtls::Parser::extractKeyingMaterial() - error: unhandled dtls::Parser mode!.\n");
      exit(1);
    }

#if 1
    /* show some debug info (p->name probably = SRTP_AES128_CM_SHA1_80) */
    SRTP_PROTECTION_PROFILE *p = SSL_get_selected_srtp_profile(ssl);
    if(!p) {
      printf("dtls::Parser::extractKeyingMaterial() - error: cannot extract the srtp_profile.\n");
      exit(1);
    }
    printf("dtls::Parser::extractKeyingMaterial() - verbose: protection profile: %s\n", p->name);

    /* cipher probably is AES256-SHA */
    printf("dtls::Parser::extractKeyingMaterial() - verbose: cipher: %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));
#endif

    return true;
  }
Esempio n. 10
0
static int openssl_ssl_current_cipher(lua_State *L)
{
  SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
  const SSL_CIPHER* c = SSL_get_current_cipher(s);
  if (c)
  {
    int bits, algbits;
    char err[LUAL_BUFFERSIZE] = {0};;

    lua_newtable(L);

    AUXILIAR_SET(L, -1, "name",     SSL_CIPHER_get_name(c), string);
    AUXILIAR_SET(L, -1, "version",  SSL_CIPHER_get_version(c), string);

#if OPENSSL_VERSION_NUMBER > 0x10000000L
    AUXILIAR_SET(L, -1, "id", SSL_CIPHER_get_id(c), integer);
#endif
    bits = SSL_CIPHER_get_bits(c, &algbits);
    AUXILIAR_SET(L, -1, "bits", bits, integer);
    AUXILIAR_SET(L, -1, "algbits", algbits, integer);

    AUXILIAR_SET(L, -1, "description", SSL_CIPHER_description((SSL_CIPHER*)c, err, sizeof(err)), string);

    return 1;
  }
  return 0;
}
Esempio n. 11
0
static const char *
openssl_iostream_get_security_string(struct ssl_iostream *ssl_io)
{
    const SSL_CIPHER *cipher;
#ifdef HAVE_SSL_COMPRESSION
    const COMP_METHOD *comp;
#endif
    const char *comp_str;
    int bits, alg_bits;

    if (!ssl_io->handshaked)
        return "";

    cipher = SSL_get_current_cipher(ssl_io->ssl);
    bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
#ifdef HAVE_SSL_COMPRESSION
    comp = SSL_get_current_compression(ssl_io->ssl);
    comp_str = comp == NULL ? "" :
               t_strconcat(" ", SSL_COMP_get_name(comp), NULL);
#else
    comp_str = "";
#endif
    return t_strdup_printf("%s with cipher %s (%d/%d bits)%s",
                           SSL_get_version(ssl_io->ssl),
                           SSL_CIPHER_get_name(cipher),
                           bits, alg_bits, comp_str);
}
Esempio n. 12
0
/**
 * Adds Ciphers to the Cipher List structure
 *
 * @param options Options for this run
 * @param ssl_method SSL method to populate ciphers for.
 * @return Boolean: true = success | false = error
 */
int populate_ciphers(struct sslCheckOptions *options, const SSL_METHOD *ssl_method)
{
	struct sslCipher *cipher_ptr;
	int i;
	// STACK_OF is a sign that you should be using C++ :)
	STACK_OF(SSL_CIPHER) *cipher_list;
	SSL_CTX *ctx;
	SSL *ssl = NULL;

	ctx = SSL_CTX_new(ssl_method);
	if (ctx == NULL) {
		printf("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET);
		return false;
	}

	SSL_CTX_set_cipher_list(ctx, "ALL:COMPLEMENTOFALL");

	ssl = SSL_new(ctx);
	if (ssl == NULL) {
		printf("%sERROR: Could not create SSL object.%s\n", COL_RED, RESET);
		SSL_CTX_free(ctx);
		return false;
	}

	cipher_list = SSL_get_ciphers(ssl);

	if (options->ciphers != NULL) {
		cipher_ptr = options->ciphers;
		while (cipher_ptr->next != NULL)
			cipher_ptr = cipher_ptr->next;
	}

	// Create Cipher Struct Entries...
	for (i = 0; i < sk_SSL_CIPHER_num(cipher_list); i++) {
		if (options->ciphers == NULL) {
			options->ciphers = malloc(sizeof(struct sslCipher));
			cipher_ptr = options->ciphers;
		} else {
			cipher_ptr->next = malloc(sizeof(struct sslCipher));
			cipher_ptr = cipher_ptr->next;
		}

		memset(cipher_ptr, 0, sizeof(struct sslCipher));
		cipher_ptr->next = NULL;

		// Add cipher information...
		cipher_ptr->sslMethod = ssl_method;
		cipher_ptr->name = SSL_CIPHER_get_name(sk_SSL_CIPHER_value(cipher_list, i));
		cipher_ptr->version = SSL_CIPHER_get_version(sk_SSL_CIPHER_value(cipher_list, i));
		SSL_CIPHER_description(sk_SSL_CIPHER_value(cipher_list, i), cipher_ptr->description, sizeof(cipher_ptr->description) - 1);
		cipher_ptr->bits = SSL_CIPHER_get_bits(sk_SSL_CIPHER_value(cipher_list, i), &cipher_ptr->alg_bits);
	}

	SSL_free(ssl);
	SSL_CTX_free(ctx);

	return true;
}
Esempio n. 13
0
static void set_cipher_info(TLS_REC *tls, SSL *ssl)
{
	g_return_if_fail(tls != NULL);
	g_return_if_fail(ssl != NULL);

	tls_rec_set_protocol_version(tls, SSL_get_version(ssl));

	tls_rec_set_cipher(tls, SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));
	tls_rec_set_cipher_size(tls, SSL_get_cipher_bits(ssl, NULL));
}
Esempio n. 14
0
CAMLprim value ocaml_ssl_get_cipher_name(value vcipher)
{
  const char *name;
  SSL_CIPHER *cipher = (SSL_CIPHER*)vcipher;

  caml_enter_blocking_section();
  name = SSL_CIPHER_get_name(cipher);
  caml_leave_blocking_section();

  return caml_copy_string(name);
}
Esempio n. 15
0
const char* Connection::currentCipher() const
{
    //char desc[512];
    //SSL_CIPHER_description(c, desc, sizeof(desc));
    //bits = SSL_CIPHER_get_bits(c, &usedBits);
    //name = SSL_CIPHER_get_name(c);
    //version = SSL_CIPHER_get_version(c);

    const SSL_CIPHER* c = SSL_get_current_cipher(_ssl);
    const char* name = SSL_CIPHER_get_name(c);
    return name;
}
Esempio n. 16
0
const char *
rb_ssl_get_cipher(rb_fde_t *F)
{
	const SSL_CIPHER *sslciph; 

	if(F == NULL || F->ssl == NULL)
		return NULL;

	if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL)
		return NULL;

	return SSL_CIPHER_get_name(sslciph);
}
Esempio n. 17
0
const char *net_get_cipher(void)
{
  if (_use_ssl) {
    const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
    if (cipher)
      return SSL_CIPHER_get_name(cipher);
    else
      return "unencrypted";
  }
  else
    return "unencrypted";

}
Esempio n. 18
0
bool pn_ssl_get_cipher_name(pn_ssl_t *ssl, char *buffer, size_t size )
{
  const SSL_CIPHER *c;

  *buffer = '\0';
  if (ssl->ssl && (c = SSL_get_current_cipher( ssl->ssl ))) {
    const char *v = SSL_CIPHER_get_name(c);
    if (v) {
      snprintf( buffer, size, "%s", v );
      return true;
    }
  }
  return false;
}
Esempio n. 19
0
static void benchmark(SSL *ssl, uint64_t send_bytes, uint64_t recv_bytes)
{
	uint64_t bytes = 0;
	char buf[BENCH_CHUNK];
	record_time_t t0, t1, t2;
	int sd;

	memset(buf, 'a', BENCH_CHUNK);

	record_time(&t0);

	if (SSL_connect(ssl) != 1) {
		ERR_print_errors_fp(stderr);
		goto out;
	}

	printf("cipher: %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));

	record_time(&t1);

	if (send_bytes) {
		while (bytes < send_bytes) {
			int to_send = (send_bytes - bytes > BENCH_CHUNK) ? BENCH_CHUNK : send_bytes - bytes;
			if (SSL_write_all(ssl, buf, to_send))
				break;
			bytes += to_send;
		}
	} else {
		while (bytes < recv_bytes) {
			int to_recv = (recv_bytes - bytes > BENCH_CHUNK) ? BENCH_CHUNK : recv_bytes - bytes;
			int recved;
			recved = SSL_read(ssl, buf, sizeof(to_recv));
			if (recved > 0)
				bytes += recved;
			else
				break;
		}
	}

	record_time(&t2);
	print_time((send_bytes > 0) ? "sending" : "receiving",
	           (send_bytes > 0) ? send_bytes : recv_bytes,
	           &t1, &t2);

	SSL_shutdown(ssl);
out:
	sd = SSL_get_fd(ssl);
	SSL_free(ssl);
	close(sd);
}
Esempio n. 20
0
int tls_init_data_session(const int fd, const int passive)
{
    const SSL_CIPHER *cipher;
    int ret;
    int ret_;

    (void) passive;
    if (tls_ctx == NULL) {
        logfile(LOG_ERR, MSG_TLS_NO_CTX);
        tls_error(__LINE__, 0);
    }
    if (tls_data_cnx != NULL) {
        tls_close_session(&tls_data_cnx);
    } else if ((tls_data_cnx = SSL_new(tls_ctx)) == NULL) {
        tls_error(__LINE__, 0);
    }
    if (SSL_set_fd(tls_data_cnx, fd) != 1) {
        tls_error(__LINE__, 0);
    }
    SSL_set_accept_state(tls_data_cnx);
    for (;;) {
        ret = SSL_accept(tls_data_cnx);
        if (ret <= 0) {
            ret_ = SSL_get_error(tls_data_cnx, ret);
            if (ret == -1 && (ret_ == SSL_ERROR_WANT_READ ||
                              ret_ == SSL_ERROR_WANT_WRITE)) {
                continue;
            }
            logfile(LOG_INFO, MSG_LOGOUT);
            _EXIT(EXIT_FAILURE);
        }
        break;
    }
# if ONLY_ACCEPT_REUSED_SSL_SESSIONS
    if (broken_client_compat == 0 && SSL_session_reused(tls_data_cnx) == 0) {
        tls_error(__LINE__, 0);
    }
# endif
    if ((cipher = SSL_get_current_cipher(tls_data_cnx)) != NULL) {
        int strength_bits = SSL_CIPHER_get_bits(cipher, NULL);

        logfile(LOG_INFO, MSG_TLS_INFO, SSL_CIPHER_get_version(cipher),
                SSL_CIPHER_get_name(cipher), strength_bits);
        if (strength_bits < MINIMAL_CIPHER_STRENGTH_BITS) {
            die(534, LOG_ERR, MSG_TLS_WEAK);
        }
    }
    return 0;
}
Esempio n. 21
0
/* SSL info callback, this is used to trace engine state changes
 * and to check when the handshake is finished, so we can display
 * some cipher and session information and process callbacks.
 */
void ssl_info(SSL *ssl, int where, int ret)
{
  int sock;
  X509 *cert;
  char buf[256];
  ssl_appdata *data;
  SSL_CIPHER *cipher;
  int secret, processed;
  
  /* We're doing non-blocking IO, so we check here if the handshake has
     finished */
  if (where & SSL_CB_HANDSHAKE_DONE) {
    if (!(data = (ssl_appdata *) SSL_get_app_data(ssl)))
      return;
    /* Callback for completed handshake. Cheaper and more convenient than
       using H_tls */
    sock = SSL_get_fd(ssl);    
    if (data->cb)
      data->cb(sock);
    /* Call TLS binds. We allow scripts to take over or disable displaying of
       certificate information. */
    if (check_tcl_tls(sock))
      return;

    putlog(data->loglevel, "*", "TLS: handshake successful. Secure connection "
           "established.");

    if ((cert = SSL_get_peer_certificate(ssl))) 
      ssl_showcert(cert, data->loglevel);
    else
      putlog(data->loglevel, "*", "TLS: peer did not present a certificate");

    /* Display cipher information */
    cipher = SSL_get_current_cipher(ssl);
    processed = SSL_CIPHER_get_bits(cipher, &secret);
    putlog(data->loglevel, "*", "TLS: cipher used: %s %s; %d bits (%d secret)",
           SSL_CIPHER_get_name(cipher), SSL_CIPHER_get_version(cipher),
           processed, secret);
    /* secret are the actually secret bits. If processed and secret differ,
       the rest of the bits are fixed, i.e. for limited export ciphers */

    /* More verbose information, for debugging only */
    SSL_CIPHER_description(cipher, buf, sizeof buf);
    debug1("TLS: cipher details: %s", buf);
  }

  /* Display the state of the engine for debugging purposes */
  debug1("TLS: state change: %s", SSL_state_string_long(ssl));
}
Esempio n. 22
0
static VALUE
ossl_ssl_cipher_to_ary(SSL_CIPHER *cipher)
{
    VALUE ary;
    int bits, alg_bits;

    ary = rb_ary_new2(4);
    rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_name(cipher)));
    rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_version(cipher)));
    bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
    rb_ary_push(ary, INT2FIX(bits));
    rb_ary_push(ary, INT2FIX(alg_bits));

    return ary;
}
Esempio n. 23
0
struct chiper_info *
_SSL_get_cipher_info (SSL * ssl)
{
	SSL_CIPHER *c;


	c = SSL_get_current_cipher (ssl);
	strncpy (chiper_info.version, SSL_CIPHER_get_version (c),
				sizeof (chiper_info.version));
	strncpy (chiper_info.chiper, SSL_CIPHER_get_name (c),
				sizeof (chiper_info.chiper));
	SSL_CIPHER_get_bits (c, &chiper_info.chiper_bits);

	return (&chiper_info);
}
Esempio n. 24
0
return the certificate even if it wasn't validated.");

static PyObject *PySSL_cipher (PySSLObject *self) {

	PyObject *retval, *v;
	SSL_CIPHER *current;
	char *cipher_name;
	char *cipher_protocol;

	if (self->ssl == NULL)
		return Py_None;
	current = SSL_get_current_cipher(self->ssl);
	if (current == NULL)
		return Py_None;

	retval = PyTuple_New(3);
	if (retval == NULL)
		return NULL;

	cipher_name = (char *) SSL_CIPHER_get_name(current);
	if (cipher_name == NULL) {
		PyTuple_SET_ITEM(retval, 0, Py_None);
	} else {
		v = PyUnicode_FromString(cipher_name);
		if (v == NULL)
			goto fail0;
		PyTuple_SET_ITEM(retval, 0, v);
	}
	cipher_protocol = SSL_CIPHER_get_version(current);
	if (cipher_protocol == NULL) {
		PyTuple_SET_ITEM(retval, 1, Py_None);
	} else {
		v = PyUnicode_FromString(cipher_protocol);
		if (v == NULL)
			goto fail0;
		PyTuple_SET_ITEM(retval, 1, v);
	}
	v = PyLong_FromLong(SSL_CIPHER_get_bits(current, NULL));
	if (v == NULL)
		goto fail0;
	PyTuple_SET_ITEM(retval, 2, v);
	return retval;

  fail0:
	Py_DECREF(retval);
	return NULL;
}
Esempio n. 25
0
int main(void)
{
    SSL_CTX *ctx = SSL_CTX_new(DTLS_method());
    STACK_OF(SSL_CIPHER) *ciphers;
    int i, rv = 0;

    SSL_CTX_set_psk_server_callback(ctx, srvr_psk_callback);
    SSL_CTX_set_psk_client_callback(ctx, clnt_psk_callback);
    SSL_CTX_set_security_level(ctx, 0);

    /* We only care about iterating over each enc/mac; we don't
     * want to repeat the test for each auth/kx variant.
     * So keep life simple and only do (non-DH) PSK. */
    if (!SSL_CTX_set_cipher_list(ctx, "PSK")) {
        fprintf(stderr, "Failed to set PSK cipher list\n");
        goto out;
    }

    ciphers = SSL_CTX_get_ciphers(ctx);
    for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
        const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
        const char *cipher_name = SSL_CIPHER_get_name(cipher);

        /* As noted above, only one test for each enc/mac variant. */
        if (strncmp(cipher_name, "PSK-", 4))
            continue;

        rv = mtu_test(ctx, cipher_name, 0);
        if (!rv)
            break;

        printf("DTLS MTU test OK for %s\n", cipher_name);
        if (rv == 1)
            continue;

        /* mtu_test() returns 2 if it used Encrypt-then-MAC */
        rv = mtu_test(ctx, cipher_name, 1);
        if (!rv)
            break;

        printf("DTLS MTU test OK for %s without Encrypt-then-MAC\n", cipher_name);
    }
 out:
    SSL_CTX_free(ctx);

    return !rv;
}
Esempio n. 26
0
void SSLGetSessionCipher(SSL* pSSLSession,
                         char* pszBuffer,
                         int iBufferSize)
{
    SSL_CIPHER* pCipher = SSL_get_current_cipher(pSSLSession);
    SetEmptyString(pszBuffer);

    if(pCipher)
    {
        SysSNPrintf(pszBuffer,
                    iBufferSize,
                    "protocol=%s, cipher=%s(%d)",
                    SSL_CIPHER_get_version(pCipher),
                    SSL_CIPHER_get_name(pCipher),
                    SSL_CIPHER_get_bits(pCipher, NULL));
    }
}
Esempio n. 27
0
static void print_details(SSL *c_ssl, const char *prefix)
	{
	SSL_CIPHER *ciph;
	X509 *cert;
		
	ciph=SSL_get_current_cipher(c_ssl);
	BIO_printf(bio_stdout,"%s%s, cipher %s %s",
		prefix,
		SSL_get_version(c_ssl),
		SSL_CIPHER_get_version(ciph),
		SSL_CIPHER_get_name(ciph));
	cert=SSL_get_peer_certificate(c_ssl);
	if (cert != NULL)
		{
		EVP_PKEY *pkey = X509_get_pubkey(cert);
		if (pkey != NULL)
			{
			if (0) 
				;
#ifndef OPENSSL_NO_RSA
			else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
				&& pkey->pkey.rsa->n != NULL)
				{
				BIO_printf(bio_stdout, ", %d bit RSA",
					BN_num_bits(pkey->pkey.rsa->n));
				}
#endif
#ifndef OPENSSL_NO_DSA
			else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
				&& pkey->pkey.dsa->p != NULL)
				{
				BIO_printf(bio_stdout, ", %d bit DSA",
					BN_num_bits(pkey->pkey.dsa->p));
				}
#endif
			EVP_PKEY_free(pkey);
			}
		X509_free(cert);
		}
	/* The SSL API does not allow us to look at temporary RSA/DH keys,
	 * otherwise we should print their lengths too */
	BIO_printf(bio_stdout,"\n");
	}
Esempio n. 28
0
int ipfix_ssl_init_con( SSL *con )
{
    extern FILE *mlog_fp; // todo: see if this is working
    int i;
    char *str;
    long verify_error;
    char buf[100];

    if ((i=SSL_accept(con)) <= 0) {
        if (BIO_sock_should_retry(i)) {
            mlogf( 0, "[ipfix_ssl_init] DELAY\n");
            return -1;
        }

        mlogf( 0, "[ipfix_ssl_init] ERROR\n");
        verify_error=SSL_get_verify_result( con );
        if (verify_error != X509_V_OK) {
            mlogf( 0, "[ipfix_ssl_init] verify error: %s\n",
                   X509_verify_cert_error_string(verify_error));
        }
        else
            ERR_print_errors_fp( mlog_fp );

        return -1;
    }

    if ( 1 <= mlog_get_vlevel() ) {
        PEM_write_SSL_SESSION( mlog_fp, SSL_get_session(con));

        if ( SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL) {
            mlogf( 3, "[ipfix] Shared ciphers:%s\n", buf);
        }
        str=(char*)SSL_CIPHER_get_name( SSL_get_current_cipher(con) );
        mlogf( 3,  "[ipfix] CIPHER is %s\n",(str != NULL)?str:"(NONE)");
        if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
            TLS1_FLAGS_TLS_PADDING_BUG) {
            mlogf( 1, "[ipfix] Peer has incorrect TLSv1 block padding\n");
        }
    }

    return 0;
}
Esempio n. 29
0
  void handle_handshake(const boost::system::error_code& error)
  {
    if (!error)
    {
		std::cout << SSL_CIPHER_get_name(SSL_get_current_cipher(socket_.native_handle())) << std::endl;
		std::cout << "Enter message: ";
		std::cin.getline(request_, max_length);
		size_t request_length = strlen(request_);

		boost::asio::async_write(socket_,
			boost::asio::buffer(request_, request_length),
			boost::bind(&client::handle_write, this,
			boost::asio::placeholders::error,
			boost::asio::placeholders::bytes_transferred));
    }
    else
    {
      std::cout << "Handshake failed: " << error << "\n";
    }
  }
Esempio n. 30
0
/* **************************************
 *
 * Information functions
 *
 * Print information for the end user.
 *
 ***************************************/
void
print_details (struct key_state_ssl * ks_ssl, const char *prefix)
{
  const SSL_CIPHER *ciph;
  X509 *cert;
  char s1[256];
  char s2[256];

  s1[0] = s2[0] = 0;
  ciph = SSL_get_current_cipher (ks_ssl->ssl);
  openvpn_snprintf (s1, sizeof (s1), "%s %s, cipher %s %s",
		    prefix,
		    SSL_get_version (ks_ssl->ssl),
		    SSL_CIPHER_get_version (ciph),
		    SSL_CIPHER_get_name (ciph));
  cert = SSL_get_peer_certificate (ks_ssl->ssl);
  if (cert != NULL)
    {
      EVP_PKEY *pkey = X509_get_pubkey (cert);
      if (pkey != NULL)
	{
	  if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
	      && pkey->pkey.rsa->n != NULL)
	    {
	      openvpn_snprintf (s2, sizeof (s2), ", %d bit RSA",
				BN_num_bits (pkey->pkey.rsa->n));
	    }
	  else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
		   && pkey->pkey.dsa->p != NULL)
	    {
	      openvpn_snprintf (s2, sizeof (s2), ", %d bit DSA",
				BN_num_bits (pkey->pkey.dsa->p));
	    }
	  EVP_PKEY_free (pkey);
	}
      X509_free (cert);
    }
  /* The SSL API does not allow us to look at temporary RSA/DH keys,
   * otherwise we should print their lengths too */
  msg (D_HANDSHAKE, "%s%s", s1, s2);
}