int
ssl_ctx_use_private_key(SSL_CTX *ctx, char *buf, off_t len)
{
int ret;
BIO *in;
EVP_PKEY *pkey;
ret = 0;
if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
return 0;
}
pkey = PEM_read_bio_PrivateKey(in, NULL,
ctx->default_passwd_callback,
ctx->default_passwd_callback_userdata);
if (pkey == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_PEM_LIB);
goto end;
}
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
EVP_PKEY_free(pkey);
end:
if (in != NULL)
BIO_free(in);
return ret;
}
int
ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
{
int ret = 0;
EVP_PKEY *pkey = NULL;
X509 *x509 = NULL;
if (!ssl_load_pkey(data, datalen, buf, len, &x509, &pkey))
return (0);
/*
* Use the public key as the "private" key - the secret key
* parameters are hidden in an extra process that will be
* contacted by the RSA engine. The SSL/TLS library needs at
* least the public key parameters in the current process.
*/
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
if (!ret)
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SSL_LIB);
if (pkeyptr != NULL)
*pkeyptr = pkey;
else if (pkey != NULL)
EVP_PKEY_free(pkey);
if (x509ptr != NULL)
*x509ptr = x509;
else if (x509 != NULL)
X509_free(x509);
return (ret);
}
// memory is only valid for duration of callback; must be copied if queueing
// is required
DtlsSocketContext::DtlsSocketContext() {
started = false;
mSocket = NULL;
receiver = NULL;
DtlsSocketContext::Init();
ELOG_DEBUG("Creating Dtls factory, Openssl v %s", OPENSSL_VERSION_TEXT);
mContext = SSL_CTX_new(DTLSv1_method());
assert(mContext);
int r = SSL_CTX_use_certificate(mContext, mCert);
assert(r == 1);
r = SSL_CTX_use_PrivateKey(mContext, privkey);
assert(r == 1);
SSL_CTX_set_cipher_list(mContext, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
SSL_CTX_set_info_callback(mContext, SSLInfoCallback);
SSL_CTX_set_verify(mContext, SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
SSLVerifyCallback);
// SSL_CTX_set_session_cache_mode(mContext, SSL_SESS_CACHE_OFF);
// SSL_CTX_set_options(mContext, SSL_OP_NO_TICKET);
// Set SRTP profiles
r = SSL_CTX_set_tlsext_use_srtp(mContext, DefaultSrtpProfile);
assert(r == 0);
SSL_CTX_set_verify_depth(mContext, 2);
SSL_CTX_set_read_ahead(mContext, 1);
ELOG_DEBUG("DtlsSocketContext %p created", this);
}
void SSLContext::loadPrivateKeyFromBufferPEM(folly::StringPiece pkey) {
if (pkey.data() == nullptr) {
throw std::invalid_argument("loadPrivateKey: <pkey> is nullptr");
}
ssl::BioUniquePtr bio(BIO_new(BIO_s_mem()));
if (bio == nullptr) {
throw std::runtime_error("BIO_new: " + getErrors());
}
int written = BIO_write(bio.get(), pkey.data(), pkey.size());
if (written <= 0 || static_cast<unsigned>(written) != pkey.size()) {
throw std::runtime_error("BIO_write: " + getErrors());
}
ssl::EvpPkeyUniquePtr key(
PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
if (key == nullptr) {
throw std::runtime_error("PEM_read_bio_PrivateKey: " + getErrors());
}
if (SSL_CTX_use_PrivateKey(ctx_, key.get()) == 0) {
throw std::runtime_error("SSL_CTX_use_PrivateKey: " + getErrors());
}
}
/**
* @brief load private key into the SSL context
*/
int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
const unsigned char *d, long len)
{
int ret;
EVP_PKEY *pk;
pk = d2i_PrivateKey(0, NULL, &d, len);
if (!pk) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
goto failed1;
}
ret = SSL_CTX_use_PrivateKey(ctx, pk);
if (!ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_PrivateKey() return %d", ret);
goto failed2;
}
return 1;
failed2:
EVP_PKEY_free(pk);
failed1:
return 0;
}
void ContextImpl::setIdentity(const Certificate& cert)
{
if( ! cert.impl()->pkey() )
throw InvalidCertificate("invalid certificate");
if(_pkey)
EVP_PKEY_free(_pkey);
_pkey = 0;
if(_x509)
X509_free(_x509);
_x509 = 0;
_x509 = copyX509( cert.impl()->x509() );
_pkey = copyPrivateKey( cert.impl()->pkey() );
if( ! SSL_CTX_use_certificate(_ctx, _x509) )
{
throw InvalidCertificate("invalid certificate");
}
if( ! SSL_CTX_use_PrivateKey( _ctx, _pkey ) )
{
throw InvalidCertificate("invalid certificate");
}
// openssl will not check the private key of this context against the
// certifictate. TO do so call SSL_CTX_check_private_key(_ctx)
}
int CSSLClient::SSL_CTX_use_PrivateKey_file_pass(SSL_CTX *ctx,const char *pFileName,char *pPass)
{
EVP_PKEY *pkey = NULL;
BIO *pBIO = NULL;
pBIO = BIO_new(BIO_s_file());
BIO_read_filename(pBIO, pFileName);
pkey = PEM_read_bio_PrivateKey(pBIO, NULL, NULL, pPass);
if(pkey == NULL)
{
printf("PEM_read_bio_PrivateKey err");
return -1;
}
if (SSL_CTX_use_PrivateKey(ctx,pkey) <= 0)
{
printf("SSL_CTX_use_PrivateKey err\n");
return -1;
}
BIO_free(pBIO);
return 1;
}
bool VSslServer::setKeyCrtStuff(VError& error, SSL_CTX* ctx, EVP_PKEY* key, X509* crt)
{
LOG_ASSERT(key != NULL);
LOG_ASSERT(crt != NULL);
int res = SSL_CTX_use_certificate(ctx, crt);
if (res <= 0)
{
error = VSslError(QString("SSL_CTX_use_certificate return %1").arg(res), VSslError::IN_SSL_CTX_USE_CERTIFICATE);
return false;
}
res = SSL_CTX_use_PrivateKey(ctx, key);
if (res <= 0)
{
error = VSslError(QString("SSL_CTX_use_PrivateKey return %1").arg(res), VSslError::SSL_CTX_USER_PRIVATEKEY);
return false;
}
res = SSL_CTX_check_private_key(ctx);
if (!res)
{
error = VSslError(QString("SSL_CTX_check_private_key return %1").arg(res), VSslError::SSL_CTX_CHECK_PRIVATEKEY);
return false;
}
return true;
}
bool
SSLContext::Init(X509 *pCert, EVP_PKEY *pPrivatekey){
int nLockCt = CRYPTO_num_locks();
InitializeCryptoLocks(nLockCt);
#ifdef _DEBUG
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options (V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl (CRYPTO_MEM_CHECK_ON);
#endif
CRYPTO_set_locking_callback (&ssl_lock_callback);
CRYPTO_set_dynlock_create_callback (&ssl_lock_dyn_create_callback);
CRYPTO_set_dynlock_lock_callback (&ssl_lock_dyn_callback);
CRYPTO_set_dynlock_destroy_callback (&ssl_lock_dyn_destroy_callback);
SSL_load_error_strings ();
SSL_library_init ();
// Initialize and verify SSL context. {{
const SSL_METHOD* meth = SSLv23_method();
m_pssl_ctx = SSL_CTX_new(meth);
SSL_CTX_set_verify(m_pssl_ctx, SSL_VERIFY_NONE, nullptr);
// }}
#ifdef _SERVER
SSL_CTX_set_options(m_pssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
#endif
if( pCert )
SSL_CTX_use_certificate (m_pssl_ctx, pCert);
if( pPrivatekey )
SSL_CTX_use_PrivateKey (m_pssl_ctx, pPrivatekey);
return true;
}
int SSL_CTX_use_PrivateKey_file_pass (SSL_CTX * ctx, char *filename, char *pass)
{
EVP_PKEY *pkey = NULL;
BIO *key = NULL;
key = BIO_new (BIO_s_file ());
BIO_read_filename (key, filename);
pkey = PEM_read_bio_PrivateKey (key, NULL, NULL, pass);
if (pkey == NULL)
{
printf ("PEM_read_bio_PrivateKey err");
return -1;
}
//加载客户端私钥
if (SSL_CTX_use_PrivateKey (ctx, pkey) <= 0)
{
printf ("SSL_CTX_use_PrivateKey err\n");
return -1;
}
BIO_free (key);
return 1;
}
int
set_cert_key_stuff(SSL_CTX * ctx, X509 * cert, EVP_PKEY * key)
{
if (cert == NULL)
return 1;
if (SSL_CTX_use_certificate(ctx, cert) <= 0) {
BIO_printf(bio_err, "error setting certificate\n");
ERR_print_errors(bio_err);
return 0;
}
if (SSL_CTX_use_PrivateKey(ctx, key) <= 0) {
BIO_printf(bio_err, "error setting private key\n");
ERR_print_errors(bio_err);
return 0;
}
/*
* Now we know that a key and cert have been set against the SSL
* context
*/
if (!SSL_CTX_check_private_key(ctx)) {
BIO_printf(bio_err,
"Private key does not match the certificate public key\n");
return 0;
}
return 1;
}
static CURLcode sslctxfun( CURL * curl, void * sslctx, void * parm ) {
sslctxparm * p = (sslctxparm *) parm;
SSL_CTX * ctx = (SSL_CTX *) sslctx ;
if ( !SSL_CTX_use_certificate( ctx,p->usercert ) ) {
BIO_printf( p->errorbio, "SSL_CTX_use_certificate problem\n" ); goto err;
}
if ( !SSL_CTX_use_PrivateKey( ctx,p->pkey ) ) {
BIO_printf( p->errorbio, "SSL_CTX_use_PrivateKey\n" ); goto err;
}
if ( !SSL_CTX_check_private_key( ctx ) ) {
BIO_printf( p->errorbio, "SSL_CTX_check_private_key\n" ); goto err;
}
SSL_CTX_set_quiet_shutdown( ctx,1 );
SSL_CTX_set_cipher_list( ctx,"RC4-MD5" );
SSL_CTX_set_mode( ctx, SSL_MODE_AUTO_RETRY );
X509_STORE_add_cert( ctx->cert_store,sk_X509_value( p->ca,sk_X509_num( p->ca ) - 1 ) );
SSL_CTX_set_verify_depth( ctx,2 );
SSL_CTX_set_verify( ctx,SSL_VERIFY_PEER,NULL );
SSL_CTX_set_cert_verify_callback( ctx, ssl_app_verify_callback, parm );
return CURLE_OK ;
err:
ERR_print_errors( p->errorbio );
return CURLE_SSL_CERTPROBLEM;
}
static int
tls_sc_set_key(lua_State *L) {
tls_sc_t *ctx;
EVP_PKEY* key;
BIO *bio;
const char *passpharse = NULL;
const char *keystr = NULL;
size_t klen = 0;
size_t plen = 0;
ctx = getSC(L);
keystr = luaL_checklstring(L, 2, &klen);
passpharse = luaL_optlstring(L, 3, NULL, &plen);
bio = str2bio(keystr, klen);
if (!bio) {
return luaL_error(L, "tls_sc_set_key: Failed to convert Key into a BIO");
}
ERR_clear_error();
/* If the 3rd arg is NULL, the 4th arg is treated as a const char* istead of void* */
key = PEM_read_bio_PrivateKey(bio, NULL, NULL, (void*)passpharse);
if (!key) {
return tls_fatal_error(L);
}
SSL_CTX_use_PrivateKey(ctx->ctx, key);
EVP_PKEY_free(key);
BIO_free(bio);
return 0;
}
static int
use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
{
BIO *in = NULL;
EVP_PKEY *pkey = NULL;
int ret = 0;
in = BIO_new_mem_buf ((char *)key_string, -1);
if (!in)
goto end;
pkey = PEM_read_bio_PrivateKey (in,
NULL,
ctx->default_passwd_callback,
ctx->default_passwd_callback_userdata);
if (!pkey)
goto end;
ret = SSL_CTX_use_PrivateKey (ctx, pkey);
end:
if (pkey)
EVP_PKEY_free (pkey);
if (in)
BIO_free (in);
return ret;
}
int
useCertFile(SSL_CTX* ctx, const char* path, const char* passphrase, const char* cacertfile)
{
FILE *p12_file;
PKCS12 *p12_cert = NULL;
EVP_PKEY *pkey;
X509 *x509_cert;
p12_file = fopen(path, "r");
if (!p12_file)
{
timestamp_f(stderr);
perror(path);
return -1;
}
d2i_PKCS12_fp(p12_file, &p12_cert);
fclose(p12_file);
if (!PKCS12_parse(p12_cert, passphrase, &pkey, &x509_cert, NULL))
{
int error = ERR_get_error();
timestamp_f(stderr);
fprintf(stderr, "failed to parse p12 file; error %d\n", error);
PKCS12_free(p12_cert);
return -1;
}
PKCS12_free(p12_cert);
if (!SSL_CTX_use_certificate(ctx, x509_cert))
{
int error = ERR_get_error();
timestamp_f(stderr);
fprintf(stderr, "failed to set cert for SSL context; error %d\n", error);
X509_free(x509_cert);
EVP_PKEY_free(pkey);
return -1;
}
X509_free(x509_cert);
if (!SSL_CTX_use_PrivateKey(ctx, pkey))
{
int error = ERR_get_error();
timestamp_f(stderr);
fprintf(stderr, "failed to set private key for SSL context; error %d\n", error);
EVP_PKEY_free(pkey);
return -1;
}
EVP_PKEY_free(pkey);
if (cacertfile && *cacertfile && !SSL_CTX_load_verify_locations(ctx, cacertfile, NULL))
{
timestamp_f(stderr);
fprintf(stderr, "failed to load root cert for verification from %s\n", cacertfile);
return -1;
}
return 0;
}
struct dtls_context *
create_dtls_context(const char *common)
{
if (common == NULL)
return NULL;
struct dtls_context *context = (struct dtls_context *)calloc(1, sizeof *context);
if (context == NULL)
return NULL;
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_CTX *ctx = SSL_CTX_new(DTLSv1_method());
if (ctx == NULL)
goto ctx_err;
context->ctx = ctx;
// ALL:NULL:eNULL:aNULL
if (SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)
goto ctx_err;
SSL_CTX_set_read_ahead(ctx, 1); // for DTLS
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_peer_certificate_cb);
EVP_PKEY *key = gen_key();
if (key == NULL)
goto ctx_err;
SSL_CTX_use_PrivateKey(ctx, key);
X509 *cert = gen_cert(key, common, 365);
if (cert == NULL)
goto ctx_err;
SSL_CTX_use_certificate(ctx, cert);
if (SSL_CTX_check_private_key(ctx) != 1)
goto ctx_err;
unsigned int len;
unsigned char buf[BUFFER_SIZE];
X509_digest(cert, EVP_sha256(), buf, &len);
char *p = context->fingerprint;
for (int i = 0; i < len; ++i) {
snprintf(p, 4, "%02X:", buf[i]);
p += 3;
}
*(p - 1) = 0;
if (0) {
ctx_err:
SSL_CTX_free(ctx);
free(context);
context = NULL;
}
return context;
}
static int load_tpm_certificate(struct openconnect_info *vpninfo)
{
ENGINE *e;
EVP_PKEY *key;
UI_METHOD *meth = NULL;
int ret = 0;
ENGINE_load_builtin_engines();
e = ENGINE_by_id("tpm");
if (!e) {
vpn_progress(vpninfo, PRG_ERR, _("Can't load TPM engine.\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
if (!ENGINE_init(e) || !ENGINE_set_default_RSA(e) ||
!ENGINE_set_default_RAND(e)) {
vpn_progress(vpninfo, PRG_ERR, _("Failed to init TPM engine\n"));
openconnect_report_ssl_errors(vpninfo);
ENGINE_free(e);
return -EINVAL;
}
if (vpninfo->cert_password) {
if (!ENGINE_ctrl_cmd(e, "PIN", strlen(vpninfo->cert_password),
vpninfo->cert_password, NULL, 0)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set TPM SRK password\n"));
openconnect_report_ssl_errors(vpninfo);
}
vpninfo->cert_password = NULL;
free(vpninfo->cert_password);
} else {
/* Provide our own UI method to handle the PIN callback. */
meth = create_openssl_ui(vpninfo);
}
key = ENGINE_load_private_key(e, vpninfo->sslkey, meth, NULL);
if (meth)
UI_destroy_method(meth);
if (!key) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to load TPM private key\n"));
openconnect_report_ssl_errors(vpninfo);
ret = -EINVAL;
goto out;
}
if (!SSL_CTX_use_PrivateKey(vpninfo->https_ctx, key)) {
vpn_progress(vpninfo, PRG_ERR, _("Add key from TPM failed\n"));
openconnect_report_ssl_errors(vpninfo);
ret = -EINVAL;
}
EVP_PKEY_free(key);
out:
ENGINE_finish(e);
ENGINE_free(e);
return ret;
}
__declspec(dllexport) void ILibWrapper_InitializeDTLS()
{
ctx = SSL_CTX_new(DTLSv1_method());
SSL_CTX_use_certificate(ctx, selftlscert.x509);
SSL_CTX_use_PrivateKey(ctx,selftlscert.pkey);
int l = 32;
X509_digest(selftlscert.x509, EVP_get_digestbyname("sha256"), (unsigned char*)tlsServerCertThumbprint, (unsigned int*)&l);
}
bool OpenSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) {
// 1 is the documented success return code.
if (SSL_CTX_use_certificate(ctx, certificate_->x509()) != 1 ||
SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) {
LogSSLErrors("Configuring key and certificate");
return false;
}
return true;
}
SSL_CTX *
evssl_init()
{
DH *dh;
SSL_CTX *ctx;
SSL_load_error_strings();
SSL_library_init();
RAND_poll();
if ((passport = pki_passport_load_from_file(cfg->cert,
cfg->pkey, cfg->tcert)) == NULL) {
return NULL;
}
if ((ctx = SSL_CTX_new(TLSv1_2_client_method())) == NULL) {
jlog(L_ERROR, "SSL_CTX_new failed");
return NULL;
}
if ((dh = get_dh_1024()) == NULL) {
jlog(L_ERROR, "get_dh_1024 failed");
goto out;
}
if ((SSL_CTX_set_tmp_dh(ctx, dh)) == 0) {
jlog(L_ERROR, "SSL_CTX_set_tmp_dh failed");
goto out;
}
//SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-AES256-GCM-SHA384");
if ((SSL_CTX_set_cipher_list(ctx, "AES256-GCM-SHA384")) == 0) {
jlog(L_ERROR, "SSL_CTX_set_cipher failed");
goto out;
}
SSL_CTX_set_cert_store(ctx, passport->cacert_store);
if ((SSL_CTX_use_certificate(ctx, passport->certificate)) == 0) {
jlog(L_ERROR, "SSL_CTX_use_certificate failed");
goto out;
}
if ((SSL_CTX_use_PrivateKey(ctx, passport->keyring)) == 0) {
jlog(L_ERROR, "SSL_CTX_use_PrivateKey failed");
goto out;
}
DH_free(dh);
return ctx;
out:
DH_free(dh);
SSL_CTX_free(ctx);
return NULL;
}
int
tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
#if ENABLE_INLINE_FILES
, const char *priv_key_file_inline
#endif
)
{
int status;
SSL_CTX *ssl_ctx = NULL;
BIO *in = NULL;
EVP_PKEY *pkey = NULL;
int ret = 1;
ASSERT(NULL != ctx);
ssl_ctx = ctx->ctx;
#if ENABLE_INLINE_FILES
if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
in = BIO_new_mem_buf ((char *)priv_key_file_inline, -1);
else
#endif /* ENABLE_INLINE_FILES */
in = BIO_new_file (priv_key_file, "r");
if (!in)
goto end;
pkey = PEM_read_bio_PrivateKey (in, NULL,
ssl_ctx->default_passwd_callback,
ssl_ctx->default_passwd_callback_userdata);
if (!pkey)
goto end;
if (!SSL_CTX_use_PrivateKey (ssl_ctx, pkey))
{
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
#endif
msg (M_WARN|M_SSL, "Cannot load private key file %s", priv_key_file);
goto end;
}
warn_if_group_others_accessible (priv_key_file);
/* Check Private Key */
if (!SSL_CTX_check_private_key (ssl_ctx))
msg (M_SSLERR, "Private key does not match the certificate");
ret = 0;
end:
if (pkey)
EVP_PKEY_free (pkey);
if (in)
BIO_free (in);
return ret;
}
static CURLcode sslctx_function(CURL * curl, void * sslctx, void * parm)
{
SSL_CTX* ctx = (SSL_CTX*)sslctx;
if(!SSL_CTX_use_certificate(ctx, g_Cert))
printf("SSL_CTX_use_certificate problem\n");
if(!SSL_CTX_use_PrivateKey(ctx, g_PrivateKey))
printf("Use Key failed\n");
return CURLE_OK;
}
bool SslContext::UseCertificate(String certdata, String pkeydata, bool cert_asn1)
{
ASSERT(ssl_ctx);
if(IsNull(certdata) || IsNull(pkeydata))
return false;
SslCertificate cert;
SslKey pkey;
if(!cert.Load(certdata, cert_asn1) || !pkey.Load(pkeydata))
return false;
if(!SSL_CTX_use_certificate(ssl_ctx, cert) || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
return false;
if(!SSL_CTX_check_private_key(ssl_ctx))
return false;
return true;
}
SSL_CTX *
InitCTX (void)
{
SSL_METHOD *method;
X509 *cert;
EVP_PKEY *key;
SSL_library_init ();
OpenSSL_add_all_algorithms (); /* Load cryptos, et.al. */
SSL_load_error_strings (); /* Bring in and register error messages */
method = SSLv3_server_method ();
ctx = SSL_CTX_new (method); /* Create new context */
if (ctx == NULL) {
#ifdef DEBUG
ERR_print_errors_fp (stderr);
#endif
abort ();
}
SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX_set_cipher_list (ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
if (gen_cert (&cert, &key) == 0) {
#ifdef DEBUG
printf ("Error w/ gen_cert()\n");
#endif
exit (1);
}
if (SSL_CTX_use_certificate (ctx, cert) != 1) {
#ifdef DEBUG
fprintf (stderr, "SSL_CTX_use_certificate failed.\n");
#endif
exit (1);
}
if (SSL_CTX_use_PrivateKey (ctx, key) != 1) {
#ifdef DEBUG
fprintf (stderr, "SSL_CTX_use_PrivateKey failed.\n");
#endif
exit (1);
}
X509_free (cert);
EVP_PKEY_free (key);
return ctx;
}
int
SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
long len)
{
int ret;
EVP_PKEY *pkey;
if ((pkey = d2i_PrivateKey(type, NULL, &d, (long)len)) == NULL) {
SSLerrorx(ERR_R_ASN1_LIB);
return (0);
}
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
EVP_PKEY_free(pkey);
return (ret);
}
int SSL_CTX_use_PrivateKey_file (SSL_CTX * ctx, const char *file, int type)
{
int j, ret = 0;
BIO *in;
EVP_PKEY *pkey = NULL;
in = BIO_new (BIO_s_file_internal ());
if (in == NULL)
{
SSLerr (SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
goto end;
}
if (BIO_read_filename (in, file) <= 0)
{
SSLerr (SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
goto end;
}
if (type == SSL_FILETYPE_PEM)
{
j = ERR_R_PEM_LIB;
pkey = PEM_read_bio_PrivateKey (in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
}
else if (type == SSL_FILETYPE_ASN1)
{
j = ERR_R_ASN1_LIB;
pkey = d2i_PrivateKey_bio (in, NULL);
}
else
{
SSLerr (SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
goto end;
}
if (pkey == NULL)
{
SSLerr (SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
goto end;
}
ret = SSL_CTX_use_PrivateKey (ctx, pkey);
EVP_PKEY_free (pkey);
end:
if (in != NULL)
BIO_free (in);
return (ret);
}
static void Init() {
ctx = SSL_CTX_new(SSLv23_method());
const uint8_t *bufp = kRSAPrivateKeyDER;
RSA *privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER));
OPENSSL_assert(privkey != NULL);
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, privkey);
int ret = SSL_CTX_use_PrivateKey(ctx, pkey);
OPENSSL_assert(ret == 1);
EVP_PKEY_free(pkey);
bufp = kCertificateDER;
X509 *cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER));
OPENSSL_assert(cert != NULL);
ret = SSL_CTX_use_certificate(ctx, cert);
OPENSSL_assert(ret == 1);
X509_free(cert);
}
int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *d,
long len) {
int ret;
const uint8_t *p;
EVP_PKEY *pkey;
p = d;
pkey = d2i_PrivateKey(type, NULL, &p, (long)len);
if (pkey == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
return 0;
}
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
EVP_PKEY_free(pkey);
return ret;
}
int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
const unsigned char *d, long len)
{
int ret;
const unsigned char *p;
EVP_PKEY *pkey;
p = d;
if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
return (0);
}
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
EVP_PKEY_free(pkey);
return (ret);
}
SSLStream::SSLStream(Stream::ptr parent, bool client, bool own, SSL_CTX *ctx)
: MutatingFilterStream(parent, own)
{
MORDOR_ASSERT(parent);
clearSSLError();
if (ctx)
m_ctx.reset(ctx, &nop<SSL_CTX *>);
else
m_ctx.reset(SSL_CTX_new(client ? SSLv23_client_method() :
SSLv23_server_method()), &SSL_CTX_free);
if (!m_ctx) {
MORDOR_ASSERT(hasOpenSSLError());
MORDOR_THROW_EXCEPTION(OpenSSLException(getOpenSSLErrorMessage()))
// << boost::errinfo_api_function("SSL_CTX_new");
;
}
// Auto-generate self-signed server cert
if (!ctx && !client) {
std::shared_ptr<X509> cert;
std::shared_ptr<EVP_PKEY> pkey;
mkcert(cert, pkey, 1024, rand(), 365);
SSL_CTX_use_certificate(m_ctx.get(), cert.get());
SSL_CTX_use_PrivateKey(m_ctx.get(), pkey.get());
}
m_ssl.reset(SSL_new(m_ctx.get()), &SSL_free);
if (!m_ssl) {
MORDOR_ASSERT(hasOpenSSLError());
MORDOR_THROW_EXCEPTION(OpenSSLException(getOpenSSLErrorMessage()))
// << boost::errinfo_api_function("SSL_CTX_new");
;
}
m_readBio = BIO_new(BIO_s_mem());
m_writeBio = BIO_new(BIO_s_mem());
if (!m_readBio || !m_writeBio) {
if (m_readBio) BIO_free(m_readBio);
if (m_writeBio) BIO_free(m_writeBio);
MORDOR_ASSERT(hasOpenSSLError());
MORDOR_THROW_EXCEPTION(OpenSSLException(getOpenSSLErrorMessage()))
// << boost::errinfo_api_function("BIO_new");
;
}
BIO_set_mem_eof_return(m_readBio, -1);
SSL_set_bio(m_ssl.get(), m_readBio, m_writeBio);
}
