int main(int argc, char *argv[])
{
SSL_CTX *ctx;
const SSL_METHOD *method = SSLv3_client_method();
int client_fd;
char *host;
char *portnum;
int bench_send = 0;
int bench_recv = 0;
int i;
enum cipher_choice cipher_choice = CIPHER_ALL;
if (argc < 3) {
printf("Usage: %s <host_ip> <portnum> [opts]\n", argv[0]);
exit(-1);
}
host = argv[1];
portnum = argv[2];
lib_init();
for (i = 3; i < argc; i++) {
if (strcmp("tls-1.2", argv[i]) == 0) {
method = TLSv1_2_client_method();
} else if (strcmp("tls-1.1", argv[i]) == 0) {
method = TLSv1_1_client_method();
} else if (strcmp("tls-1.0", argv[i]) == 0) {
method = TLSv1_client_method();
} else if (strcmp("ssl-3.0", argv[i]) == 0) {
method = SSLv3_client_method();
} else if (strcmp("bench-send", argv[i]) == 0) {
bench_send = atoi(argv[++i]);
} else if (strcmp("bench-recv", argv[i]) == 0) {
bench_recv = atoi(argv[++i]);
} else {
printf("warning: unknown option: \"%s\"\n", argv[i]);
}
}
ctx = client_init(method, cipher_choice);
client_fd = connect_socket(host, atoi(portnum));
printf("[status] connected. handshaking\n");
SSL *ssl;
ssl = SSL_new(ctx);
SSL_set_fd(ssl, client_fd);
if (bench_send > 0 || bench_recv > 0)
benchmark(ssl, bench_send, bench_recv);
else
process(ssl);
close(client_fd);
SSL_CTX_free(ctx);
return 0;
}
const SSL_METHOD *anubis_string_to_SSL_METOHD(const char *method, int role) {
if(!method)
return NULL;
if(!strcasecmp(method, "SSLv23"))
return role == ANUBIS_ROLE_SERVER ?
SSLv23_server_method() :
role == ANUBIS_ROLE_CLIENT ? SSLv23_client_method() : NULL;
#ifndef OPENSSL_NO_SSL2_METHOD
if(!strcasecmp(method, "SSLv2"))
return role == ANUBIS_ROLE_SERVER ?
SSLv3_server_method() :
role == ANUBIS_ROLE_CLIENT ? SSLv3_client_method() : NULL;
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
if(!strcasecmp(method, "SSLv3"))
return role == ANUBIS_ROLE_SERVER ?
SSLv3_server_method() :
role == ANUBIS_ROLE_CLIENT ? SSLv3_client_method() : NULL;
#endif
if(!strcasecmp(method, "TLSv1.0"))
return role == ANUBIS_ROLE_SERVER ?
TLSv1_server_method() :
role == ANUBIS_ROLE_CLIENT ? TLSv1_client_method() : NULL;
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
if(!strcasecmp(method, "TLSv1.1"))
return role == ANUBIS_ROLE_SERVER ?
TLSv1_1_server_method() :
role == ANUBIS_ROLE_CLIENT ? TLSv1_1_client_method() : NULL;
if(!strcasecmp(method, "TLSv1.2"))
return role == ANUBIS_ROLE_SERVER ?
TLSv1_2_server_method() :
role == ANUBIS_ROLE_CLIENT ? TLSv1_2_client_method() : NULL;
#endif
/*
if(!strcasecmp(method, "DTLS1.0"))
return role == ANUBIS_ROLE_SERVER ?
DTLSv1_server_method() :
role == ANUBIS_ROLE_CLIENT ? DTLSv1_client_method() : NULL;
if(!strcasecmp(method, "DTLS1.2"))
return role == ANUBIS_ROLE_SERVER ?
DTLSv1_2_server_method() :
role == ANUBIS_ROLE_CLIENT ? DTLSv1_2_client_method() : NULL;
if(!strcasecmp(method, "DTLS"))
return role == ANUBIS_ROLE_SERVER ?
DTLS_server_method() :
role == ANUBIS_ROLE_CLIENT ? DTLS_client_method() : NULL;
*/
return NULL;
}//end anubis_string_to_SSL_METOHD
/* Initiate an SSL handshake on this stream and encrypt all subsequent data */
int stream_enable_ssl(PTSTREAM *pts) {
#ifdef USE_SSL
SSL *ssl;
SSL_CTX *ctx;
int ret;
/* Initialise the connection */
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
ctx = SSL_CTX_new (SSLv3_client_method());
ssl = SSL_new (ctx);
if (args_info.verbose_flag) {
message("Set SNI hostname to %s\n", args_info.proxyhost_arg);
}
ret = SSL_set_tlsext_host_name(ssl, args_info.proxyhost_arg);
if (!ret) {
message("TLS SNI error, giving up: SSL_set_tlsext_host_name failed\n");
exit(1);
}
SSL_set_rfd (ssl, stream_get_incoming_fd(pts));
SSL_set_wfd (ssl, stream_get_outgoing_fd(pts));
SSL_connect (ssl);
/* Store ssl and ctx parameters */
pts->ssl = ssl;
pts->ctx = ctx;
#else
message("Warning: stream_open(): SSL stream requested but no SSL support available; using unencrypted connection");
#endif /* USE_SSL */
return 1;
}
int
init_ssl(char *cert_file_svr, char *key_file_svr, char *cert_file_clt,
char *key_file_clt)
{
int rc = 0;
SSLeay_add_ssl_algorithms();
//ssl_client_meth = SSLv2_client_method();
ssl_client_meth = SSLv3_client_method();
ssl_client_ctx = SSL_CTX_new(ssl_client_meth);
ssl_server_meth = SSLv23_server_method();
ssl_server_ctx = SSL_CTX_new(ssl_server_meth);
SSL_load_error_strings();
if(!ssl_client_ctx || !ssl_server_ctx) {
ERR_print_errors_fp(stderr);
return -1;
}
debug(DBG_SSL, 1, "Loading the key/cert for the client SSL context...");
rc = load_ssl_ctx_certkey(ssl_client_ctx, cert_file_clt, key_file_clt);
if(rc < 0) {
return rc - 10;
}
debug(DBG_SSL, 1, "SSL client context successfully loaded");
debug(DBG_SSL, 1, "Loading the key/cert for the server SSL context...");
rc = load_ssl_ctx_certkey(ssl_server_ctx, cert_file_svr, key_file_svr);
if(rc < 0) {
return rc - 20;
}
debug(DBG_SSL, 1, "SSL server context successfully loaded");
return 0;
}
void init_options(void)
{
if((option.cafiles = malloc(sizeof(char *) * 1)) == (char **) 0)
{
fprintf(stderr, "malloc: %.100s (%i)\n", strerror(errno), errno);
exit(EXIT_FAILURE);
}
option.cafiles[0] = 0;
if((option.log_servers = malloc(sizeof(char *) * 1)) == (char **) 0)
{
fprintf(stderr, "malloc: %.100s (%i)\n", strerror(errno), errno);
exit(EXIT_FAILURE);
}
option.log_servers[0] = 0;
/* default options */
option.port = 5554;
option.banner_pause = -1;
option.facility = LOG_AUTH;
option.priority = LOG_INFO;
option.method = SSLv3_client_method();
option.pemfile = "/etc/eas/certs/client.pem";
option.egdfile = 0;
option.randomfile = 0;
option.cipher = "HIGH:MEDIUM";
option.method = 0;
option.default_shell = "/bin/sh";
option.banner = 0;
option.tcptimeout = 2;
return;
}
int get_ssl_method_name(const SSL_METHOD *ssl_method, char *name, size_t len)
{
len--;
name[len] = '\0';
#ifndef OPENSSL_NO_SSL2
if (ssl_method == SSLv2_client_method()) {
strncpy(name, "SSLv2", len);
return 1;
}
#endif // #ifndef OPENSSL_NO_SSL2
if (ssl_method == SSLv3_client_method()) {
strncpy(name, "SSLv3", len);
return 2;
}
if (ssl_method == TLSv1_client_method()) {
strncpy(name, "TLSv1", len);
return 3;
}
#if OPENSSL_VERSION_NUMBER >= 0x1000008fL || OPENSSL_VERSION_NUMBER >= 0x1000100fL
if (ssl_method == TLSv1_1_client_method()) {
strncpy(name, "TLS11", len);
return 4;
}
if (ssl_method == TLSv1_2_client_method())
{
strncpy(name, "TLS12", len);
return 5;
}
#endif // #if OPENSSL_VERSION_NUMBER >= 0x1000008fL || OPENSSL_VERSION_NUMBER >= 0x1000100fL
return 0;
}
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
SSL_CTX *ctx;
#ifdef WIN32
int i, r;
#endif
SSLeay_add_ssl_algorithms ();
SSL_load_error_strings ();
ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300);
/* used in SSL_connect(), SSL_accept() */
SSL_CTX_set_info_callback (ctx, info_cb_func);
#ifdef WIN32
/* under win32, OpenSSL needs to be seeded with some randomness */
for (i = 0; i < 128; i++)
{
r = rand ();
RAND_seed ((unsigned char *)&r, sizeof (r));
}
#endif
return(ctx);
}
SSL_METHOD *sycSSLv3_client_method(void) {
SSL_METHOD *result;
Debug("SSLv3_client_method()");
result = SSLv3_client_method();
Debug1("SSLv3_client_method() -> %p", result);
return result;
}
/*
* initialize ssl methods
*/
static void
init_ssl_methods(void)
{
LM_DBG("entered\n");
#ifndef OPENSSL_NO_SSL2
ssl_methods[TLS_USE_SSLv2_cli - 1] = (SSL_METHOD*)SSLv2_client_method();
ssl_methods[TLS_USE_SSLv2_srv - 1] = (SSL_METHOD*)SSLv2_server_method();
ssl_methods[TLS_USE_SSLv2 - 1] = (SSL_METHOD*)SSLv2_method();
#endif
ssl_methods[TLS_USE_SSLv3_cli - 1] = (SSL_METHOD*)SSLv3_client_method();
ssl_methods[TLS_USE_SSLv3_srv - 1] = (SSL_METHOD*)SSLv3_server_method();
ssl_methods[TLS_USE_SSLv3 - 1] = (SSL_METHOD*)SSLv3_method();
ssl_methods[TLS_USE_TLSv1_cli - 1] = (SSL_METHOD*)TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv - 1] = (SSL_METHOD*)TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1 - 1] = (SSL_METHOD*)TLSv1_method();
ssl_methods[TLS_USE_SSLv23_cli - 1] = (SSL_METHOD*)SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv - 1] = (SSL_METHOD*)SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23 - 1] = (SSL_METHOD*)SSLv23_method();
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
ssl_methods[TLS_USE_TLSv1_2_cli - 1] = (SSL_METHOD*)TLSv1_2_client_method();
ssl_methods[TLS_USE_TLSv1_2_srv - 1] = (SSL_METHOD*)TLSv1_2_server_method();
ssl_methods[TLS_USE_TLSv1_2 - 1] = (SSL_METHOD*)TLSv1_2_method();
#endif
}
int sock_SSL_connect(SSL **ssl_con, int sockfd)
{
int ssl_err;
SSL_CTX *ssl_ctx = NULL;
ssl_ctx = SSL_CTX_new(SSLv3_client_method());
if(!ssl_ctx) {
net_log(NET_LOG_ERR, "sock_SSL_connect: !ssl_ctx\n");
return WSOCK_ERROR;
}
*ssl_con = SSL_new(ssl_ctx);
if(!(*ssl_con)) {
net_log(NET_LOG_ERR, "sock_SSL_connect: SSL_new() failed.\n");
SSL_CTX_free(ssl_ctx);
return WSOCK_ERROR;
}
SSL_set_fd (*ssl_con, sockfd);
SSL_set_connect_state(*ssl_con);
ssl_err = SSL_connect(*ssl_con);
if(ssl_err < 0)
SSL_set_shutdown(*ssl_con,SSL_SENT_SHUTDOWN);
if(ssl_err <= 0) {
net_log(NET_LOG_ERR, "sock_SSL_connect: SSL_connect() failed.\n");
SSL_free(*ssl_con);
SSL_CTX_free(ssl_ctx);
return WSOCK_ERROR;
}
return WSOCK_OK;
}
SSL_CTX* EdSSLContext::buildClientCtx(int ver)
{
SSL_CTX *pctx;
const SSL_METHOD *method;
switch (ver)
{
case SSL_VER_TLSV1:
method = TLSv1_method();
break;
case SSL_VER_TLSV11:
method = TLSv1_1_client_method();
break;
case SSL_VER_V23:
method = SSLv23_client_method();
break;
case SSL_VER_V3:
method = SSLv3_client_method();
break;
case SSL_VER_DTLSV1:
method = DTLSv1_client_method();
break;
default:
method = NULL;
break;
}
if (method == NULL)
return NULL;
pctx = SSL_CTX_new(method);
return pctx;
}
void
SockSSLConnect( struct Sock* out_sock )
{
#ifdef TK_CONFIG_SOCK_SSL_ENABLE
SSL_CTX* ctx;
SSL* ssl;
SSL_load_error_strings();
VCK( SSL_library_init() != 1 ,return);
ctx = SSL_CTX_new (SSLv3_client_method());
VCK( ctx == NULL ,return);
ssl = SSL_new (ctx);
VCK( ssl == NULL ,return);
VCK( SSL_set_fd ( ssl, out_sock->socket ) != 1 , return);
//enable socket SSL
VCK( SSL_connect (ssl) != 1 ,
TK_EXCEPTION("SSLConnect failed or be shutdown");
return);
//connect SSL
out_sock->ctx = ctx;
out_sock->ssl = ssl;
#endif
}
const SSL_METHOD * hb_ssl_method_id_to_ptr( int n )
{
const SSL_METHOD * p;
switch( n )
{
#if OPENSSL_VERSION_NUMBER < 0x10000000L
case HB_SSL_CTX_NEW_METHOD_SSLV2: p = SSLv2_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV2_SERVER: p = SSLv2_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV2_CLIENT: p = SSLv2_client_method(); break;
#endif
case HB_SSL_CTX_NEW_METHOD_SSLV3: p = SSLv3_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV3_SERVER: p = SSLv3_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV3_CLIENT: p = SSLv3_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1: p = TLSv1_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_SERVER: p = TLSv1_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_CLIENT: p = TLSv1_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23: p = SSLv23_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23_SERVER: p = SSLv23_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23_CLIENT: p = SSLv23_client_method(); break;
default: p = SSLv23_method();
}
return p;
}
/*
* This test attempts to create a SSL 3.0 connection
* with the EST server. This should fail, as TLS 1.0
* is not allowed.
*/
static void us1190_test1 (void)
{
LOG_FUNC_NM
;
us1190_test_sslversion(SSLv3_client_method(), 1);
}
bool SSLSocket::setupCrypto(SSLSocket *session /* = NULL */) {
if (m_handle) {
raise_warning("SSL/TLS already set-up for this stream");
return false;
}
/* need to do slightly different things, based on client/server method,
* so lets remember which method was selected */
#if OPENSSL_VERSION_NUMBER < 0x00909000L
SSL_METHOD *smethod;
#else
const SSL_METHOD *smethod;
#endif
switch (m_method) {
case ClientSSLv23: m_client = true; smethod = SSLv23_client_method(); break;
case ClientSSLv3: m_client = true; smethod = SSLv3_client_method(); break;
case ClientTLS: m_client = true; smethod = TLSv1_client_method(); break;
case ServerSSLv23: m_client = false; smethod = SSLv23_server_method(); break;
case ServerSSLv3: m_client = false; smethod = SSLv3_server_method(); break;
/* SSLv2 protocol might be disabled in the OpenSSL library */
#ifndef OPENSSL_NO_SSL2
case ClientSSLv2: m_client = true; smethod = SSLv2_client_method(); break;
case ServerSSLv2: m_client = false; smethod = SSLv2_server_method(); break;
#else
case ClientSSLv2:
case ServerSSLv2:
raise_warning("OpenSSL library does not support SSL2 protocol");
return false;
break;
#endif
case ServerTLS: m_client = false; smethod = TLSv1_server_method(); break;
default:
return false;
}
SSL_CTX *ctx = SSL_CTX_new(smethod);
if (ctx == nullptr) {
raise_warning("failed to create an SSL context");
return false;
}
SSL_CTX_set_options(ctx, SSL_OP_ALL);
m_handle = createSSL(ctx);
if (m_handle == nullptr) {
raise_warning("failed to create an SSL handle");
SSL_CTX_free(ctx);
return false;
}
if (!SSL_set_fd(m_handle, m_fd)) {
handleError(0, true);
}
if (session) {
SSL_copy_session_id(m_handle, session->m_handle);
}
return true;
}
bool CSSLClient::Initial(unsigned long encryptionType)
{
//初始SSL
s_Lock.Lock();
if (0 == s_objectCount)
{
SSL_library_init();
const SSL_METHOD * pSSLMethod = NULL;
if (TVT_ENCRYPTION_SSL == encryptionType)
{
pSSLMethod = TLSv1_client_method();
}
else if(TVT_ENCRYPTION_TLS == encryptionType)
{
pSSLMethod = SSLv3_client_method();
}
SSL_load_error_strings();
s_SSLCTX = SSL_CTX_new(pSSLMethod);
if(NULL == s_SSLCTX)
{
int errNum = ERR_get_error();
printf("%s:%s:%d, ssl connect error:%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_reason_error_string(errNum));
printf("%s:%s:%d, error function=%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_func_error_string(errNum));
s_Lock.UnLock();
return false;
}
/* if (SSL_CTX_use_certificate_file(s_SSLCTX, CA_CERT_FILE, SSL_FILETYPE_PEM) <= 0)
{
printf("Error: %s\n", ERR_reason_error_string(ERR_get_error()));
s_Lock.UnLock();
return false;
}
if (SSL_CTX_use_PrivateKey_file_pass(s_SSLCTX, CA_KEY_FILE, "123456") <= 0)
{
printf("use_PrivateKey_file err\n");
s_Lock.UnLock();
return false;
}
*/
for (int i=0; i < CRYPTO_num_locks(); ++i)
{
CPUB_Lock *pLock = new CPUB_Lock;
s_vecLock.push_back(pLock);
}
CRYPTO_set_id_callback(GetThreadId);
CRYPTO_set_locking_callback(pthreads_locking_callback);
s_bHasInitial = true;
}
s_objectCount++;
s_Lock.UnLock();
return true;
}
/*
** Create an SSL application context if not already done
*/
PUBLIC BOOL HTSSL_init (void)
{
char rnd_filename[HT_MAX_PATH];
/*
** Initialise OpenSSL 0.9.5 random number generator.
** The random generator of OpenSSL had to be initialised on platforms
** that do not support /dev/random, like Compaq True64 Unix.
** This is done in the default way, and means that the user of the
** libwww-ssl library needs to have a .rnd file in his/her home-directory.
*/
RAND_file_name(rnd_filename, sizeof(rnd_filename));
RAND_load_file(rnd_filename, -1);
if (!app_ctx) {
SSL_METHOD * meth = NULL;
SSLeay_add_ssl_algorithms();
/* Seems to provide English error messages */
SSL_load_error_strings();
/* select the protocol method */
switch (ssl_prot_method) {
case HTSSL_V2:
meth = SSLv2_client_method();
break;
case HTSSL_V3:
meth = SSLv3_client_method();
break;
case HTSSL_V23:
meth = SSLv23_client_method();
break;
default:
case HTTLS_V1:
meth = TLSv1_client_method();
break;
}
/* set up the application context */
if ((app_ctx = SSL_CTX_new(meth)) == NULL) {
HTTRACE(PROT_TRACE, "HTSSLContext Could not create context\n");
return NO;
}
HTTRACE(PROT_TRACE, "HTSSLContext Created context %p" _ app_ctx);
/* See the SSL states in our own callback */
#ifdef HTDEBUG
SSL_CTX_set_info_callback(app_ctx, apps_ssl_info_callback);
#endif
/* Set the certificate verification callback */
SSL_CTX_set_verify(app_ctx, SSL_VERIFY_PEER, verify_callback);
/* Not sure what this does */
SSL_CTX_set_session_cache_mode(app_ctx, SSL_SESS_CACHE_CLIENT);
}
return YES;
}
static void sl_ssl_client (void){
// create an ssl object and return the memory managed type back to
// SLang. It needs the file descriptor of the object upon which
// communication will occur, and the protocol to use.
//
SSL_CTX *ctx;
SSL *ssl;
int proto, cret;
SLang_MMT_Type *mmt, *sslmmt;
SLsslctx_Type *slctx;
char *cadir=NULL, *cafile=NULL;
if (SLang_Num_Function_Args == 3)
if (SLang_pop_slstring(&cadir) == -1)
return;
if (SLang_Num_Function_Args > 1)
if (SLANG_NULL_TYPE==SLang_peek_at_stack())
SLdo_pop();
else if (SLang_pop_slstring(&cafile) == -1)
goto free;
if (SLang_pop_integer(&proto) == -1)
goto free;
if (proto==SSL_PROTO_SSL2)
ctx = SSL_CTX_new(SSLv23_client_method());
else if (proto==SSL_PROTO_SSL3)
ctx = SSL_CTX_new(SSLv3_client_method());
else if (proto==SSL_PROTO_TLS1)
ctx = SSL_CTX_new(TLSv1_client_method());
else if (proto==SSL_PROTO_ANY)
ctx = SSL_CTX_new(SSLv23_client_method());
cret = SSL_CTX_load_verify_locations(ctx, cafile, cadir);
if (cret == 0 && SLang_Num_Function_Args > 1){
SLang_verror(SL_APPLICATION_ERROR, "Failed to load CA file or path");
goto free;
}
slctx = (SLsslctx_Type *)malloc(sizeof(SLsslctx_Type));
slctx->is_server = 0;
slctx->ctx = (void *)ctx;
sslmmt = SLang_create_mmt(SLsslctx_Type_Id, (VOID_STAR) slctx);
if (0!=SLang_push_mmt(sslmmt))
SLang_free_mmt(sslmmt);
free:
if (NULL!=cadir)
SLang_free_slstring(cadir);
if (NULL!=cafile)
SLang_free_slstring(cafile);
}
SSL_CTX* InitCTX(void)
{ SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms(); /* Load cryptos, et.al. */
SSL_load_error_strings(); /* Bring in and register error messages */
method = SSLv3_client_method(); /* Create new client-method instance */
ctx = SSL_CTX_new(method); /* Create new context */
return ctx;
}
SSLContext::SSLContext(int _method){
#ifdef USE_EMBEDDED_CLASSNAMES
setClassName(__xvr2_Net_SSLContext);
#endif
__init_ssl_library(this);
pem = 0;
method = _method;
ctx = 0;
mydata = 0;
switch(method){
case SSL_V2:
ctx = SSL_CTX_new(SSLv2_method());
break;
case SSL_V2_CLIENT:
ctx = SSL_CTX_new(SSLv2_client_method());
break;
case SSL_V2_SERVER:
ctx = SSL_CTX_new(SSLv2_server_method());
break;
case SSL_V3:
ctx = SSL_CTX_new(SSLv3_method());
break;
case SSL_V3_CLIENT:
ctx = SSL_CTX_new(SSLv3_client_method());
break;
case SSL_V3_SERVER:
ctx = SSL_CTX_new(SSLv3_server_method());
break;
case SSL_V23_CLIENT:
ctx = SSL_CTX_new(SSLv23_client_method());
break;
case SSL_V23_SERVER:
ctx = SSL_CTX_new(SSLv23_server_method());
break;
case SSL_V23:
default:
ctx = SSL_CTX_new(SSLv23_method());
}
if(ctx == 0){
throw SSLContextCreation();
}
//Initialize password callback
__ssl_ctx_cb_args *x;
x = new __ssl_ctx_cb_args(this, 0, 0);
mydata = x;
#ifdef USE_DEBUG
debugmsgln(this, "Initializing password callback...");
#endif
SSL_CTX_set_default_passwd_cb((SSL_CTX *)ctx, passwdCB);
#ifdef USE_DEBUG
debugmsgln(this, "Initializing default password callback userdata...");
#endif
SSL_CTX_set_default_passwd_cb_userdata((SSL_CTX *)ctx, mydata);
}
static int _init_client(OpenSSL * openssl, char const * name)
{
if((openssl->ssl_ctx = SSL_CTX_new(SSLv3_client_method())) == NULL
|| SSL_CTX_set_cipher_list(openssl->ssl_ctx,
SSL_DEFAULT_CIPHER_LIST) != 1
|| (openssl->ssl = SSL_new(openssl->ssl_ctx)) == NULL)
return -_openssl_error_ssl(1);
if((openssl->fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
return -_openssl_error("socket", 1);
/* FIXME implement the rest */
return -1;
}
/*
* Negotiate SSL on the socket.
*/
static BOOL server_negotiate_ssl(Remote *remote)
{
BOOL success = TRUE;
SOCKET fd = 0;
DWORD ret = 0;
lock_acquire( remote->lock );
do
{
fd = remote_get_fd(remote);
remote->meth = SSLv3_client_method();
remote->ctx = SSL_CTX_new(remote->meth);
SSL_CTX_set_mode(remote->ctx, SSL_MODE_AUTO_RETRY);
remote->ssl = SSL_new(remote->ctx);
SSL_set_verify(remote->ssl, SSL_VERIFY_NONE, NULL);
if( SSL_set_fd(remote->ssl, remote->fd) == 0 )
{
dprintf("[SERVER] set fd failed");
success = FALSE;
break;
}
if( (ret = SSL_connect(remote->ssl)) != 1 )
{
dprintf("[SERVER] connect failed %d\n", SSL_get_error(remote->ssl, ret));
success = FALSE;
break;
}
dprintf("[SERVER] Sending a HTTP GET request to the remote side...");
if( (ret = SSL_write(remote->ssl, "GET /123456789 HTTP/1.0\r\n\r\n", 27)) <= 0 )
{
dprintf("[SERVER] SSL write failed during negotiation with return: %d (%d)", ret, SSL_get_error(remote->ssl, ret));
}
} while(0);
lock_release( remote->lock );
dprintf("[SERVER] Completed writing the HTTP GET request: %d", ret);
if( ret < 0 )
success = FALSE;
return success;
}
static const SSL_METHOD *ssl23_get_client_method(int ver)
{
#ifndef OPENSSL_NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
#endif
if (ver == SSL3_VERSION)
return(SSLv3_client_method());
else if (ver == TLS1_VERSION)
return(TLSv1_client_method());
else
return(NULL);
}
static SSL_METHOD *ssl23_get_client_method(int ver)
{
#ifdef CONFIG_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
#endif
if (ver == SSL3_VERSION)
return(SSLv3_client_method());
else if (ver == TLS1_VERSION)
return(TLSv1_client_method());
else
return(NULL);
}
static const SSL_METHOD *
ssl23_get_client_method(int ver)
{
if (ver == SSL3_VERSION)
return (SSLv3_client_method());
if (ver == TLS1_VERSION)
return (TLSv1_client_method());
if (ver == TLS1_1_VERSION)
return (TLSv1_1_client_method());
if (ver == TLS1_2_VERSION)
return (TLSv1_2_client_method());
return (NULL);
}
static int ssl_init(GF_DownloadManager *dm, u32 mode)
{
SSL_METHOD *meth;
if (!dm) return 0;
/* The SSL has already been initialized. */
if (dm->ssl_ctx) return 1;
/* Init the PRNG. If that fails, bail out. */
init_prng();
if (RAND_status() != 1) goto error;
SSL_library_init();
SSL_load_error_strings();
SSLeay_add_all_algorithms();
SSLeay_add_ssl_algorithms();
switch (mode) {
case 0:
meth = SSLv23_client_method();
break;
case 1:
meth = SSLv2_client_method();
break;
case 2:
meth = SSLv3_client_method();
break;
case 3:
meth = TLSv1_client_method();
break;
default:
goto error;
}
dm->ssl_ctx = SSL_CTX_new(meth);
if (!dm->ssl_ctx) goto error;
SSL_CTX_set_default_verify_paths(dm->ssl_ctx);
SSL_CTX_load_verify_locations (dm->ssl_ctx, NULL, NULL);
/* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
certificate is invalid. We verify the certificate separately in
ssl_check_certificate, which provides much better diagnostics
than examining the error stack after a failed SSL_connect. */
SSL_CTX_set_verify(dm->ssl_ctx, SSL_VERIFY_NONE, NULL);
/* Since fd_write unconditionally assumes partial writes (and handles them correctly),
allow them in OpenSSL. */
SSL_CTX_set_mode(dm->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
return 1;
error:
if (dm->ssl_ctx) SSL_CTX_free(dm->ssl_ctx);
dm->ssl_ctx = NULL;
return 0;
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
#ifndef OPENSSL_NO_SSL3_METHOD
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
#endif
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
#ifdef TLS1_1_VERSION
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
#endif
#ifdef TLS1_2_VERSION
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
#endif
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
/**
* @desc Initialize OpenSSL lib
* @throw Char *
*/
void IOSocketSSL::initSSL(const bool force_server_method = false) {
TRACE_CALL();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_ssl_algorithms();
switch (socket_t) {
case IOSOCKET_LISTEN_T:
ctx = SSL_CTX_new(SSLv3_server_method());
break;
case IOSOCKET_CONNECT_T:
if (force_server_method)
ctx = SSL_CTX_new(SSLv3_server_method());
else
ctx = SSL_CTX_new(SSLv3_client_method());
break;
default:
/* Shouln't happen, mother class constructor should have thrown
* an exception earlier */
throw("Unknown socket type");
break;
}
/**
* Should use a loop on ERR_get_error()
* to retrieve the whole error process
*/
if (ctx == NULL)
throw(new_SSL_error("initializing ssl context"));
if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) != 1)
throw(new_SSL_error("loading cert file"));
if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) != 1)
throw(new_SSL_error("loading private key file"));
if (SSL_CTX_check_private_key(ctx) != 1)
throw(new_SSL_error("verifying private key"));
/* Don't bother with renego */
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
init_ssl = true;
}
SSL_CTX* InitCTX(void)
{ SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms(); /* Load cryptos, et.al. */
SSL_load_error_strings(); /* Bring in and register error messages */
method = const_cast<SSL_METHOD*>(SSLv3_client_method()); /* Create new client-method instance */
ctx = SSL_CTX_new(method); /* Create new context */
if ( ctx == NULL )
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
int hipCfgFiles::loadCfg(struct hip_conf *hc)
{
const char *fnName = "hipCfgFiles::loadCfg: ";
SSL_CTX *ctx = NULL;
if (hc == NULL)
{
cout << "loadCfg: ERROR: HCNF not set" << endl;
return(-1);
}
_hcfg = hc;
/* SSL context. */
SSL_library_init();
SSL_load_error_strings();
ctx = SSL_CTX_new(SSLv3_client_method());
if (ctx == NULL)
{
cerr << fnName << "Error creating SSL context" << endl;
return(-1);
}
_ssl = SSL_new(ctx);
if (_ssl == NULL)
{
cerr << fnName << "Error open SSL connect" << endl;
return(-1);
}
/* Don't need x509 store since not handling certs
* _store = X509_STORE_new();
* if(!_store){
* cerr << fnName << "error calling X509_STORE_new" << endl;
* return -1;
* }
*
* X509_STORE_set_verify_cb_func(_store, hipCfgFiles::callb);
* X509_STORE_set_default_paths(_store);
*/
hc->use_my_identities_file = 1;
if (getEndboxMapsFromLocalFile() < 0)
{
return(-1);
}
return(0);
}
