bool Socket::create(int timeout_sec) {
#if defined(unix) || defined(__unix__) || defined(__unix)
m_sock = socket(AF_INET,
SOCK_STREAM,
0);
#endif
if (!is_valid())
return false;
// TIME_WAIT - argh
int on = 1;
#if defined(unix) || defined(__unix__) || defined(__unix)
if (setsockopt(m_sock, SOL_SOCKET, SO_REUSEADDR,
(const char*) &on, sizeof ( on)) == -1)
return false;
struct timeval timeout;
timeout.tv_sec = timeout_sec;
timeout.tv_usec = 0;
if (setsockopt(m_sock, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof (timeout)) < 0)
return false;
if (setsockopt(m_sock, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof (timeout)) < 0)
return false;
#endif
if (socketType == Socket::TLS1_1) {
InitializeSSL();
#if defined(__APPLE__)
sslctx = SSL_CTX_new(TLSv1_1_method());
#elif defined(unix) || defined(__unix__) || defined(__unix)
sslctx = SSL_CTX_new(TLSv1_1_method());
#endif
#if defined(unix) || defined(__unix__) || defined(__unix)
SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE);
/*----- Load a client certificate into the SSL_CTX structure -----*/
if (SSL_CTX_use_certificate_file(sslctx,
(char*) CLIENT_CERT.c_str(), SSL_FILETYPE_PEM) <= 0
) {
ERR_print_errors_fp(stderr);
exit(1);
}
/*----- Load a private-key into the SSL_CTX structure -----*/
if (SSL_CTX_use_PrivateKey_file(sslctx, (char*) CLIENT_KEY.c_str(), SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
int CA = SSL_CTX_load_verify_locations(sslctx, (char*) CA_FILE.c_str(), NULL);
SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_verify_depth(sslctx, 1);
cSSL = SSL_new(sslctx);
int sssfd = SSL_set_fd(cSSL, m_sock);
#endif
}
return true;
}
SSL_CTX* EdSSLContext::buildCtx(int ver)
{
SSL_CTX *pctx;
const SSL_METHOD *method;
switch (ver)
{
case SSL_VER_TLSV1:
method = TLSv1_method();
break;
case SSL_VER_TLSV11:
method = TLSv1_1_method();
break;
case SSL_VER_V23:
method = SSLv23_method();
break;
case SSL_VER_V3:
method = SSLv3_method();
break;
case SSL_VER_DTLSV1:
method = DTLSv1_method();
break;
default:
method = NULL;
break;
}
if (method == NULL)
return NULL;
pctx = SSL_CTX_new(method);
return pctx;
}
void CTLSConnection::initialize() throw(CTCPConnection::CConnectException)
{
//Use ONLY TLS 1.1: this is the latest version supported by libssl
m_TLSContext = SSL_CTX_new(TLSv1_1_method());
if(m_TLSContext == NULL)
{
deallocate();
throw CConnectException(
"Failed to create a new SSL/TLS context");
}
SSL_CTX_set_options(m_TLSContext,
SSL_OP_SINGLE_DH_USE | //docs seem to indicate this improves security
SSL_OP_NO_SSLv2 | //do not use old SSL v2 protocol
SSL_OP_NO_SSLv3 | //do not use old SSL v3 protocol
SSL_OP_NO_TLSv1 | //do not use old TLS v1.0 protocol
SSL_MODE_AUTO_RETRY //send and receive implementations depend on this
); //TODO
m_TLSConnection = SSL_new(m_TLSContext);
if(m_TLSConnection == NULL)
{
deallocate();
throw CConnectException(
"Failed to create a new SSL/TLS connection structure");
}
//TODO:
if(!SSL_set_fd(m_TLSConnection, getFD()))
{
deallocate();
throw CConnectException(
"Failed to connect SSL/TLS object to file descriptor");
}
}
static const SSL_METHOD *tls1_get_method(int ver)
{
if (ver == TLS1_1_VERSION)
return TLSv1_1_method();
if (ver == TLS1_VERSION)
return TLSv1_method();
return NULL;
}
extern "C" const SSL_METHOD* CryptoNative_TlsV1_1Method()
{
#if HAVE_TLS_V1_1
const SSL_METHOD* method = TLSv1_1_method();
assert(method != nullptr);
return method;
#else
return nullptr;
#endif
}
/**
* Find the protocol.
*/
static LSEC_SSL_METHOD* str2method(const char *method)
{
if (!strcmp(method, "sslv23")) return SSLv23_method();
if (!strcmp(method, "sslv3")) return SSLv3_method();
if (!strcmp(method, "tlsv1")) return TLSv1_method();
#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
#endif
return NULL;
}
static const SSL_METHOD *
tls1_get_method(int ver)
{
if (ver == TLS1_2_VERSION)
return (TLSv1_2_method());
if (ver == TLS1_1_VERSION)
return (TLSv1_1_method());
if (ver == TLS1_VERSION)
return (TLSv1_method());
return (NULL);
}
// nassl.SSL_CTX.new()
static PyObject* nassl_SSL_CTX_new(PyTypeObject *type, PyObject *args, PyObject *kwds) {
nassl_SSL_CTX_Object *self;
int sslVersion;
SSL_CTX *sslCtx;
self = (nassl_SSL_CTX_Object *)type->tp_alloc(type, 0);
if (self == NULL)
return NULL;
self->sslCtx = NULL;
self->pkeyPasswordBuf = NULL;
if (!PyArg_ParseTuple(args, "I", &sslVersion)) {
Py_DECREF(self);
return NULL;
}
switch (sslVersion) {
case sslv23:
sslCtx = SSL_CTX_new(SSLv23_method());
break;
case sslv2:
sslCtx = SSL_CTX_new(SSLv2_method());
break;
case sslv3:
sslCtx = SSL_CTX_new(SSLv3_method());
break;
case tlsv1:
sslCtx = SSL_CTX_new(TLSv1_method());
break;
case tlsv1_1:
sslCtx = SSL_CTX_new(TLSv1_1_method());
break;
case tlsv1_2:
sslCtx = SSL_CTX_new(TLSv1_2_method());
break;
default:
PyErr_SetString(PyExc_ValueError, "Invalid value for ssl version");
Py_DECREF(self);
return NULL;
}
if (sslCtx == NULL) {
raise_OpenSSL_error();
Py_DECREF(self);
return NULL;
}
// Add the client certificate callback
SSL_CTX_set_client_cert_cb(sslCtx, client_cert_cb);
self->sslCtx = sslCtx;
return (PyObject *)self;
}
static const SSL_METHOD *
ssl23_get_method(int ver)
{
if (ver == SSL3_VERSION)
return (SSLv3_method());
if (ver == TLS1_VERSION)
return (TLSv1_method());
if (ver == TLS1_1_VERSION)
return (TLSv1_1_method());
if (ver == TLS1_2_VERSION)
return (TLSv1_2_method());
return (NULL);
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
#ifndef OPENSSL_NO_SSL3_METHOD
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
#endif
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
#ifdef TLS1_1_VERSION
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
#endif
#ifdef TLS1_2_VERSION
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
#endif
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
static const SSL_METHOD *ssl23_get_method(int ver)
{
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_method());
else
#endif
if (ver == TLS1_VERSION)
return (TLSv1_method());
else if (ver == TLS1_1_VERSION)
return (TLSv1_1_method());
else if (ver == TLS1_2_VERSION)
return (TLSv1_2_method());
else
return (NULL);
}
static const SSL_METHOD *tls1_get_method(int ver)
{
if (ver == TLS_ANY_VERSION)
return TLS_method();
if (ver == TLS1_2_VERSION)
return TLSv1_2_method();
if (ver == TLS1_1_VERSION)
return TLSv1_1_method();
if (ver == TLS1_VERSION)
return TLSv1_method();
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_method());
else
#endif
return NULL;
}
static const SSL_METHOD* get_ssl_method(const char* tls_version)
{
if (!tls_version || !*tls_version)
{
LOG_ERROR("tls_version is not set.");
return 0;
}
if (!strcmp(tls_version, "1.0"))
return TLSv1_method();
if (!strcmp(tls_version, "1.1"))
return TLSv1_1_method();
if (!strcmp(tls_version, "1.2"))
return TLSv1_2_method();
LOG_ERROR("Unable to recognize tls_version.");
return 0;
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
static int openssl_ssl_ctx_new(lua_State*L)
{
const char* meth = luaL_optstring(L, 1, "TLSv1");
#if OPENSSL_VERSION_NUMBER >= 0x01000000L
const
#endif
SSL_METHOD* method = NULL;
const char* ciphers;
SSL_CTX* ctx;
if (strcmp(meth, "SSLv3") == 0)
method = SSLv3_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv3_server") == 0)
method = SSLv3_server_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv3_client") == 0)
method = SSLv3_client_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv23") == 0)
method = SSLv23_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "SSLv23_server") == 0)
method = SSLv23_server_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "SSLv23_client") == 0)
method = SSLv23_client_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "TLSv1_1") == 0)
method = TLSv1_1_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_1_server") == 0)
method = TLSv1_1_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_1_client") == 0)
method = TLSv1_1_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2") == 0)
method = TLSv1_2_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2_server") == 0)
method = TLSv1_2_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2_client") == 0)
method = TLSv1_2_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1") == 0)
method = TLSv1_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_server") == 0)
method = TLSv1_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_client") == 0)
method = TLSv1_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "DTLSv1") == 0)
method = DTLSv1_method(); /* DTLSv1.0 */
else if (strcmp(meth, "DTLSv1_server") == 0)
method = DTLSv1_server_method(); /* DTLSv1.0 */
else if (strcmp(meth, "DTLSv1_client") == 0)
method = DTLSv1_client_method(); /* DTLSv1.0 */
#ifndef OPENSSL_NO_SSL2
#if OPENSSL_VERSION_NUMBER < 0x10100000L
else if (strcmp(meth, "SSLv2") == 0)
method = SSLv2_method(); /* SSLv2 */
else if (strcmp(meth, "SSLv2_server") == 0)
method = SSLv2_server_method(); /* SSLv2 */
else if (strcmp(meth, "SSLv2_client") == 0)
method = SSLv2_client_method();
#endif
#ifdef LOAD_SSL_CUSTOM
LOAD_SSL_CUSTOM
#endif
#endif
else
luaL_error(L, "#1:%s not supported\n"
"Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
"default is SSLv3",
meth);
ciphers = luaL_optstring(L, 2, SSL_DEFAULT_CIPHER_LIST);
ctx = SSL_CTX_new(method);
if (!ctx)
luaL_error(L, "#1:%s not supported\n"
"Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
"default is SSLv3",
meth);
openssl_newvalue(L, ctx);
SSL_CTX_set_cipher_list(ctx, ciphers);
PUSH_OBJECT(ctx, "openssl.ssl_ctx");
SSL_CTX_set_app_data(ctx, L);
return 1;
}
const SSL_METHOD *TLSv1_1_server_method(void) {
return TLSv1_1_method();
}
const SSL_METHOD *TLSv1_1_client_method(void) {
return TLSv1_1_method();
}
static const SSL_METHOD *get_method(int protocol, int type)
{
const SSL_METHOD *method = NULL;
caml_enter_blocking_section();
switch (protocol)
{
case 0:
switch (type)
{
case 0:
method = SSLv23_client_method();
break;
case 1:
method = SSLv23_server_method();
break;
case 2:
method = SSLv23_method();
break;
}
break;
case 1:
switch (type)
{
case 0:
method = SSLv3_client_method();
break;
case 1:
method = SSLv3_server_method();
break;
case 2:
method = SSLv3_method();
break;
}
break;
case 2:
switch (type)
{
case 0:
method = TLSv1_client_method();
break;
case 1:
method = TLSv1_server_method();
break;
case 2:
method = TLSv1_method();
break;
}
break;
case 3:
#ifdef HAVE_TLS11
switch (type)
{
case 0:
method = TLSv1_1_client_method();
break;
case 1:
method = TLSv1_1_server_method();
break;
case 2:
method = TLSv1_1_method();
break;
}
#endif
break;
case 4:
#ifdef HAVE_TLS12
switch (type)
{
case 0:
method = TLSv1_2_client_method();
break;
case 1:
method = TLSv1_2_server_method();
break;
case 2:
method = TLSv1_2_method();
break;
}
#endif
break;
default:
caml_leave_blocking_section();
caml_invalid_argument("Unknown method (this should not have happened, please report).");
break;
}
caml_leave_blocking_section();
if (method == NULL)
caml_raise_constant(*caml_named_value("ssl_exn_method_error"));
return method;
}