/**
* Closes an accepted SSL server connection and deletes it form the
* connection list.
* @param ssl_server data for ssl server connection
* @param ssl data the connection to be deleted
*/
void close_accepted_ssl_socket(ssl_server_connection *ssl_server, ssl_connection *ssl) {
if (!ssl || !ssl_server)
return;
close_socket(ssl->socket);
LOCK(ssl_mutex);
if (ssl->prev == NULL)
ssl_server->ssl_conn_list = ssl->next;
else
ssl->prev->next = ssl->next;
END_LOCK;
delete_ssl_socket(ssl);
}
/**
* Deletes an accepted SSL server connection from the connection
* list.
* @param ssl_server data for ssl server connection
* @param ssl data the connection to be deleted
* @return TRUE, or FALSE if an error has occured.
*/
int delete_accepted_ssl_socket (ssl_server_connection *ssl_server,
ssl_connection *ssl) {
#ifdef HAVE_OPENSSL
int return_value= TRUE;
if ((ssl == NULL) || (ssl_server == NULL)) {
return FALSE;
}
LOCK(ssl_mutex);
if ( ssl->prev == NULL ) {
ssl_server->ssl_conn_list=ssl->next;
} else {
ssl->prev->next=ssl->next;
}
END_LOCK;
if(! cleanup_ssl_socket(ssl)) {
return_value= FALSE;
}
if (! delete_ssl_socket(ssl)) {
return_value= FALSE;
}
return return_value;
#else
return FALSE;
#endif
}
void socket_free(Socket_T *S) {
ASSERT(S && *S);
#ifdef HAVE_OPENSSL
if((*S)->ssl && (*S)->ssl->handler) {
if((*S)->connection_type==TYPE_LOCAL) {
close_ssl_socket((*S)->ssl);
delete_ssl_socket((*S)->ssl);
} else if((*S)->connection_type==TYPE_ACCEPT && (*S)->sslserver) {
close_accepted_ssl_socket((*S)->sslserver, (*S)->ssl);
}
} else
#endif
close_socket((*S)->socket);
FREE((*S)->host);
FREE(*S);
}
/**
* Generate a new ssl connection
* @return ssl connection container
*/
ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) {
ssl_connection *ssl;
if (!ssl_initialized)
start_ssl();
NEW(ssl);
ssl->socket_bio = NULL;
ssl->handler = NULL;
ssl->cert = NULL;
ssl->cipher = NULL;
ssl->socket = 0;
ssl->next = NULL;
ssl->accepted = FALSE;
ssl->cert_md5 = NULL;
ssl->cert_md5_len = 0;
ssl->clientpemfile = clientpemfile ? xstrdup(clientpemfile) : NULL;
switch (sslversion) {
case SSL_VERSION_AUTO:
#ifdef OPENSSL_FIPS
if (FIPS_mode()) {
ssl->method = TLSv1_client_method();
} else
#endif
ssl->method = SSLv23_client_method();
break;
case SSL_VERSION_SSLV2:
#ifdef OPENSSL_NO_SSL2
LogError("SSLv2 is not allowed - use either SSLv3 or TLSv1");
goto sslerror;
#else
#ifdef OPENSSL_FIPS
if (FIPS_mode()) {
LogError("SSLv2 is not allowed in FIPS mode - use TLSv1");
goto sslerror;
} else
#endif
ssl->method = SSLv2_client_method();
#endif
break;
case SSL_VERSION_SSLV3:
#ifdef OPENSSL_FIPS
if (FIPS_mode()) {
LogError("SSLv3 is not allowed in FIPS mode - use TLSv1");
goto sslerror;
} else
#endif
ssl->method = SSLv3_client_method();
break;
case SSL_VERSION_TLS:
ssl->method = TLSv1_client_method();
break;
default:
LogError("%s: Unknown SSL version!\n", prog);
goto sslerror;
}
if (!ssl->method) {
LogError("%s: Cannot initialize SSL method -- %s\n", prog, SSLERROR);
goto sslerror;
}
if (!(ssl->ctx = SSL_CTX_new(ssl->method))) {
LogError("%s: Cannot initialize SSL server certificate handler -- %s\n", prog, SSLERROR);
goto sslerror;
}
if (ssl->clientpemfile) {
if (SSL_CTX_use_certificate_chain_file(ssl->ctx, ssl->clientpemfile) <= 0) {
LogError("%s: Cannot initialize SSL server certificate -- %s\n", prog, SSLERROR);
goto sslerror;
}
if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile, SSL_FILETYPE_PEM) <= 0) {
LogError("%s: Cannot initialize SSL server private key -- %s\n", prog, SSLERROR);
goto sslerror;
}
if (!SSL_CTX_check_private_key(ssl->ctx)) {
LogError("%s: Private key does not match the certificate public key -- %s\n", prog, SSLERROR);
goto sslerror;
}
}
return ssl;
sslerror:
delete_ssl_socket(ssl);
return NULL;
}
/**
* Generate a new ssl connection
* @return ssl connection container
*/
ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) {
#ifdef HAVE_OPENSSL
ssl_connection *ssl = (ssl_connection *) NEW(ssl);
if (!ssl_initilized) {
start_ssl();
}
ssl->socket_bio= NULL;
ssl->handler= NULL;
ssl->cert= NULL;
ssl->cipher= NULL;
ssl->socket= 0;
ssl->next = NULL;
ssl->accepted = FALSE;
ssl->cert_md5 = NULL;
ssl->cert_md5_len = 0;
if(clientpemfile!=NULL) {
ssl->clientpemfile= xstrdup(clientpemfile);
} else {
ssl->clientpemfile= NULL;
}
switch (sslversion) {
case SSL_VERSION_AUTO:
ssl->method = SSLv23_client_method();
break;
case SSL_VERSION_SSLV2:
ssl->method = SSLv2_client_method();
break;
case SSL_VERSION_SSLV3:
ssl->method = SSLv3_client_method();
break;
case SSL_VERSION_TLS:
ssl->method = TLSv1_client_method();
break;
default:
log("%s: new_ssl_connection(): Unknown SSL version!\n", prog);
goto sslerror;
}
if (ssl->method == NULL ) {
handle_ssl_error("new_ssl_connection()");
log("%s: new_ssl_connection(): Cannot initilize SSL method!\n", prog);
goto sslerror;
}
if ((ssl->ctx= SSL_CTX_new (ssl->method)) == NULL ) {
handle_ssl_error("new_ssl_connection()");
log("%s: new_ssl_connection(): Cannot initilize SSL server certificate"
" handler!\n", prog);
goto sslerror;
}
if ( ssl->clientpemfile!=NULL ) {
if (SSL_CTX_use_certificate_file(ssl->ctx, ssl->clientpemfile,
SSL_FILETYPE_PEM) <= 0) {
handle_ssl_error("new_ssl_connection()");
log("%s: new_ssl_connection(): Cannot initilize SSL server"
" certificate!\n", prog);
goto sslerror;
}
if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile,
SSL_FILETYPE_PEM) <= 0) {
handle_ssl_error("new_ssl_connection()");
log("%s: new_ssl_connection(): Cannot initilize SSL server"
" private key!\n", prog);
goto sslerror;
}
if (!SSL_CTX_check_private_key(ssl->ctx)) {
handle_ssl_error("new_ssl_connection()");
log("%s: new_ssl_connection(): Private key does not match the"
" certificate public key!\n",
prog);
goto sslerror;
}
}
return ssl;
sslerror:
delete_ssl_socket(ssl);
return NULL;
#else
return NULL;
#endif
}
/**
* Generate a new ssl connection
* @return ssl connection container
*/
ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) {
ssl_connection *ssl;
if (!ssl_initialized)
start_ssl();
NEW(ssl);
ssl->socket_bio = NULL;
ssl->handler = NULL;
ssl->cert = NULL;
ssl->cipher = NULL;
ssl->socket = 0;
ssl->next = NULL;
ssl->accepted = FALSE;
ssl->cert_md5 = NULL;
ssl->cert_md5_len = 0;
ssl->clientpemfile = clientpemfile ? Str_dup(clientpemfile) : NULL;
switch (sslversion) {
case SSL_VERSION_SSLV2:
#ifdef OPENSSL_NO_SSL2
LogError("SSLv2 is not allowed - use TLS\n");
goto sslerror;
#else
#ifdef OPENSSL_FIPS
if (FIPS_mode()) {
LogError("SSLv2 is not allowed in FIPS mode - use TLS\n");
goto sslerror;
} else
#endif
ssl->method = SSLv2_client_method();
#endif
break;
case SSL_VERSION_SSLV3:
#ifdef OPENSSL_FIPS
if (FIPS_mode()) {
LogError("SSLv3 is not allowed in FIPS mode - use TLS\n");
goto sslerror;
} else
#endif
ssl->method = SSLv3_client_method();
break;
case SSL_VERSION_TLSV1:
ssl->method = TLSv1_client_method();
break;
#ifdef HAVE_TLSV1_1
case SSL_VERSION_TLSV11:
ssl->method = TLSv1_1_client_method();
break;
#endif
#ifdef HAVE_TLSV1_2
case SSL_VERSION_TLSV12:
ssl->method = TLSv1_2_client_method();
break;
#endif
case SSL_VERSION_AUTO:
default:
ssl->method = SSLv23_client_method();
break;
}
if (!ssl->method) {
LogError("Cannot initialize SSL method -- %s\n", SSLERROR);
goto sslerror;
}
if (!(ssl->ctx = SSL_CTX_new(ssl->method))) {
LogError("Cannot initialize SSL client certificate handler -- %s\n", SSLERROR);
goto sslerror;
}
if (sslversion == SSL_VERSION_AUTO)
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
if (ssl->clientpemfile) {
if (SSL_CTX_use_certificate_chain_file(ssl->ctx, ssl->clientpemfile) <= 0) {
LogError("Cannot initialize SSL client certificate -- %s\n", SSLERROR);
goto sslerror;
}
if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile, SSL_FILETYPE_PEM) <= 0) {
LogError("Cannot initialize SSL client private key -- %s\n", SSLERROR);
goto sslerror;
}
if (!SSL_CTX_check_private_key(ssl->ctx)) {
LogError("Private key does not match the certificate public key -- %s\n", SSLERROR);
goto sslerror;
}
}
return ssl;
sslerror:
delete_ssl_socket(ssl);
return NULL;
}
