static int bio_zlib_new(BIO *bi) { BIO_ZLIB_CTX *ctx; # ifdef ZLIB_SHARED (void)COMP_zlib(); if (!zlib_loaded) { COMPerr(COMP_F_BIO_ZLIB_NEW, COMP_R_ZLIB_NOT_SUPPORTED); return 0; } # endif ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) { COMPerr(COMP_F_BIO_ZLIB_NEW, ERR_R_MALLOC_FAILURE); return 0; } ctx->ibufsize = ZLIB_DEFAULT_BUFSIZE; ctx->obufsize = ZLIB_DEFAULT_BUFSIZE; ctx->zin.zalloc = Z_NULL; ctx->zin.zfree = Z_NULL; ctx->zout.zalloc = Z_NULL; ctx->zout.zfree = Z_NULL; ctx->comp_level = Z_DEFAULT_COMPRESSION; BIO_set_init(bi, 1); BIO_set_data(bi, ctx); return 1; }
OpenSSL::OpenSSL( TLSHandler *th, const std::string& server ) : TLSBase( th, server ), m_ssl( 0 ), m_ctx( 0 ), m_buf( 0 ), m_bufsize( 17000 ) { m_buf = (char*)calloc( m_bufsize + 1, sizeof( char ) ); SSL_library_init(); SSL_COMP_add_compression_method( 1, COMP_zlib() ); m_ctx = SSL_CTX_new( TLSv1_client_method() ); if( !m_ctx ) return; if( !SSL_CTX_set_cipher_list( m_ctx, "HIGH:MEDIUM:AES:@STRENGTH" ) ) return; m_ssl = SSL_new( m_ctx ); SSL_set_connect_state( m_ssl ); if( !BIO_new_bio_pair( &m_ibio, 0, &m_nbio, 0 ) ) { return; } SSL_set_bio( m_ssl, m_ibio, m_ibio ); SSL_set_mode( m_ssl, SSL_MODE_AUTO_RETRY ); }
bool OpenSSL::init() { if( m_initLib ) SSL_library_init(); SSL_COMP_add_compression_method( 1, COMP_zlib() ); m_ctx = SSL_CTX_new( TLSv1_client_method() ); if( !m_ctx ) return false; if( !SSL_CTX_set_cipher_list( m_ctx, "HIGH:MEDIUM:AES:@STRENGTH" ) ) return false; m_ssl = SSL_new( m_ctx ); SSL_set_connect_state( m_ssl ); if( !BIO_new_bio_pair( &m_ibio, 0, &m_nbio, 0 ) ) return false; SSL_set_bio( m_ssl, m_ibio, m_ibio ); SSL_set_mode( m_ssl, SSL_MODE_AUTO_RETRY ); m_valid = true; return true; }
int SSLInit(const SSLOptions& sslOpt) { int iResult = 0; if(!iSSLInit) { iSSLInit = 1; #ifdef _WIN32 InitializeCriticalSection(&lock); #else pthread_mutexattr_t mutexAttr; pthread_mutexattr_init(&mutexAttr); pthread_mutexattr_settype(&mutexAttr, PTHREAD_MUTEX_RECURSIVE); pthread_mutex_init(&lock, &mutexAttr); #endif CRYPTO_set_locking_callback(LockSSL); SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); COMP_METHOD* pCompressMethod = COMP_zlib(); if(pCompressMethod != NULL) { SSL_COMP_add_compression_method(0xe0, pCompressMethod); } pCompressMethod = COMP_rle(); if(pCompressMethod != NULL) { SSL_COMP_add_compression_method(0xe1, pCompressMethod); } pSSLCliCtx = SSLMakeCtx(sslOpt, 0); pSSLSrvCtx = SSLMakeCtx(sslOpt, 1); if(!pSSLCliCtx || !pSSLSrvCtx) { SSLDone(); iResult = -1; } } return (iResult); }
static void load_builtin_compressions(void) { int got_write_lock = 0; CRYPTO_r_lock(CRYPTO_LOCK_SSL); if (ssl_comp_methods == NULL) { CRYPTO_r_unlock(CRYPTO_LOCK_SSL); CRYPTO_w_lock(CRYPTO_LOCK_SSL); got_write_lock = 1; if (ssl_comp_methods == NULL) { SSL_COMP *comp = NULL; MemCheck_off(); ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); if (ssl_comp_methods != NULL) { comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); if (comp != NULL) { comp->method=COMP_zlib(); if (comp->method && comp->method->type == NID_undef) OPENSSL_free(comp); else { comp->id=SSL_COMP_ZLIB_IDX; comp->name=comp->method->name; sk_SSL_COMP_push(ssl_comp_methods,comp); } } sk_SSL_COMP_sort(ssl_comp_methods); } MemCheck_on(); } } if (got_write_lock) CRYPTO_w_unlock(CRYPTO_LOCK_SSL); else CRYPTO_r_unlock(CRYPTO_LOCK_SSL); }
void openssl_ctx_compress() { COMP_CTX *ctx; int len, size, total; unsigned char inputs[COMM_LEN] = "ctx_compress"; unsigned char tmps[COMM_LEN], outputs[COMM_LEN]; memset(tmps, 0, sizeof(tmps)); memset(outputs, 0, sizeof(outputs)); ctx = COMP_CTX_new(COMP_zlib()); total = COMP_compress_block(ctx, outputs, COMM_LEN, inputs, COMM_LEN); len = COMP_expand_block(ctx, tmps, sizeof(tmps), outputs, total); COMP_CTX_free(ctx); printf("\nCompress(%s) = ", inputs); for (size = 0; size < total; size++) printf("%02x", outputs[size]); printf("\n"); }
bool OpenSSLBase::init( const std::string& clientKey, const std::string& clientCerts, const StringList& cacerts ) { #if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER < 0x10100000 ) if( m_initLib ) SSL_library_init(); #endif // OPENSSL_VERSION_NUMBER < 0x10100000 SSL_COMP_add_compression_method( 193, COMP_zlib() ); OpenSSL_add_all_algorithms(); if( !setType() ) //inits m_ctx return false; setClientCert( clientKey, clientCerts ); setCACerts( cacerts ); if( !SSL_CTX_set_cipher_list( m_ctx, "HIGH:MEDIUM:AES:@STRENGTH" ) ) return false; m_ssl = SSL_new( m_ctx ); if( !m_ssl ) return false; if( !BIO_new_bio_pair( &m_ibio, 0, &m_nbio, 0 ) ) return false; SSL_set_bio( m_ssl, m_ibio, m_ibio ); SSL_set_mode( m_ssl, SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE ); ERR_load_crypto_strings(); SSL_load_error_strings(); if( !privateInit() ) return false; m_valid = true; return true; }
static int bio_zlib_new (BIO * bi) { BIO_ZLIB_CTX *ctx; #ifdef ZLIB_SHARED (void) COMP_zlib (); if (!zlib_loaded) { COMPerr (COMP_F_BIO_ZLIB_NEW, COMP_R_ZLIB_NOT_SUPPORTED); return 0; } #endif ctx = OPENSSL_malloc (sizeof (BIO_ZLIB_CTX)); if (!ctx) { COMPerr (COMP_F_BIO_ZLIB_NEW, ERR_R_MALLOC_FAILURE); return 0; } ctx->ibuf = NULL; ctx->obuf = NULL; ctx->ibufsize = ZLIB_DEFAULT_BUFSIZE; ctx->obufsize = ZLIB_DEFAULT_BUFSIZE; ctx->zin.zalloc = Z_NULL; ctx->zin.zfree = Z_NULL; ctx->zin.next_in = NULL; ctx->zin.avail_in = 0; ctx->zin.next_out = NULL; ctx->zin.avail_out = 0; ctx->zout.zalloc = Z_NULL; ctx->zout.zfree = Z_NULL; ctx->zout.next_in = NULL; ctx->zout.avail_in = 0; ctx->zout.next_out = NULL; ctx->zout.avail_out = 0; ctx->odone = 0; ctx->comp_level = Z_DEFAULT_COMPRESSION; bi->init = 1; bi->ptr = (char *) ctx; bi->flags = 0; return 1; }
NOEXPORT int compression_init(GLOBAL_OPTIONS *global) { STACK_OF(SSL_COMP) *methods; methods=SSL_COMP_get_compression_methods(); if(!methods) { if(global->compression==COMP_NONE) { s_log(LOG_NOTICE, "Failed to get compression methods"); return 0; /* ignore */ } else { s_log(LOG_ERR, "Failed to get compression methods"); return 1; } } if(global->compression==COMP_NONE || SSLeay()<0x00908051L /* 0.9.8e-beta1 */) { /* delete OpenSSL defaults (empty the SSL_COMP stack) */ /* cannot use sk_SSL_COMP_pop_free, * as it also destroys the stack itself */ /* only leave the standard RFC 1951 (DEFLATE) algorithm, * if any of the private algorithms is enabled */ /* only allow DEFLATE with OpenSSL 0.9.8 or later * with OpenSSL #1468 zlib memory leak fixed */ while(sk_SSL_COMP_num(methods)) #if OPENSSL_VERSION_NUMBER>=0x10100000L /* FIXME: remove when sk_SSL_COMP_pop() works again */ OPENSSL_free(sk_pop((void *)methods)); #else OPENSSL_free(sk_SSL_COMP_pop(methods)); #endif } if(global->compression==COMP_NONE) { s_log(LOG_DEBUG, "Compression disabled"); return 0; /* success */ } /* also insert the obsolete ZLIB algorithm */ if(global->compression==COMP_ZLIB) { /* 224 - within the private range (193 to 255) */ COMP_METHOD *meth=COMP_zlib(); #if OPENSSL_VERSION_NUMBER>=0x10100000L if(!meth || COMP_get_type(meth)==NID_undef) { #else if(!meth || meth->type==NID_undef) { #endif s_log(LOG_ERR, "ZLIB compression is not supported"); return 1; } SSL_COMP_add_compression_method(0xe0, meth); } s_log(LOG_INFO, "Compression enabled: %d method(s)", sk_SSL_COMP_num(methods)); return 0; /* success */ } #endif /* OPENSSL_NO_COMP */ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) { int totbytes=0; char filename[256]; #ifndef USE_WIN32 int bytes; #endif filename[0]='\0'; /* if they specify a rand file on the command line we assume that they really do want it, so try it first */ if(global->rand_file) { totbytes+=add_rand_file(global, global->rand_file); if(RAND_status()) return 0; /* success */ } /* try the $RANDFILE or $HOME/.rnd files */ RAND_file_name(filename, 256); if(filename[0]) { totbytes+=add_rand_file(global, filename); if(RAND_status()) return 0; /* success */ } #ifdef RANDOM_FILE totbytes+=add_rand_file(global, RANDOM_FILE); if(RAND_status()) return 0; /* success */ #endif #ifdef USE_WIN32 RAND_screen(); if(RAND_status()) { s_log(LOG_DEBUG, "Seeded PRNG with RAND_screen"); return 0; /* success */ } s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG"); #else if(global->egd_sock) { if((bytes=RAND_egd(global->egd_sock))==-1) { s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock); bytes=0; } else { totbytes+=bytes; s_log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s", bytes, global->egd_sock); return 0; /* OpenSSL always gets what it needs or fails, so no need to check if seeded sufficiently */ } } /* try the good-old default /dev/urandom, if available */ totbytes+=add_rand_file(global, "/dev/urandom"); if(RAND_status()) return 0; /* success */ #endif /* USE_WIN32 */ /* random file specified during configure */ s_log(LOG_ERR, "PRNG seeded with %d bytes total", totbytes); s_log(LOG_ERR, "PRNG was not seeded with enough random bytes"); return 1; /* FAILED */ }
int main(int argc, char *argv[]) { char *CApath=NULL,*CAfile=NULL; int badop=0; int bio_pair=0; int force=0; int tls1=0,ssl2=0,ssl3=0,ret=1; int client_auth=0; int server_auth=0,i; int app_verify=0; char *server_cert=TEST_SERVER_CERT; char *server_key=NULL; char *client_cert=TEST_CLIENT_CERT; char *client_key=NULL; SSL_CTX *s_ctx=NULL; SSL_CTX *c_ctx=NULL; SSL_METHOD *meth=NULL; SSL *c_ssl,*s_ssl; int number=1,reuse=0; long bytes=1L; #ifndef OPENSSL_NO_DH DH *dh; int dhe1024 = 0, dhe1024dsa = 0; #endif int no_dhe = 0; int print_time = 0; clock_t s_time = 0, c_time = 0; int comp = 0; COMP_METHOD *cm = NULL; verbose = 0; debug = 0; cipher = 0; bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); CRYPTO_set_locking_callback(lock_dbg_cb); /* enable memory leak checking unless explicitly disabled */ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); RAND_seed(rnd_seed, sizeof rnd_seed); bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE); argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-server_auth") == 0) server_auth=1; else if (strcmp(*argv,"-client_auth") == 0) client_auth=1; else if (strcmp(*argv,"-v") == 0) verbose=1; else if (strcmp(*argv,"-d") == 0) debug=1; else if (strcmp(*argv,"-reuse") == 0) reuse=1; else if (strcmp(*argv,"-dhe1024") == 0) { #ifndef OPENSSL_NO_DH dhe1024=1; #else fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv,"-dhe1024dsa") == 0) { #ifndef OPENSSL_NO_DH dhe1024dsa=1; #else fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv,"-no_dhe") == 0) no_dhe=1; else if (strcmp(*argv,"-ssl2") == 0) ssl2=1; else if (strcmp(*argv,"-tls1") == 0) tls1=1; else if (strcmp(*argv,"-ssl3") == 0) ssl3=1; else if (strncmp(*argv,"-num",4) == 0) { if (--argc < 1) goto bad; number= atoi(*(++argv)); if (number == 0) number=1; } else if (strcmp(*argv,"-bytes") == 0) { if (--argc < 1) goto bad; bytes= atol(*(++argv)); if (bytes == 0L) bytes=1L; i=strlen(argv[0]); if (argv[0][i-1] == 'k') bytes*=1024L; if (argv[0][i-1] == 'm') bytes*=1024L*1024L; } else if (strcmp(*argv,"-cert") == 0) { if (--argc < 1) goto bad; server_cert= *(++argv); } else if (strcmp(*argv,"-s_cert") == 0) { if (--argc < 1) goto bad; server_cert= *(++argv); } else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; server_key= *(++argv); } else if (strcmp(*argv,"-s_key") == 0) { if (--argc < 1) goto bad; server_key= *(++argv); } else if (strcmp(*argv,"-c_cert") == 0) { if (--argc < 1) goto bad; client_cert= *(++argv); } else if (strcmp(*argv,"-c_key") == 0) { if (--argc < 1) goto bad; client_key= *(++argv); } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; cipher= *(++argv); } else if (strcmp(*argv,"-CApath") == 0) { if (--argc < 1) goto bad; CApath= *(++argv); } else if (strcmp(*argv,"-CAfile") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); } else if (strcmp(*argv,"-bio_pair") == 0) { bio_pair = 1; } else if (strcmp(*argv,"-f") == 0) { force = 1; } else if (strcmp(*argv,"-time") == 0) { print_time = 1; } else if (strcmp(*argv,"-zlib") == 0) { comp = COMP_ZLIB; } else if (strcmp(*argv,"-rle") == 0) { comp = COMP_RLE; } else if (strcmp(*argv,"-app_verify") == 0) { app_verify = 1; } else { fprintf(stderr,"unknown option %s\n",*argv); badop=1; break; } argc--; argv++; } if (badop) { bad: sv_usage(); goto end; } if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " "or add one of -ssl2, -ssl3, -tls1, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } if (print_time) { if (!bio_pair) { fprintf(stderr, "Using BIO pair (-bio_pair)\n"); bio_pair = 1; } if (number < 50 && !force) fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); } /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ SSL_library_init(); SSL_load_error_strings(); if (comp == COMP_ZLIB) cm = COMP_zlib(); if (comp == COMP_RLE) cm = COMP_rle(); if (cm != NULL) { if (cm->type != NID_undef) SSL_COMP_add_compression_method(comp, cm); else { fprintf(stderr, "Warning: %s compression not supported\n", (comp == COMP_RLE ? "rle" : (comp == COMP_ZLIB ? "zlib" : "unknown"))); ERR_print_errors_fp(stderr); } } #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) if (ssl2) meth=SSLv2_method(); else if (tls1) meth=TLSv1_method(); else if (ssl3) meth=SSLv3_method(); else meth=SSLv23_method(); #else #ifdef OPENSSL_NO_SSL2 meth=SSLv3_method(); #else meth=SSLv2_method(); #endif #endif c_ctx=SSL_CTX_new(meth); s_ctx=SSL_CTX_new(meth); if ((c_ctx == NULL) || (s_ctx == NULL)) { ERR_print_errors(bio_err); goto end; } if (cipher != NULL) { SSL_CTX_set_cipher_list(c_ctx,cipher); SSL_CTX_set_cipher_list(s_ctx,cipher); } #ifndef OPENSSL_NO_DH if (!no_dhe) { if (dhe1024dsa) { /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); dh=get_dh1024dsa(); } else if (dhe1024) dh=get_dh1024(); else dh=get_dh512(); SSL_CTX_set_tmp_dh(s_ctx,dh); DH_free(dh); } #else (void)no_dhe; #endif #ifndef OPENSSL_NO_RSA SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb); #endif if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, (server_key?server_key:server_cert), SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); goto end; } if (client_auth) { SSL_CTX_use_certificate_file(c_ctx,client_cert, SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(c_ctx, (client_key?client_key:client_cert), SSL_FILETYPE_PEM); } if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { /* fprintf(stderr,"SSL_load_verify_locations\n"); */ ERR_print_errors(bio_err); /* goto end; */ } if (client_auth) { BIO_printf(bio_err,"client authentication\n"); SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); if (app_verify) { SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); } } if (server_auth) { BIO_printf(bio_err,"server authentication\n"); SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, verify_callback); if (app_verify) { SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); } } { int session_id_context = 0; SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); } c_ssl=SSL_new(c_ctx); s_ssl=SSL_new(s_ctx); #ifndef OPENSSL_NO_KRB5 if (c_ssl && c_ssl->kssl_ctx) { char localhost[MAXHOSTNAMELEN+2]; if (gethostname(localhost, sizeof localhost-1) == 0) { localhost[sizeof localhost-1]='\0'; if(strlen(localhost) == sizeof localhost-1) { BIO_printf(bio_err,"localhost name too long\n"); goto end; } kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost); } } #endif /* OPENSSL_NO_KRB5 */ for (i=0; i<number; i++) { if (!reuse) SSL_set_session(c_ssl,NULL); if (bio_pair) ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time); else ret=doit(s_ssl,c_ssl,bytes); } if (!verbose) { print_details(c_ssl, ""); } if ((number > 1) || (bytes > 1L)) BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes); if (print_time) { #ifdef CLOCKS_PER_SEC /* "To determine the time in seconds, the value returned * by the clock function should be divided by the value * of the macro CLOCKS_PER_SEC." * -- ISO/IEC 9899 */ BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" "Approximate total client time: %6.2f s\n", (double)s_time/CLOCKS_PER_SEC, (double)c_time/CLOCKS_PER_SEC); #else /* "`CLOCKS_PER_SEC' undeclared (first use this function)" * -- cc on NeXTstep/OpenStep */ BIO_printf(bio_stdout, "Approximate total server time: %6.2f units\n" "Approximate total client time: %6.2f units\n", (double)s_time, (double)c_time); #endif } SSL_free(s_ssl); SSL_free(c_ssl); end: if (s_ctx != NULL) SSL_CTX_free(s_ctx); if (c_ctx != NULL) SSL_CTX_free(c_ctx); if (bio_stdout != NULL) BIO_free(bio_stdout); #ifndef OPENSSL_NO_RSA free_tmp_rsa(); #endif #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); EVP_cleanup(); CRYPTO_mem_leaks(bio_err); if (bio_err != NULL) BIO_free(bio_err); EXIT(ret); }