static int test_v3(void) { STACK_OF(SSL_CIPHER) *sk = NULL, *scsv = NULL; /* ECDHE-ECDSA-AES256GCM, ECDHE-ECDSA-CHACHAPOLY, DHE-RSA-AES256GCM, * EMPTY-RENEGOTIATION-INFO-SCSV, FALLBACK-SCSV */ const unsigned char bytes[] = {0x00, 0x2f, 0x00, 0x33, 0x00, 0x9f, 0x00, 0xff, 0x56, 0x00}; int ret = 0; if (!SSL_bytes_to_cipher_list(s, bytes, sizeof(bytes), 0, &sk, &scsv) || !TEST_ptr(sk) || !TEST_int_eq(sk_SSL_CIPHER_num(sk), 3) || !TEST_ptr(scsv) || !TEST_int_eq(sk_SSL_CIPHER_num(scsv), 2) || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 0)), "AES128-SHA") || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 1)), "DHE-RSA-AES128-SHA") || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 2)), "DHE-RSA-AES256-GCM-SHA384") || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(scsv, 0)), "TLS_EMPTY_RENEGOTIATION_INFO_SCSV") || !TEST_str_eq(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(scsv, 1)), "TLS_FALLBACK_SCSV")) goto err; ret = 1; err: sk_SSL_CIPHER_free(sk); sk_SSL_CIPHER_free(scsv); return ret; }
static int test_v2(void) { STACK_OF(SSL_CIPHER) *sk, *scsv; /* ECDHE-ECDSA-AES256GCM, SSL2_RC4_1238_WITH_MD5, * ECDHE-ECDSA-CHACHA20-POLY1305 */ const unsigned char bytes[] = {0x00, 0x00, 0x35, 0x01, 0x00, 0x80, 0x00, 0x00, 0x33}; int ret = 0; if (!TEST_true(SSL_bytes_to_cipher_list(s, bytes, sizeof(bytes), 1, &sk, &scsv)) || !TEST_ptr(sk) || !TEST_int_eq(sk_SSL_CIPHER_num(sk), 2) || !TEST_ptr(scsv) || !TEST_int_eq(sk_SSL_CIPHER_num(scsv), 0)) goto err; if (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 0)), "AES256-SHA") != 0 || strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 1)), "DHE-RSA-AES128-SHA") != 0) goto err; ret = 1; err: sk_SSL_CIPHER_free(sk); sk_SSL_CIPHER_free(scsv); return ret; }
static void print_ciphersuite_data(BIO *io, SSL *ssl, int js) { SSL_SESSION* session = SSL_get_session(ssl); long protocol = SSL_version(ssl); const char *protocol_name = get_protocol_name(protocol); const char *eol = js ? "\\n\\\n" : "\n"; if(BIO_printf(io, "Version: 0x%lx %s%s", protocol, protocol_name, eol) <= 0) err_exit("Write error"); if(BIO_printf(io, "Current cipher: %s%s", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)), eol) <= 0) err_exit("Write error"); STACK_OF(SSL_CIPHER) *ciphers = session->ciphers; SSL_CIPHER *c; int n = sk_SSL_CIPHER_num(ciphers); if(BIO_printf(io, "client sent %d ciphers%s", n, eol) <= 0) err_exit("Write error"); int i; for (i = 0; i < n; i++) { c = sk_SSL_CIPHER_value(ciphers, i); if(BIO_printf(io, "client [%2d of %2d]: %s%s", i, n, SSL_CIPHER_get_name(c), eol) <= 0) err_exit("Write error"); } }
/** Return true iff the cipher list suggested by the client for <b>ssl</b> is * a list that indicates that the client knows how to do the v2 TLS connection * handshake. */ static int tor_tls_client_is_using_v2_ciphers(const SSL *ssl, const char *address) { int i; SSL_SESSION *session; /* If we reached this point, we just got a client hello. See if there is * a cipher list. */ if (!(session = SSL_get_session((SSL *)ssl))) { log_warn(LD_NET, "No session on TLS?"); return 0; } if (!session->ciphers) { log_warn(LD_NET, "No ciphers on session"); return 0; } /* Now we need to see if there are any ciphers whose presence means we're * dealing with an updated Tor. */ for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) { SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i); const char *ciphername = SSL_CIPHER_get_name(cipher); if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) && strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) && strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) && strcmp(ciphername, "(NONE)")) { /* XXXX should be ld_debug */ log_info(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername); // return 1; goto dump_list; } } return 0; dump_list: { smartlist_t *elts = smartlist_create(); char *s; for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) { SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i); const char *ciphername = SSL_CIPHER_get_name(cipher); smartlist_add(elts, (char*)ciphername); } s = smartlist_join_strings(elts, ":", 0, NULL); log_info(LD_NET, "Got a non-version-1 cipher list from %s. It is: '%s'", address, s); tor_free(s); smartlist_free(elts); } return 1; }
int tlsops_cipher(struct sip_msg *msg, pv_param_t *param, pv_value_t *res) { str cipher; static char buf[1024]; struct tcp_connection* c; SSL* ssl; c = get_cur_connection(msg); if (!c) { LM_INFO("TLS connection not found in select_cipher\n"); goto err; } ssl = get_ssl(c); if (!ssl) goto err; cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)); cipher.len = cipher.s ? strlen(cipher.s) : 0; if (cipher.len >= 1024) { LM_ERR("cipher name too long\n"); goto err; } memcpy(buf, cipher.s, cipher.len); res->rs.s = buf; res->rs.len = cipher.len; res->flags = PV_VAL_STR; tcpconn_put(c); return 0; err: if (c) tcpconn_put(c); return pv_get_null(msg, param, res); }
static int get_cipher(str* res, sip_msg_t* msg) { str cipher; static char buf[1024]; struct tcp_connection* c; SSL* ssl; c = get_cur_connection(msg); if (!c) { INFO("TLS connection not found in select_cipher\n"); goto err; } ssl = get_ssl(c); if (!ssl) goto err; cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)); cipher.len = cipher.s ? strlen(cipher.s) : 0; if (cipher.len >= 1024) { ERR("Cipher name too long\n"); goto err; } memcpy(buf, cipher.s, cipher.len); res->s = buf; res->len = cipher.len; tcpconn_put(c); return 0; err: if (c) tcpconn_put(c); return -1; }
static std::unordered_map<uint16_t, std::string> getOpenSSLCipherNames() { std::unordered_map<uint16_t, std::string> ret; SSL_CTX* ctx = nullptr; SSL* ssl = nullptr; const SSL_METHOD* meth = SSLv23_server_method(); OpenSSL_add_ssl_algorithms(); if ((ctx = SSL_CTX_new(meth)) == nullptr) { return ret; } SCOPE_EXIT { SSL_CTX_free(ctx); }; if ((ssl = SSL_new(ctx)) == nullptr) { return ret; } SCOPE_EXIT { SSL_free(ssl); }; STACK_OF(SSL_CIPHER)* sk = SSL_get_ciphers(ssl); for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) { const SSL_CIPHER* c = sk_SSL_CIPHER_value(sk, i); unsigned long id = SSL_CIPHER_get_id(c); // OpenSSL 1.0.2 and prior does weird things such as stuff the SSL/TLS // version into the top 16 bits. Let's ignore those for now. This is // BoringSSL compatible (their id can be cast as uint16_t) uint16_t cipherCode = id & 0xffffL; ret[cipherCode] = SSL_CIPHER_get_name(c); } return ret; }
const char *OpenSSLQueryCipher(STREAM *S) { void *ptr; if (! S) return(NULL); ptr=STREAMGetItem(S,"LIBUSEFUL-SSL-CTX"); if (! ptr) return(NULL); #ifdef HAVE_LIBSSL const SSL_CIPHER *Cipher; char *Tempstr=NULL; Cipher=SSL_get_current_cipher((const SSL *) ptr); if (Cipher) { Tempstr=FormatStr(Tempstr,"%d bit %s",SSL_CIPHER_get_bits(Cipher,NULL), SSL_CIPHER_get_name(Cipher)); STREAMSetValue(S,"SSL-Cipher",Tempstr); Tempstr=SetStrLen(Tempstr,1024); Tempstr=SSL_CIPHER_description(Cipher, Tempstr, 1024); STREAMSetValue(S,"SSL-Cipher-Details",Tempstr); } DestroyString(Tempstr); return(STREAMGetValue(S,"SSL-Cipher")); #else return(NULL); #endif }
bool Parser::extractKeyingMaterial() { int r = 0; if (!isHandshakeFinished()) { printf("dtls::Parser::extractKeyingMaterial() - error: cannot extract keying material when the handshake isn't finished.\n"); return false; } r = SSL_export_keying_material(ssl, keying_material, DTLS_SRTP_MASTER_LEN * 2, "EXTRACTOR-dtls_srtp", 19, NULL, 0, 0); if (r != 1) { printf("dtls::Parser::extractKeyingMaterial() - error: cannot export the keying material.\n"); exit(1); } if (mode == DTLS_MODE_SERVER) { /* set the keying material in case we are a server. */ remote_key = keying_material; local_key = remote_key + DTLS_SRTP_MASTER_KEY_LEN; remote_salt = local_key + DTLS_SRTP_MASTER_KEY_LEN; local_salt = remote_salt + DTLS_SRTP_MASTER_SALT_LEN; } else if (mode == DTLS_MODE_CLIENT) { printf("dtls::Parser::extractKeyingMaterial() - error: client keying material not tested.\n"); /* set the keying material in case we are a client. */ local_key = keying_material; remote_key = local_key + DTLS_SRTP_MASTER_KEY_LEN; local_salt = remote_key + DTLS_SRTP_MASTER_KEY_LEN; remote_salt = local_salt + DTLS_SRTP_MASTER_SALT_LEN; exit(1); } else { printf("dtls::Parser::extractKeyingMaterial() - error: unhandled dtls::Parser mode!.\n"); exit(1); } #if 1 /* show some debug info (p->name probably = SRTP_AES128_CM_SHA1_80) */ SRTP_PROTECTION_PROFILE *p = SSL_get_selected_srtp_profile(ssl); if(!p) { printf("dtls::Parser::extractKeyingMaterial() - error: cannot extract the srtp_profile.\n"); exit(1); } printf("dtls::Parser::extractKeyingMaterial() - verbose: protection profile: %s\n", p->name); /* cipher probably is AES256-SHA */ printf("dtls::Parser::extractKeyingMaterial() - verbose: cipher: %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))); #endif return true; }
static int openssl_ssl_current_cipher(lua_State *L) { SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl"); const SSL_CIPHER* c = SSL_get_current_cipher(s); if (c) { int bits, algbits; char err[LUAL_BUFFERSIZE] = {0};; lua_newtable(L); AUXILIAR_SET(L, -1, "name", SSL_CIPHER_get_name(c), string); AUXILIAR_SET(L, -1, "version", SSL_CIPHER_get_version(c), string); #if OPENSSL_VERSION_NUMBER > 0x10000000L AUXILIAR_SET(L, -1, "id", SSL_CIPHER_get_id(c), integer); #endif bits = SSL_CIPHER_get_bits(c, &algbits); AUXILIAR_SET(L, -1, "bits", bits, integer); AUXILIAR_SET(L, -1, "algbits", algbits, integer); AUXILIAR_SET(L, -1, "description", SSL_CIPHER_description((SSL_CIPHER*)c, err, sizeof(err)), string); return 1; } return 0; }
static const char * openssl_iostream_get_security_string(struct ssl_iostream *ssl_io) { const SSL_CIPHER *cipher; #ifdef HAVE_SSL_COMPRESSION const COMP_METHOD *comp; #endif const char *comp_str; int bits, alg_bits; if (!ssl_io->handshaked) return ""; cipher = SSL_get_current_cipher(ssl_io->ssl); bits = SSL_CIPHER_get_bits(cipher, &alg_bits); #ifdef HAVE_SSL_COMPRESSION comp = SSL_get_current_compression(ssl_io->ssl); comp_str = comp == NULL ? "" : t_strconcat(" ", SSL_COMP_get_name(comp), NULL); #else comp_str = ""; #endif return t_strdup_printf("%s with cipher %s (%d/%d bits)%s", SSL_get_version(ssl_io->ssl), SSL_CIPHER_get_name(cipher), bits, alg_bits, comp_str); }
/** * Adds Ciphers to the Cipher List structure * * @param options Options for this run * @param ssl_method SSL method to populate ciphers for. * @return Boolean: true = success | false = error */ int populate_ciphers(struct sslCheckOptions *options, const SSL_METHOD *ssl_method) { struct sslCipher *cipher_ptr; int i; // STACK_OF is a sign that you should be using C++ :) STACK_OF(SSL_CIPHER) *cipher_list; SSL_CTX *ctx; SSL *ssl = NULL; ctx = SSL_CTX_new(ssl_method); if (ctx == NULL) { printf("%sERROR: Could not create CTX object.%s\n", COL_RED, RESET); return false; } SSL_CTX_set_cipher_list(ctx, "ALL:COMPLEMENTOFALL"); ssl = SSL_new(ctx); if (ssl == NULL) { printf("%sERROR: Could not create SSL object.%s\n", COL_RED, RESET); SSL_CTX_free(ctx); return false; } cipher_list = SSL_get_ciphers(ssl); if (options->ciphers != NULL) { cipher_ptr = options->ciphers; while (cipher_ptr->next != NULL) cipher_ptr = cipher_ptr->next; } // Create Cipher Struct Entries... for (i = 0; i < sk_SSL_CIPHER_num(cipher_list); i++) { if (options->ciphers == NULL) { options->ciphers = malloc(sizeof(struct sslCipher)); cipher_ptr = options->ciphers; } else { cipher_ptr->next = malloc(sizeof(struct sslCipher)); cipher_ptr = cipher_ptr->next; } memset(cipher_ptr, 0, sizeof(struct sslCipher)); cipher_ptr->next = NULL; // Add cipher information... cipher_ptr->sslMethod = ssl_method; cipher_ptr->name = SSL_CIPHER_get_name(sk_SSL_CIPHER_value(cipher_list, i)); cipher_ptr->version = SSL_CIPHER_get_version(sk_SSL_CIPHER_value(cipher_list, i)); SSL_CIPHER_description(sk_SSL_CIPHER_value(cipher_list, i), cipher_ptr->description, sizeof(cipher_ptr->description) - 1); cipher_ptr->bits = SSL_CIPHER_get_bits(sk_SSL_CIPHER_value(cipher_list, i), &cipher_ptr->alg_bits); } SSL_free(ssl); SSL_CTX_free(ctx); return true; }
static void set_cipher_info(TLS_REC *tls, SSL *ssl) { g_return_if_fail(tls != NULL); g_return_if_fail(ssl != NULL); tls_rec_set_protocol_version(tls, SSL_get_version(ssl)); tls_rec_set_cipher(tls, SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))); tls_rec_set_cipher_size(tls, SSL_get_cipher_bits(ssl, NULL)); }
CAMLprim value ocaml_ssl_get_cipher_name(value vcipher) { const char *name; SSL_CIPHER *cipher = (SSL_CIPHER*)vcipher; caml_enter_blocking_section(); name = SSL_CIPHER_get_name(cipher); caml_leave_blocking_section(); return caml_copy_string(name); }
const char* Connection::currentCipher() const { //char desc[512]; //SSL_CIPHER_description(c, desc, sizeof(desc)); //bits = SSL_CIPHER_get_bits(c, &usedBits); //name = SSL_CIPHER_get_name(c); //version = SSL_CIPHER_get_version(c); const SSL_CIPHER* c = SSL_get_current_cipher(_ssl); const char* name = SSL_CIPHER_get_name(c); return name; }
const char * rb_ssl_get_cipher(rb_fde_t *F) { const SSL_CIPHER *sslciph; if(F == NULL || F->ssl == NULL) return NULL; if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL) return NULL; return SSL_CIPHER_get_name(sslciph); }
const char *net_get_cipher(void) { if (_use_ssl) { const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); if (cipher) return SSL_CIPHER_get_name(cipher); else return "unencrypted"; } else return "unencrypted"; }
bool pn_ssl_get_cipher_name(pn_ssl_t *ssl, char *buffer, size_t size ) { const SSL_CIPHER *c; *buffer = '\0'; if (ssl->ssl && (c = SSL_get_current_cipher( ssl->ssl ))) { const char *v = SSL_CIPHER_get_name(c); if (v) { snprintf( buffer, size, "%s", v ); return true; } } return false; }
static void benchmark(SSL *ssl, uint64_t send_bytes, uint64_t recv_bytes) { uint64_t bytes = 0; char buf[BENCH_CHUNK]; record_time_t t0, t1, t2; int sd; memset(buf, 'a', BENCH_CHUNK); record_time(&t0); if (SSL_connect(ssl) != 1) { ERR_print_errors_fp(stderr); goto out; } printf("cipher: %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))); record_time(&t1); if (send_bytes) { while (bytes < send_bytes) { int to_send = (send_bytes - bytes > BENCH_CHUNK) ? BENCH_CHUNK : send_bytes - bytes; if (SSL_write_all(ssl, buf, to_send)) break; bytes += to_send; } } else { while (bytes < recv_bytes) { int to_recv = (recv_bytes - bytes > BENCH_CHUNK) ? BENCH_CHUNK : recv_bytes - bytes; int recved; recved = SSL_read(ssl, buf, sizeof(to_recv)); if (recved > 0) bytes += recved; else break; } } record_time(&t2); print_time((send_bytes > 0) ? "sending" : "receiving", (send_bytes > 0) ? send_bytes : recv_bytes, &t1, &t2); SSL_shutdown(ssl); out: sd = SSL_get_fd(ssl); SSL_free(ssl); close(sd); }
int tls_init_data_session(const int fd, const int passive) { const SSL_CIPHER *cipher; int ret; int ret_; (void) passive; if (tls_ctx == NULL) { logfile(LOG_ERR, MSG_TLS_NO_CTX); tls_error(__LINE__, 0); } if (tls_data_cnx != NULL) { tls_close_session(&tls_data_cnx); } else if ((tls_data_cnx = SSL_new(tls_ctx)) == NULL) { tls_error(__LINE__, 0); } if (SSL_set_fd(tls_data_cnx, fd) != 1) { tls_error(__LINE__, 0); } SSL_set_accept_state(tls_data_cnx); for (;;) { ret = SSL_accept(tls_data_cnx); if (ret <= 0) { ret_ = SSL_get_error(tls_data_cnx, ret); if (ret == -1 && (ret_ == SSL_ERROR_WANT_READ || ret_ == SSL_ERROR_WANT_WRITE)) { continue; } logfile(LOG_INFO, MSG_LOGOUT); _EXIT(EXIT_FAILURE); } break; } # if ONLY_ACCEPT_REUSED_SSL_SESSIONS if (broken_client_compat == 0 && SSL_session_reused(tls_data_cnx) == 0) { tls_error(__LINE__, 0); } # endif if ((cipher = SSL_get_current_cipher(tls_data_cnx)) != NULL) { int strength_bits = SSL_CIPHER_get_bits(cipher, NULL); logfile(LOG_INFO, MSG_TLS_INFO, SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher), strength_bits); if (strength_bits < MINIMAL_CIPHER_STRENGTH_BITS) { die(534, LOG_ERR, MSG_TLS_WEAK); } } return 0; }
/* SSL info callback, this is used to trace engine state changes * and to check when the handshake is finished, so we can display * some cipher and session information and process callbacks. */ void ssl_info(SSL *ssl, int where, int ret) { int sock; X509 *cert; char buf[256]; ssl_appdata *data; SSL_CIPHER *cipher; int secret, processed; /* We're doing non-blocking IO, so we check here if the handshake has finished */ if (where & SSL_CB_HANDSHAKE_DONE) { if (!(data = (ssl_appdata *) SSL_get_app_data(ssl))) return; /* Callback for completed handshake. Cheaper and more convenient than using H_tls */ sock = SSL_get_fd(ssl); if (data->cb) data->cb(sock); /* Call TLS binds. We allow scripts to take over or disable displaying of certificate information. */ if (check_tcl_tls(sock)) return; putlog(data->loglevel, "*", "TLS: handshake successful. Secure connection " "established."); if ((cert = SSL_get_peer_certificate(ssl))) ssl_showcert(cert, data->loglevel); else putlog(data->loglevel, "*", "TLS: peer did not present a certificate"); /* Display cipher information */ cipher = SSL_get_current_cipher(ssl); processed = SSL_CIPHER_get_bits(cipher, &secret); putlog(data->loglevel, "*", "TLS: cipher used: %s %s; %d bits (%d secret)", SSL_CIPHER_get_name(cipher), SSL_CIPHER_get_version(cipher), processed, secret); /* secret are the actually secret bits. If processed and secret differ, the rest of the bits are fixed, i.e. for limited export ciphers */ /* More verbose information, for debugging only */ SSL_CIPHER_description(cipher, buf, sizeof buf); debug1("TLS: cipher details: %s", buf); } /* Display the state of the engine for debugging purposes */ debug1("TLS: state change: %s", SSL_state_string_long(ssl)); }
static VALUE ossl_ssl_cipher_to_ary(SSL_CIPHER *cipher) { VALUE ary; int bits, alg_bits; ary = rb_ary_new2(4); rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_name(cipher))); rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_version(cipher))); bits = SSL_CIPHER_get_bits(cipher, &alg_bits); rb_ary_push(ary, INT2FIX(bits)); rb_ary_push(ary, INT2FIX(alg_bits)); return ary; }
struct chiper_info * _SSL_get_cipher_info (SSL * ssl) { SSL_CIPHER *c; c = SSL_get_current_cipher (ssl); strncpy (chiper_info.version, SSL_CIPHER_get_version (c), sizeof (chiper_info.version)); strncpy (chiper_info.chiper, SSL_CIPHER_get_name (c), sizeof (chiper_info.chiper)); SSL_CIPHER_get_bits (c, &chiper_info.chiper_bits); return (&chiper_info); }
return the certificate even if it wasn't validated."); static PyObject *PySSL_cipher (PySSLObject *self) { PyObject *retval, *v; SSL_CIPHER *current; char *cipher_name; char *cipher_protocol; if (self->ssl == NULL) return Py_None; current = SSL_get_current_cipher(self->ssl); if (current == NULL) return Py_None; retval = PyTuple_New(3); if (retval == NULL) return NULL; cipher_name = (char *) SSL_CIPHER_get_name(current); if (cipher_name == NULL) { PyTuple_SET_ITEM(retval, 0, Py_None); } else { v = PyUnicode_FromString(cipher_name); if (v == NULL) goto fail0; PyTuple_SET_ITEM(retval, 0, v); } cipher_protocol = SSL_CIPHER_get_version(current); if (cipher_protocol == NULL) { PyTuple_SET_ITEM(retval, 1, Py_None); } else { v = PyUnicode_FromString(cipher_protocol); if (v == NULL) goto fail0; PyTuple_SET_ITEM(retval, 1, v); } v = PyLong_FromLong(SSL_CIPHER_get_bits(current, NULL)); if (v == NULL) goto fail0; PyTuple_SET_ITEM(retval, 2, v); return retval; fail0: Py_DECREF(retval); return NULL; }
int main(void) { SSL_CTX *ctx = SSL_CTX_new(DTLS_method()); STACK_OF(SSL_CIPHER) *ciphers; int i, rv = 0; SSL_CTX_set_psk_server_callback(ctx, srvr_psk_callback); SSL_CTX_set_psk_client_callback(ctx, clnt_psk_callback); SSL_CTX_set_security_level(ctx, 0); /* We only care about iterating over each enc/mac; we don't * want to repeat the test for each auth/kx variant. * So keep life simple and only do (non-DH) PSK. */ if (!SSL_CTX_set_cipher_list(ctx, "PSK")) { fprintf(stderr, "Failed to set PSK cipher list\n"); goto out; } ciphers = SSL_CTX_get_ciphers(ctx); for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i); const char *cipher_name = SSL_CIPHER_get_name(cipher); /* As noted above, only one test for each enc/mac variant. */ if (strncmp(cipher_name, "PSK-", 4)) continue; rv = mtu_test(ctx, cipher_name, 0); if (!rv) break; printf("DTLS MTU test OK for %s\n", cipher_name); if (rv == 1) continue; /* mtu_test() returns 2 if it used Encrypt-then-MAC */ rv = mtu_test(ctx, cipher_name, 1); if (!rv) break; printf("DTLS MTU test OK for %s without Encrypt-then-MAC\n", cipher_name); } out: SSL_CTX_free(ctx); return !rv; }
void SSLGetSessionCipher(SSL* pSSLSession, char* pszBuffer, int iBufferSize) { SSL_CIPHER* pCipher = SSL_get_current_cipher(pSSLSession); SetEmptyString(pszBuffer); if(pCipher) { SysSNPrintf(pszBuffer, iBufferSize, "protocol=%s, cipher=%s(%d)", SSL_CIPHER_get_version(pCipher), SSL_CIPHER_get_name(pCipher), SSL_CIPHER_get_bits(pCipher, NULL)); } }
static void print_details(SSL *c_ssl, const char *prefix) { SSL_CIPHER *ciph; X509 *cert; ciph=SSL_get_current_cipher(c_ssl); BIO_printf(bio_stdout,"%s%s, cipher %s %s", prefix, SSL_get_version(c_ssl), SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph)); cert=SSL_get_peer_certificate(c_ssl); if (cert != NULL) { EVP_PKEY *pkey = X509_get_pubkey(cert); if (pkey != NULL) { if (0) ; #ifndef OPENSSL_NO_RSA else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL && pkey->pkey.rsa->n != NULL) { BIO_printf(bio_stdout, ", %d bit RSA", BN_num_bits(pkey->pkey.rsa->n)); } #endif #ifndef OPENSSL_NO_DSA else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL && pkey->pkey.dsa->p != NULL) { BIO_printf(bio_stdout, ", %d bit DSA", BN_num_bits(pkey->pkey.dsa->p)); } #endif EVP_PKEY_free(pkey); } X509_free(cert); } /* The SSL API does not allow us to look at temporary RSA/DH keys, * otherwise we should print their lengths too */ BIO_printf(bio_stdout,"\n"); }
int ipfix_ssl_init_con( SSL *con ) { extern FILE *mlog_fp; // todo: see if this is working int i; char *str; long verify_error; char buf[100]; if ((i=SSL_accept(con)) <= 0) { if (BIO_sock_should_retry(i)) { mlogf( 0, "[ipfix_ssl_init] DELAY\n"); return -1; } mlogf( 0, "[ipfix_ssl_init] ERROR\n"); verify_error=SSL_get_verify_result( con ); if (verify_error != X509_V_OK) { mlogf( 0, "[ipfix_ssl_init] verify error: %s\n", X509_verify_cert_error_string(verify_error)); } else ERR_print_errors_fp( mlog_fp ); return -1; } if ( 1 <= mlog_get_vlevel() ) { PEM_write_SSL_SESSION( mlog_fp, SSL_get_session(con)); if ( SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL) { mlogf( 3, "[ipfix] Shared ciphers:%s\n", buf); } str=(char*)SSL_CIPHER_get_name( SSL_get_current_cipher(con) ); mlogf( 3, "[ipfix] CIPHER is %s\n",(str != NULL)?str:"(NONE)"); if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & TLS1_FLAGS_TLS_PADDING_BUG) { mlogf( 1, "[ipfix] Peer has incorrect TLSv1 block padding\n"); } } return 0; }
void handle_handshake(const boost::system::error_code& error) { if (!error) { std::cout << SSL_CIPHER_get_name(SSL_get_current_cipher(socket_.native_handle())) << std::endl; std::cout << "Enter message: "; std::cin.getline(request_, max_length); size_t request_length = strlen(request_); boost::asio::async_write(socket_, boost::asio::buffer(request_, request_length), boost::bind(&client::handle_write, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred)); } else { std::cout << "Handshake failed: " << error << "\n"; } }
/* ************************************** * * Information functions * * Print information for the end user. * ***************************************/ void print_details (struct key_state_ssl * ks_ssl, const char *prefix) { const SSL_CIPHER *ciph; X509 *cert; char s1[256]; char s2[256]; s1[0] = s2[0] = 0; ciph = SSL_get_current_cipher (ks_ssl->ssl); openvpn_snprintf (s1, sizeof (s1), "%s %s, cipher %s %s", prefix, SSL_get_version (ks_ssl->ssl), SSL_CIPHER_get_version (ciph), SSL_CIPHER_get_name (ciph)); cert = SSL_get_peer_certificate (ks_ssl->ssl); if (cert != NULL) { EVP_PKEY *pkey = X509_get_pubkey (cert); if (pkey != NULL) { if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL && pkey->pkey.rsa->n != NULL) { openvpn_snprintf (s2, sizeof (s2), ", %d bit RSA", BN_num_bits (pkey->pkey.rsa->n)); } else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL && pkey->pkey.dsa->p != NULL) { openvpn_snprintf (s2, sizeof (s2), ", %d bit DSA", BN_num_bits (pkey->pkey.dsa->p)); } EVP_PKEY_free (pkey); } X509_free (cert); } /* The SSL API does not allow us to look at temporary RSA/DH keys, * otherwise we should print their lengths too */ msg (D_HANDSHAKE, "%s%s", s1, s2); }