lcb_error_t lcbio_ssl_apply(lcbio_SOCKET *sock, lcbio_pSSLCTX sctx) { lcbio_pTABLE old_iot = sock->io, new_iot; lcbio_PROTOCTX *sproto; if (old_iot->model == LCB_IOMODEL_EVENT) { new_iot = lcbio_Essl_new(old_iot, sock->u.fd, sctx->ctx); } else { new_iot = lcbio_Cssl_new(old_iot, sock->u.sd, sctx->ctx); } if (new_iot) { sproto = calloc(1, sizeof(*sproto)); sproto->id = LCBIO_PROTOCTX_SSL; sproto->dtor = noop_dtor; lcbio_protoctx_add(sock, sproto); lcbio_table_unref(old_iot); sock->io = new_iot; /* just for logging */ SSL_set_app_data(((lcbio_XSSL *)new_iot)->ssl, sock); return LCB_SUCCESS; } else { return LCB_ERROR; } }
SpiceOpenSSLVerify* spice_openssl_verify_new(SSL *ssl, SPICE_SSL_VERIFY_OP verifyop, const char *hostname, const char *pubkey, size_t pubkey_size, const char *subject) { SpiceOpenSSLVerify *v; if (!verifyop) return NULL; v = spice_new0(SpiceOpenSSLVerify, 1); v->ssl = ssl; v->verifyop = verifyop; v->hostname = spice_strdup(hostname); v->pubkey = (char*)spice_memdup(pubkey, pubkey_size); v->pubkey_size = pubkey_size; v->subject = spice_strdup(subject); v->all_preverify_ok = 1; SSL_set_app_data(ssl, v); SSL_set_verify(ssl, SSL_VERIFY_PEER, openssl_verify); return v; }
/* * Attempt to negotiate secure session. */ PostgresPollingStatusType pqsecure_open_client(PGconn *conn) { #ifdef USE_SSL /* First time through? */ if (conn->ssl == NULL) { if (!(conn->ssl = SSL_new(SSL_context)) || !SSL_set_app_data(conn->ssl, conn) || !SSL_set_fd(conn->ssl, conn->sock)) { char *err = SSLerrmessage(); printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not establish SSL connection: %s\n"), err); SSLerrfree(err); close_SSL(conn); return PGRES_POLLING_FAILED; } /* * Initialize errorMessage to empty. This allows open_client_SSL() to * detect whether client_cert_cb() has stored a message. */ resetPQExpBuffer(&conn->errorMessage); } /* Begin or continue the actual handshake */ return open_client_SSL(conn); #else /* shouldn't get here */ return PGRES_POLLING_FAILED; #endif }
void *ma_tls_init(MYSQL *mysql) { SSL *ssl= NULL; #ifdef HAVE_TLS_SESSION_CACHE MA_SSL_SESSION *session= ma_tls_get_session(mysql); #endif pthread_mutex_lock(&LOCK_openssl_config); if (ma_tls_set_certs(mysql)) { goto error; } if (!(ssl= SSL_new(SSL_context))) goto error; if (!SSL_set_app_data(ssl, mysql)) goto error; #ifdef HAVE_TLS_SESSION_CACHE if (session) SSL_set_session(ssl, session->session); #endif pthread_mutex_unlock(&LOCK_openssl_config); return (void *)ssl; error: pthread_mutex_unlock(&LOCK_openssl_config); if (ssl) SSL_free(ssl); return NULL; }
/* allocates a new ssl object SYNOPSIS my_ssl_init mysql connection object RETURN VALUES NULL on error SSL new SSL object */ SSL *my_ssl_init(MYSQL *mysql) { SSL *ssl= NULL; DBUG_ENTER("my_ssl_init"); DBUG_ASSERT(mysql->net.vio->ssl == NULL); if (!my_ssl_initialized) my_ssl_start(mysql); pthread_mutex_lock(&LOCK_ssl_config); if (my_ssl_set_certs(mysql)) goto error; if (!(ssl= SSL_new(SSL_context))) goto error; if (!SSL_set_app_data(ssl, mysql)) goto error; pthread_mutex_unlock(&LOCK_ssl_config); DBUG_RETURN(ssl); error: pthread_mutex_unlock(&LOCK_ssl_config); if (ssl) SSL_free(ssl); DBUG_RETURN(NULL); }
void *ma_ssl_init(MYSQL *mysql) { int verify; SSL *ssl= NULL; pthread_mutex_lock(&LOCK_openssl_config); if (ma_ssl_set_certs(mysql)) { goto error; } if (!(ssl= SSL_new(SSL_context))) goto error; if (!SSL_set_app_data(ssl, mysql)) goto error; verify= (!mysql->options.ssl_ca && !mysql->options.ssl_capath) ? SSL_VERIFY_NONE : SSL_VERIFY_PEER; SSL_CTX_set_verify(SSL_context, verify, my_verify_callback); SSL_CTX_set_verify_depth(SSL_context, 1); pthread_mutex_unlock(&LOCK_openssl_config); return (void *)ssl; error: pthread_mutex_unlock(&LOCK_openssl_config); if (ssl) SSL_free(ssl); return NULL; }
int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, int verify_peer, const char *subject_match) { if (conn == NULL) return -1; free(conn->subject_match); conn->subject_match = NULL; if (subject_match) { conn->subject_match = strdup(subject_match); if (conn->subject_match == NULL) return -1; } if (verify_peer) { SSL_set_app_data(conn->ssl, conn); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, tls_verify_cb); } else { SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); } SSL_set_accept_state(conn->ssl); return 0; }
VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) { VALUE obj; SSL_CTX* ctx; SSL* ssl; ms_conn* conn = engine_alloc(self, &obj); ID sym_key = rb_intern("key"); VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0); ID sym_cert = rb_intern("cert"); VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0); ID sym_ca = rb_intern("ca"); VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0); ID sym_verify_mode = rb_intern("verify_mode"); VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0); ctx = SSL_CTX_new(SSLv23_server_method()); conn->ctx = ctx; SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert)); SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM); if (!NIL_P(ca)) { SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL); } SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH"); DH *dh = get_dh1024(); SSL_CTX_set_tmp_dh(ctx, dh); #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp521r1); if (ecdh) { SSL_CTX_set_tmp_ecdh(ctx, ecdh); EC_KEY_free(ecdh); } #endif ssl = SSL_new(ctx); conn->ssl = ssl; SSL_set_app_data(ssl, NULL); if (NIL_P(verify_mode)) { /* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */ } else { SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback); } SSL_set_bio(ssl, conn->read, conn->write); SSL_set_accept_state(ssl); return obj; }
int MaOpenSslSocket::initConnection() { BIO *bioSSL, *bioSock; if (bio) { return 0; } bio = BIO_new(BIO_f_buffer()); if (bio == 0) { return MPR_ERR_CANT_INITIALIZE; } BIO_set_write_buffer_size(bio, 128); ssl = (SSL*) SSL_new(context); mprAssert(ssl); if (ssl == 0) { return MPR_ERR_CANT_INITIALIZE; } SSL_set_app_data(ssl, (void*) this); SSL_set_session(ssl, 0); bioSSL = BIO_new(BIO_f_ssl()); mprAssert(bioSSL); bioSock = BIO_new_socket(sock, BIO_NOCLOSE); mprAssert(bioSock); SSL_set_bio(ssl, bioSock, bioSock); SSL_set_accept_state(ssl); BIO_set_ssl(bioSSL, ssl, BIO_CLOSE); BIO_push(bio, bioSSL); return 0; }
static void int_ssl_check(SSL *s, int ret) { int e = SSL_get_error(s, ret); switch(e) { /* These seem to be harmless and already "dealt with" by our * non-blocking environment. NB: "ZERO_RETURN" is the clean * "error" indicating a successfully closed SSL tunnel. We let * this happen because our IO loop should not appear to have * broken on this condition - and outside the IO loop, the * "shutdown" state is checked. */ case SSL_ERROR_NONE: case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_X509_LOOKUP: case SSL_ERROR_ZERO_RETURN: return; /* These seem to be indications of a genuine error that should * result in the SSL tunnel being regarded as "dead". */ case SSL_ERROR_SYSCALL: case SSL_ERROR_SSL: SSL_set_app_data(s, (char *)1); return; default: break; } /* For any other errors that (a) exist, and (b) crop up - we need to * interpret what to do with them - so "politely inform" the caller that * the code needs updating here. */ abort(); }
/* allocates a new ssl object SYNOPSIS my_ssl_init mysql connection object RETURN VALUES NULL on error SSL new SSL object */ SSL *my_ssl_init(MYSQL *mysql) { int verify; SSL *ssl= NULL; DBUG_ENTER("my_ssl_init"); DBUG_ASSERT(mysql->net.vio->ssl == NULL); if (!my_ssl_initialized) my_ssl_start(mysql); if (!(ssl= SSL_new(SSL_context))) goto error; if (!SSL_set_app_data(ssl, mysql)) goto error; if (my_ssl_set_certs(ssl)) goto error; verify= (!mysql->options.ssl_ca && !mysql->options.ssl_capath) ? SSL_VERIFY_NONE : SSL_VERIFY_PEER; SSL_set_verify(ssl, verify, my_verify_callback); SSL_set_verify_depth(ssl, 1); DBUG_RETURN(ssl); error: if (ssl) SSL_free(ssl); DBUG_RETURN(NULL); }
static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) { X509* err_cert; SSL* ssl; int bytes; unsigned char* buf = NULL; if(!preverify_ok) { err_cert = X509_STORE_CTX_get_current_cert(ctx); if(err_cert) { /* * Save the failed certificate for inspection/logging. */ bytes = i2d_X509(err_cert, &buf); if(bytes > 0) { ms_cert_buf* cert_buf = (ms_cert_buf*)malloc(sizeof(ms_cert_buf)); cert_buf->buf = buf; cert_buf->bytes = bytes; ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); SSL_set_app_data(ssl, cert_buf); } } } return preverify_ok; }
tnet_dtls_socket_handle_t* tnet_dtls_socket_create(struct tnet_socket_s* wrapped_sock, struct ssl_ctx_st* ssl_ctx) { #if !HAVE_OPENSSL || !HAVE_OPENSSL_DTLS TSK_DEBUG_ERROR("OpenSSL or DTLS not enabled"); return tsk_null; #else tnet_dtls_socket_t* socket; if (!wrapped_sock || !ssl_ctx){ TSK_DEBUG_ERROR("Invalid parameter"); return tsk_null; } if ((socket = tsk_object_new(tnet_dtls_socket_def_t))) { const tsk_bool_t set_mtu = TNET_SOCKET_TYPE_IS_DGRAM(wrapped_sock->type) || 1; //!\ This is required even if the local transport is TCP/TLS because the relayed (TURN) transport could be UDP socket->wrapped_sock = tsk_object_ref(wrapped_sock); if (!(socket->ssl = SSL_new(ssl_ctx))) { TSK_DEBUG_ERROR("SSL_new(CTX) failed [%s]", ERR_error_string(ERR_get_error(), tsk_null)); TSK_OBJECT_SAFE_FREE(socket); return tsk_null; } if (set_mtu) { SSL_set_options(socket->ssl, SSL_OP_NO_QUERY_MTU); SSL_set_mtu(socket->ssl, TNET_DTLS_MTU - 28); socket->ssl->d1->mtu = TNET_DTLS_MTU - 28; } if (!(socket->rbio = BIO_new(BIO_s_mem())) || !(socket->wbio = BIO_new(BIO_s_mem()))){ TSK_DEBUG_ERROR("BIO_new_socket(%d) failed [%s]", socket->wrapped_sock->fd, ERR_error_string(ERR_get_error(), tsk_null)); if (socket->rbio){ BIO_free(socket->rbio); } if (socket->wbio){ BIO_free(socket->wbio); } TSK_OBJECT_SAFE_FREE(socket); return tsk_null; } BIO_set_mem_eof_return(socket->rbio, -1); BIO_set_mem_eof_return(socket->wbio, -1); SSL_set_bio(socket->ssl, socket->rbio, socket->wbio); SSL_set_mode(socket->ssl, SSL_MODE_AUTO_RETRY); SSL_set_read_ahead(socket->ssl, 1); if (set_mtu) { BIO_ctrl(SSL_get_wbio(socket->ssl), BIO_CTRL_DGRAM_SET_MTU, TNET_DTLS_MTU - 28, NULL); } if ((socket->verify_peer = (SSL_CTX_get_verify_mode(ssl_ctx) != SSL_VERIFY_NONE))){ TSK_DEBUG_INFO("SSL cert verify: ON"); socket->verify_peer = tsk_true; SSL_set_verify(socket->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), _tnet_dtls_verify_cert); } else { TSK_DEBUG_ERROR("Verity not enabled"); } SSL_set_app_data(socket->ssl, socket); } return socket; #endif }
connection *connection_accepted(server *srv, server_socket *srv_socket, sock_addr *cnt_addr, int cnt) { connection *con; srv->cur_fds++; /* ok, we have the connection, register it */ #if 0 log_error_write(srv, __FILE__, __LINE__, "sd", "appected()", cnt); #endif srv->con_opened++; con = connections_get_new_connection(srv); con->fd = cnt; con->fde_ndx = -1; fdevent_register(srv->ev, con->fd, connection_handle_fdevent, con); connection_set_state(srv, con, CON_STATE_REQUEST_START); con->connection_start = srv->cur_ts; con->dst_addr = *cnt_addr; buffer_copy_string(con->dst_addr_buf, inet_ntop_cache_get_ip(srv, &(con->dst_addr))); con->srv_socket = srv_socket; if (-1 == fdevent_fcntl_set_nb_cloexec_sock(srv->ev, con->fd)) { log_error_write(srv, __FILE__, __LINE__, "ss", "fcntl failed: ", strerror(errno)); connection_close(srv, con); return NULL; } #ifdef USE_OPENSSL /* connect FD to SSL */ if (srv_socket->is_ssl) { if (NULL == (con->ssl = SSL_new(srv_socket->ssl_ctx))) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL)); connection_close(srv, con); return NULL; } con->renegotiations = 0; SSL_set_app_data(con->ssl, con); SSL_set_accept_state(con->ssl); if (1 != (SSL_set_fd(con->ssl, cnt))) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL)); connection_close(srv, con); return NULL; } } #endif return con; }
static serf_ssl_context_t *ssl_init_context(void) { serf_ssl_context_t *ssl_ctx; apr_pool_t *pool; serf_bucket_alloc_t *allocator; init_ssl_libraries(); apr_pool_create(&pool, NULL); allocator = serf_bucket_allocator_create(pool, NULL, NULL); ssl_ctx = serf_bucket_mem_alloc(allocator, sizeof(*ssl_ctx)); ssl_ctx->refcount = 0; ssl_ctx->pool = pool; ssl_ctx->allocator = allocator; ssl_ctx->ctx = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_set_client_cert_cb(ssl_ctx->ctx, ssl_need_client_cert); ssl_ctx->cached_cert = 0; ssl_ctx->cached_cert_pw = 0; ssl_ctx->pending_err = APR_SUCCESS; SSL_CTX_set_verify(ssl_ctx->ctx, SSL_VERIFY_PEER, validate_server_certificate); SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_ALL); ssl_ctx->ssl = SSL_new(ssl_ctx->ctx); ssl_ctx->bio = BIO_new(&bio_bucket_method); ssl_ctx->bio->ptr = ssl_ctx; SSL_set_bio(ssl_ctx->ssl, ssl_ctx->bio, ssl_ctx->bio); SSL_set_connect_state(ssl_ctx->ssl); SSL_set_app_data(ssl_ctx->ssl, ssl_ctx); ssl_ctx->encrypt.stream = NULL; ssl_ctx->encrypt.stream_next = NULL; ssl_ctx->encrypt.pending = serf_bucket_aggregate_create(allocator); ssl_ctx->encrypt.status = APR_SUCCESS; serf_databuf_init(&ssl_ctx->encrypt.databuf); ssl_ctx->encrypt.databuf.read = ssl_encrypt; ssl_ctx->encrypt.databuf.read_baton = ssl_ctx; ssl_ctx->decrypt.stream = NULL; ssl_ctx->decrypt.pending = serf_bucket_aggregate_create(allocator); ssl_ctx->decrypt.status = APR_SUCCESS; serf_databuf_init(&ssl_ctx->decrypt.databuf); ssl_ctx->decrypt.databuf.read = ssl_decrypt; ssl_ctx->decrypt.databuf.read_baton = ssl_ctx; return ssl_ctx; }
BOOL transport_connect_tls(rdpTransport* transport) { int tlsStatus; rdpTls* tls = NULL; rdpContext* context = transport->context; rdpSettings* settings = transport->settings; if (!(tls = tls_new(settings))) return FALSE; transport->tls = tls; if (transport->GatewayEnabled) transport->layer = TRANSPORT_LAYER_TSG_TLS; else transport->layer = TRANSPORT_LAYER_TLS; tls->hostname = settings->ServerHostname; tls->port = settings->ServerPort; if (tls->port == 0) tls->port = 3389; tls->isGatewayTransport = FALSE; tlsStatus = tls_connect(tls, transport->frontBio); if (tlsStatus < 1) { if (tlsStatus < 0) { if (!freerdp_get_last_error(context)) freerdp_set_last_error(context, FREERDP_ERROR_TLS_CONNECT_FAILED); } else { if (!freerdp_get_last_error(context)) freerdp_set_last_error(context, FREERDP_ERROR_CONNECT_CANCELLED); } return FALSE; } transport->frontBio = tls->bio; BIO_callback_ctrl(tls->bio, BIO_CTRL_SET_CALLBACK, (bio_info_cb*) transport_ssl_cb); SSL_set_app_data(tls->ssl, transport); if (!transport->frontBio) { WLog_ERR(TAG, "unable to prepend a filtering TLS bio"); return FALSE; } return TRUE; }
VALUE engine_init_client(VALUE klass) { VALUE obj; ms_conn* conn = engine_alloc(klass, &obj); conn->ctx = SSL_CTX_new(DTLSv1_method()); conn->ssl = SSL_new(conn->ctx); SSL_set_app_data(conn->ssl, NULL); SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); SSL_set_bio(conn->ssl, conn->read, conn->write); SSL_set_connect_state(conn->ssl); return obj; }
void spice_openssl_verify_free(SpiceOpenSSLVerify* verify) { if (!verify) return; free(verify->pubkey); free(verify->subject); free(verify->hostname); if (verify->in_subject) X509_NAME_free(verify->in_subject); if (verify->ssl) SSL_set_app_data(verify->ssl, NULL); free(verify); }
static int tunala_world_new_item(tunala_world_t * world, int fd, const char *ip, unsigned short port, int flipped) { tunala_item_t *item; int newfd; SSL *new_ssl = NULL; if (!tunala_world_make_room(world)) return 0; if ((new_ssl = SSL_new(world->ssl_ctx)) == NULL) { fprintf(stderr, "Error creating new SSL\n"); ERR_print_errors_fp(stderr); return 0; } item = world->tunnels + (world->tunnels_used++); state_machine_init(&item->sm); item->clean_read = item->clean_send = item->dirty_read = item->dirty_send = -1; if ((newfd = ip_create_connection_split(ip, port)) == -1) goto err; /* * Which way round? If we're a server, "fd" is the dirty side and the * connection we open is the clean one. For a client, it's the other way * around. Unless, of course, we're "flipped" in which case everything * gets reversed. :-) */ if ((world->server_mode && !flipped) || (!world->server_mode && flipped)) { item->dirty_read = item->dirty_send = fd; item->clean_read = item->clean_send = newfd; } else { item->clean_read = item->clean_send = fd; item->dirty_read = item->dirty_send = newfd; } /* * We use the SSL's "app_data" to indicate a call-back induced "kill" */ SSL_set_app_data(new_ssl, NULL); if (!state_machine_set_SSL(&item->sm, new_ssl, world->server_mode)) goto err; return 1; err: tunala_world_del_item(world, world->tunnels_used - 1); return 0; }
openssl_con * openssl_connect_fd(openssl_env *env, int fd, int timeout) { openssl_con *c = (openssl_con *)calloc(1, sizeof(*c)); if (!c) return 0; c->env = env; #ifdef HAVE_OPENSSL c->con = (SSL *)SSL_new(env->ctx); #elif HAVE_MATRIXSSL c->con = (SSL *)SSL_new(env->keys, 0); #endif c->sock = fd; c->timeout = timeout; SSL_set_fd(c->con, c->sock); #ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL_ENGINE SSL_set_app_data(c->con, c); #endif SSL_set_connect_state(c->con); if (SSL_connect(c->con) < 0) { char is_error = 0; #if(_debug_) unsigned long error; while ((error = ERR_get_error())) { syslog(LOG_DEBUG, "%s(%d): TLS: %s", __FUNCTION__, __LINE__, ERR_error_string(error, NULL)); is_error = 1; } #endif if (is_error) { openssl_free(c); return 0; } } #elif HAVE_MATRIXSSL if (!SSL_connect(c->con, certValidator, c)) { syslog(LOG_ERR, "%s: openssl_connect_fd", strerror(errno)); openssl_free(c); return 0; } #endif return c; }
int tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write) { struct tls *conn_ctx = *cctx; int ret, err; if ((ctx->flags & TLS_SERVER) == 0) { tls_set_error(ctx, "not a server context"); goto err; } if (conn_ctx == NULL) { if ((conn_ctx = tls_server_conn(ctx)) == NULL) { tls_set_error(ctx, "connection context failure"); goto err; } *cctx = conn_ctx; if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { tls_set_error(ctx, "ssl failure"); goto err; } if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 || SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) { tls_set_error(ctx, "ssl set fd failure"); goto err; } SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx); } if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) { err = tls_ssl_error(ctx, conn_ctx->ssl_conn, ret, "accept"); if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) { return (err); } goto err; } return (0); err: return (-1); }
int ne_sock_use_ssl_os(ne_socket *sock, SSL_CTX *ctx, SSL_SESSION *sess, SSL **ssl, void *appdata) { int ret; if (!prng_seeded && RAND_status() != 1) { set_error(sock, _("SSL disabled due to lack of entropy")); return NE_SOCK_ERROR; } sock->ssl = SSL_new(ctx); if (!sock->ssl) { set_error(sock, _("Could not create SSL structure")); return NE_SOCK_ERROR; } if (appdata) { SSL_set_app_data(sock->ssl, appdata); } sock->ops = &iofns_ossl; SSL_set_mode(sock->ssl, SSL_MODE_AUTO_RETRY); SSL_set_fd(sock->ssl, sock->fd); if (sess) SSL_set_session(sock->ssl, sess); ret = SSL_connect(sock->ssl); if (ret != 1) { error_ossl(sock, ret); SSL_free(sock->ssl); sock->ssl = NULL; return NE_SOCK_ERROR; } if (ssl) *ssl = sock->ssl; return 0; }
PUBLIC int sslUpgrade(Webs *wp) { WebsSocket *sptr; BIO *bio; assert(wp); sptr = socketPtr(wp->sid); if ((wp->ssl = SSL_new(sslctx)) == 0) { return -1; } if ((bio = BIO_new_socket(sptr->sock, BIO_NOCLOSE)) == 0) { return -1; } SSL_set_bio(wp->ssl, bio, bio); SSL_set_accept_state(wp->ssl); SSL_set_app_data(wp->ssl, (void*) wp); return 0; }
/* * Begin or continue negotiating a secure session. */ PostgresPollingStatusType pqsecure_open_client(PGconn *conn) { #ifdef USE_SSL /* First time through? */ if (conn->ssl == NULL) { /* We cannot use MSG_NOSIGNAL to block SIGPIPE when using SSL */ conn->sigpipe_flag = false; /* Create a connection-specific SSL object */ if (!(conn->ssl = SSL_new(SSL_context)) || !SSL_set_app_data(conn->ssl, conn) || !SSL_set_fd(conn->ssl, conn->sock)) { char *err = SSLerrmessage(); printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not establish SSL connection: %s\n"), err); SSLerrfree(err); close_SSL(conn); return PGRES_POLLING_FAILED; } /* * Load client certificate, private key, and trusted CA certs. */ if (initialize_SSL(conn) != 0) { /* initialize_SSL already put a message in conn->errorMessage */ close_SSL(conn); return PGRES_POLLING_FAILED; } } /* Begin or continue the actual handshake */ return open_client_SSL(conn); #else /* shouldn't get here */ return PGRES_POLLING_FAILED; #endif }
int tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write) { struct tls *conn_ctx = NULL; if ((ctx->flags & TLS_SERVER) == 0) { tls_set_errorx(ctx, "not a server context"); goto err; } if ((conn_ctx = tls_server_conn(ctx)) == NULL) { tls_set_errorx(ctx, "connection context failure"); goto err; } if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { tls_set_errorx(ctx, "ssl failure"); goto err; } if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) { tls_set_errorx(ctx, "ssl application data failure"); goto err; } if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 || SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) { tls_set_errorx(ctx, "ssl file descriptor failure"); goto err; } *cctx = conn_ctx; return (0); err: tls_free(conn_ctx); *cctx = NULL; return (-1); }
void *ma_tls_init(MYSQL *mysql) { int verify; SSL *ssl= NULL; #ifdef HAVE_TLS_SESSION_CACHE MA_SSL_SESSION *session= ma_tls_get_session(mysql); #endif pthread_mutex_lock(&LOCK_openssl_config); if (ma_tls_set_certs(mysql)) { goto error; } if (!(ssl= SSL_new(SSL_context))) goto error; if (!SSL_set_app_data(ssl, mysql)) goto error; #ifdef HAVE_TLS_SESSION_CACHE if (session) SSL_set_session(ssl, session->session); #endif verify= (!mysql->options.ssl_ca && !mysql->options.ssl_capath) ? SSL_VERIFY_NONE : SSL_VERIFY_PEER; SSL_CTX_set_verify(SSL_context, verify, my_verify_callback); SSL_CTX_set_verify_depth(SSL_context, 1); pthread_mutex_unlock(&LOCK_openssl_config); return (void *)ssl; error: pthread_mutex_unlock(&LOCK_openssl_config); if (ssl) SSL_free(ssl); return NULL; }
/* Upgrade a socket to use SSL */ PUBLIC int sslUpgrade(Webs *wp) { WebsSocket *sptr; BIO *bio; assert(wp); sptr = socketPtr(wp->sid); if ((wp->ssl = SSL_new(sslctx)) == 0) { return -1; } /* Create a socket bio. We don't use the BIO except as storage for the fd. */ if ((bio = BIO_new_socket((int) sptr->sock, BIO_NOCLOSE)) == 0) { return -1; } SSL_set_bio(wp->ssl, bio, bio); SSL_set_accept_state(wp->ssl); SSL_set_app_data(wp->ssl, (void*) wp); return 0; }
static int _evhtp_connection_accept(evbase_t * evbase, evhtp_connection_t * connection) { if (connection->htp->ssl_ctx != NULL) { connection->ssl = SSL_new(connection->htp->ssl_ctx); connection->bev = bufferevent_openssl_socket_new(evbase, connection->sock, connection->ssl, BUFFEREVENT_SSL_ACCEPTING, BEV_OPT_CLOSE_ON_FREE | BEV_OPT_DEFER_CALLBACKS); SSL_set_app_data(connection->ssl, connection); goto end; } //创建一个socket-based bufferevent connection->bev = bufferevent_socket_new(evbase, connection->sock, BEV_OPT_CLOSE_ON_FREE | BEV_OPT_DEFER_CALLBACKS); end: bufferevent_set_timeouts(connection->bev, connection->htp->recv_timeo, connection->htp->send_timeo); connection->resume_ev = event_new(evbase, -1, EV_READ | EV_PERSIST, _evhtp_connection_resumecb, connection); event_add(connection->resume_ev, NULL); bufferevent_enable(connection->bev, EV_READ); bufferevent_setcb(connection->bev, _evhtp_connection_readcb, _evhtp_connection_writecb, _evhtp_connection_eventcb, connection); return 0; } /* _evhtp_connection_accept */
int tls_connection_ca_cert(void *ssl_ctx, struct tls_connection *conn, const char *ca_cert, const char *subject_match) { if (conn == NULL) return -1; free(conn->subject_match); conn->subject_match = NULL; if (subject_match) { conn->subject_match = strdup(subject_match); if (conn->subject_match == NULL) return -1; } if (ca_cert) { if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1) { wpa_printf(MSG_WARNING, "TLS: Failed to load root " "certificates: %s", ERR_error_string(ERR_get_error(), NULL)); return -1; } else { wpa_printf(MSG_DEBUG, "TLS: Trusted root " "certificate(s) loaded"); tls_get_errors(ssl_ctx); } SSL_set_app_data(conn->ssl, conn); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); } else { /* No ca_cert configured - do not try to verify server * certificate */ SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); } return 0; }
int ssl_init_ssl_connection(conn_rec *c) { SSLSrvConfigRec *sc; SSL *ssl; SSLConnRec *sslconn = myConnConfig(c); char *vhost_md5; modssl_ctx_t *mctx; server_rec *server; if (!sslconn) { sslconn = ssl_init_connection_ctx(c); } server = sslconn->server; sc = mySrvConfig(server); /* * Seed the Pseudo Random Number Generator (PRNG) */ ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, ""); mctx = sslconn->is_proxy ? sc->proxy : sc->server; /* * Create a new SSL connection with the configured server SSL context and * attach this to the socket. Additionally we register this attachment * so we can detach later. */ if (!(ssl = SSL_new(mctx->ssl_ctx))) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "Unable to create a new SSL connection from the SSL " "context"); ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server); c->aborted = 1; return DECLINED; /* XXX */ } vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id, sc->vhost_id_len); if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5, APR_MD5_DIGESTSIZE*2)) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "Unable to set session id context to `%s'", vhost_md5); ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server); c->aborted = 1; return DECLINED; /* XXX */ } SSL_set_app_data(ssl, c); SSL_set_app_data2(ssl, NULL); /* will be request_rec */ sslconn->ssl = ssl; /* * Configure callbacks for SSL connection */ SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); SSL_set_verify_result(ssl, X509_V_OK); ssl_io_filter_init(c, ssl); return APR_SUCCESS; }