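/// Open a TLS client connection and run the handshake.
///
/// Creates the SSL context on first use, opens a connect BIO to the
/// `_hostname` member on `port`, attaches it to a fresh SSL object and
/// performs SSL_connect(). When `_need_server_auth` is set the peer
/// certificate is then checked with checkCert(hostname).
///
/// @param fd        Not used: the connect BIO opens its own socket (the
///                  BIO_new_socket(fd) variant is not built here).
/// @param hostname  Used for logging and for checkCert(); the BIO itself
///                  connects to the `_hostname` member.
///                  NOTE(review): assumes both hold the same host — confirm
///                  with callers.
/// @param port      TCP port to connect to.
/// @return true when the handshake (and, if requested, the certificate
///         check) completed; false on any failure, after logging it.
bool
SSLClient::sslConnect(int fd, std::string &hostname, short port)
{
    GNASH_REPORT_FUNCTION;

    (void)fd; // see the parameter note above

    if (!_ctx) {
        if (!sslSetupCTX()) {
            return false;
        }
    }
    _ssl.reset(SSL_new(_ctx.get()));
    if (!_ssl) {
        log_error("Can't create SSL object for %s", hostname);
        return false;
    }

    // Handshake the server
    ERR_clear_error();

    // BIO_set_conn_hostname(_bio.get(), _hostname.c_str());
    _bio.reset(BIO_new_connect(const_cast<char *>(_hostname.c_str())));
    if (!_bio) {
        log_error("Can't create connect BIO for %s", _hostname);
        return false;
    }

    // BIO_set_conn_int_port() reads the port through an int pointer; hand
    // it the address of an int, not of the short parameter (which would be
    // read past its end).
    int portnum = port;
    BIO_set_conn_int_port(_bio.get(), &portnum);
    log_debug("PORT is: %d", BIO_get_conn_port(_bio.get()));

    // Connect the TCP side first; without this check a failed connect
    // used to fall through into SSL_connect() on a dead BIO.
    if (BIO_do_connect(_bio.get()) <= 0) {
        log_error("Error connecting to remote machine: %s",
                  ERR_reason_error_string(ERR_get_error()));
        return false;
    }

    // NOTE(review): SSL_set_bio() makes the SSL object responsible for
    // freeing the BIO; `_bio` still holds it too — confirm its deleter does
    // not free it a second time after SSL_free().
    SSL_set_bio(_ssl.get(), _bio.get(), _bio.get());
    SSL_set_connect_state(_ssl.get());

    // SSL_connect() returns 1 on success; 0 means the peer shut the
    // handshake down and <0 is a fatal error, so anything but 1 fails.
    const int ret = SSL_connect(_ssl.get());
    if (ret != 1) {
        // ERR_reason_error_string() may return NULL when no error is
        // queued (the ret == 0 case); never pass NULL to the logger.
        const char *reason = ERR_reason_error_string(ERR_get_error());
        log_error("Can't connect to SSL server %s", hostname);
        log_error("Error was: \"%s\"!", reason ? reason : "unknown");
        return false;
    }
    log_debug("Connected to SSL server %s", hostname);
    ERR_clear_error();

    // Server authentication is only performed when the caller asked for
    // it via _need_server_auth; a rejected certificate fails the connect.
    if (_need_server_auth && !checkCert(hostname)) {
        log_error("Certificate check failed for SSL server %s", hostname);
        return false;
    }

    return true;
}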
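/// Run the TLS client handshake on the attached `ssl` object and fetch the
/// peer certificate into `cert`.
///
/// Any failure is reported once through displayError with a buffer_t that is
/// built and released locally. No verification result is consulted here, so
/// acceptance of the certificate is entirely up to checkCert().
///
/// @return true when SSL_connect() succeeded, a peer certificate was
///         obtained and checkCert() accepted it; false otherwise.
bool SSLConnection::negotiate ()
{
  int err;
  const char *errmsg;
  char errbuf[256];          /* ERR_error_string_n() wants >= 120 bytes */
  buffer_t msg;
  buffer_init(&msg);

#if OPENSSL_VERSION_NUMBER >= 0x00906000L
  /* This only exists in 0.9.6 and above. Without it we may get interrupted
   * reads or writes. Bummer. */
  SSL_set_mode (ssl, SSL_MODE_AUTO_RETRY);
#endif

  /* SSL_connect() returns 1 only for a completed handshake; 0 and <0 are
   * both failures and are classified by SSL_get_error(). */
  if ((err = SSL_connect (ssl)) != 1) {
    switch (SSL_get_error (ssl, err)) {
      case SSL_ERROR_SYSCALL:
        errmsg = _("I/O error");
        break;
      case SSL_ERROR_SSL:
        /* ERR_error_string(e, NULL) formats into a static buffer shared by
         * every thread; format into a local buffer instead. */
        ERR_error_string_n (ERR_get_error (), errbuf, sizeof (errbuf));
        errmsg = errbuf;
        break;
      default:
        errmsg = _("unknown error");
    }
    buffer_shrink(&msg,0);
    buffer_add_str(&msg,(_("OpenSSL's connect() failed: ")),-1);
    buffer_add_str(&msg,errmsg,-1);
    displayError.emit(&msg);
    buffer_free(&msg);
    return false;
  }

  /* NOTE(review): `cert` is overwritten without releasing a certificate that
   * an earlier negotiate() may have stored — confirm who frees it. */
  if (!(cert = SSL_get_peer_certificate (ssl))) {
    buffer_shrink(&msg,0);
    buffer_add_str(&msg,_("Unable to get certificate from peer"),-1);
    displayError.emit(&msg);
    buffer_free(&msg);
    return false;
  }

  /* Release the (unused) message buffer on the remaining exits as well. */
  buffer_free(&msg);
  return checkCert();
}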
/// Check the peer certificate against the hostname stored in `_hostname`.
///
/// Convenience overload: forwards to the hostname-taking checkCert().
///
/// @return whatever the hostname-taking overload returns for `_hostname`.
bool
SSLClient::checkCert()
{
    GNASH_REPORT_FUNCTION;

    const bool accepted = checkCert(_hostname);
    return accepted;
}
/*
int ctr_drbg_randomx( void *p_rng, unsigned char *output, size_t output_len ){
   char *getEntropyFromZRTP_tmp(unsigned char *p, int iBytes);
   getEntropyFromZRTP_tmp(output,(int)output_len);
   return 0;
}
*/

/// Open the TCP connection to `address` and prepare the PolarSSL client
/// context for it (no handshake is performed here).
///
/// Steps: tear down any open socket, connect with net_connect(), mark the
/// socket keep-alive (non-Windows), initialise the ssl_context as a client
/// with the fixed cipher-suite list below, and, only when a CA certificate
/// (`cert`) parsed successfully, install it as the CA chain together with
/// `bufCertHost` as the expected hostname.
///
/// @param address  Peer to connect to; copied into addrConnected.
/// @return Always 0, on success and on every failure path alike: callers
///         cannot tell from the return value whether the connect worked and
///         have to look at iConnected (1 only on the success path).
int CTTLS::_connect(ADDR *address) {
    addrConnected=*address;
    // int server_fd=((T_SSL*)pSSL)->sock;
    ssl_context *ssl=&((T_SSL*)pSSL)->ssl;
    x509_cert *ca=&((T_SSL*)pSSL)->cacert;

    // Cipher-suite list handed to ssl_set_ciphersuites() below. The old
    // PolarSSL 1.1 names are kept under #if 0; the live list is the
    // PolarSSL 1.2 TLS_* naming, DHE-RSA suites first, RC4 commented out.
#if 0
    static int ssl_default_ciphersuitesz[] = {
#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
    // SSL_EDH_RSA_AES_128_SHA,
    SSL_EDH_RSA_AES_256_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
    SSL_EDH_RSA_CAMELLIA_128_SHA, SSL_EDH_RSA_CAMELLIA_256_SHA,
#endif
#if defined(POLARSSL_DES_C)
    SSL_EDH_RSA_DES_168_SHA,
#endif
#endif
#if defined(POLARSSL_AES_C)
    SSL_RSA_AES_256_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
    SSL_RSA_CAMELLIA_256_SHA,
#endif
#if defined(POLARSSL_AES_C)
    // SSL_RSA_AES_128_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
    // SSL_RSA_CAMELLIA_128_SHA,
#endif
#if defined(POLARSSL_DES_C)
    SSL_RSA_DES_168_SHA,
#endif
#if defined(POLARSSL_ARC4_C)
    SSL_RSA_RC4_128_SHA, SSL_RSA_RC4_128_MD5,
#endif
    0
    };
#else
    const int ssl_default_ciphersuitesz[] = {
#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
#endif
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
#if defined(POLARSSL_SHA2_C)
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
#endif
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
#if defined(POLARSSL_SHA2_C)
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
#endif
#if defined(POLARSSL_DES_C)
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
#endif
#endif
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
    TLS_RSA_WITH_AES_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
    TLS_RSA_WITH_AES_256_GCM_SHA384,
#endif /* POLARSSL_SHA2_C */
    TLS_RSA_WITH_AES_256_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
#endif
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
    TLS_RSA_WITH_AES_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
    TLS_RSA_WITH_AES_128_GCM_SHA256,
#endif /* POLARSSL_SHA2_C */
    TLS_RSA_WITH_AES_128_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
#endif
#if defined(POLARSSL_DES_C)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
#endif
#if defined(POLARSSL_ARC4_C)
    // TLS_RSA_WITH_RC4_128_SHA,
    // TLS_RSA_WITH_RC4_128_MD5,
#endif
    0
    };
#endif

    // Re-entrancy guard: a connect already in progress is silently skipped
    // (and, like every other path, reports 0).
    if(iCallingConnect)return 0;
    CTAutoIntUnlock _a(&iCallingConnect);

    // Drop a still-open socket before reconnecting.
    // NOTE(review): the purpose of the 100 ms pause is not visible here.
    if(!iClosed) {
        puts("destr tls");
        closeSocket();
        Sleep(100);
        puts("destr tls ok");
    }

    char bufX[64];
    address->toStr(&bufX[0],0);

    // Port 5060 is bumped by one; the author's own TODO marks this as a hack.
    int iIncPort=0;
    if(address->getPort()==5060)iIncPort++;//TODO fix
    iConnected=0;
    int ret;

    // NOTE(review): zeroing the CA struct discards any chain parsed by an
    // earlier call without freeing it — confirm nothing was allocated there.
    memset( ca, 0, sizeof( x509_cert ) );
    do {
#define CERT_VERIFY
        // iCertErr stays 1 (no usable CA) unless `cert` is set and parses;
        // it decides below whether any server authentication happens.
        int iCertErr=1;
#ifdef CERT_VERIFY
        char *p=cert;
        if(cert) {
            iCertErr = x509parse_crt( ca, (unsigned char *) p, strlen( p ) );
        }
#endif
        puts(&bufX[0]);
        if(net_connect(&(((T_SSL*)pSSL)->sock),&bufX[0],address->getPort()+iIncPort)) break;
        iLastTLSSOCK_TEST=(((T_SSL*)pSSL)->sock);
        // From here on the socket is open and must be closed by whoever
        // honours iNeedCallCloseSocket, including on the ssl_init failure
        // path below.
        iNeedCallCloseSocket=1;
#ifndef _WIN32
        int on=1;
        setsockopt((((T_SSL*)pSSL)->sock), SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on));//new 05052012 //TODO set this if need backgr only
#endif
        relTcpBGSock(((T_SSL*)pSSL)->voipBCKGR);
        ((T_SSL*)pSSL)->voipBCKGR=prepareTcpSocketForBg(((T_SSL*)pSSL)->sock);
        initEntropy();
        if( ( ret = ssl_init( ssl ) ) != 0 ) {
            error_strerror(ret,&bufErr[0],sizeof(bufErr)-1);
            tivi_slog("ssl_init[%s]",&bufErr[0]);
            break;
        }
        ssl_set_endpoint( ssl, SSL_IS_CLIENT );
        // Peer verification is never REQUIRED: with a parsed CA it is
        // OPTIONAL (PolarSSL continues the handshake even when the chain
        // check fails), and without one it is NONE, i.e. no server
        // authentication at all.
        ssl_set_authmode( ssl,iCertErr==0?SSL_VERIFY_OPTIONAL:SSL_VERIFY_NONE );
        ssl_set_rng( ssl, ctr_drbg_random, &((T_SSL*)pSSL)->ctr_drbg );
        // Library debug output goes to stdout.
        ssl_set_dbg( ssl, my_debug, stdout );
        ssl_set_bio( ssl, net_recv, (void*)&(((T_SSL*)pSSL)->sock), net_send, (void*)&(((T_SSL*)pSSL)->sock) );
        ssl_set_ciphersuites( ssl, ssl_default_ciphersuitesz );
        //ssl_set_session( ssl, 1, 600, &((T_SSL*)pSSL)->ssn );//will timeout after 600, and will be resumed
        // ssl_set_session( ssl, 1, 0, &((T_SSL*)pSSL)->ssn );//will never timeout, and will be resumed
        iCertFailed=0;
#ifdef CERT_VERIFY
        // CA chain and expected hostname are installed only when `cert`
        // parsed. checkCert() runs before any handshake has taken place in
        // this function; what it can verify at this point is not visible
        // here — NOTE(review): confirm against its definition.
        if(iCertErr==0) {
            ssl_set_ca_chain( ssl, ca, NULL, &bufCertHost[0] );
            ssl_set_hostname( ssl, &bufCertHost[0] );
            checkCert();
        }
#endif
        iClosed=0;
        iConnected=1;
        addrConnected=*address;
    } while(0);
    return 0;
}