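/// Open a TCP connection and run the client side of the TLS handshake.
///
/// @param fd        Caller-supplied socket. Currently unused: the transport
///                  is created here with a connect BIO (the `#if 0` branch
///                  below is the socket-BIO alternative that would use it).
/// @param hostname  Used for log messages only; the connect BIO is built
///                  from the @c _hostname member, not from this argument.
/// @param port      TCP port to connect to.
/// @return true once SSL_connect() completed the handshake; false if the
///         context could not be set up, the TCP connect failed, or the
///         handshake did not complete.
///
/// Certificate checking (checkCert) is compiled out with `#if 0` at the end
/// of this function, so a true return does not imply the server's identity
/// was verified.
bool
SSLClient::sslConnect(int fd, std::string &hostname, short port)
{
    GNASH_REPORT_FUNCTION;
    int ret;

    if (!_ctx) {
        if (!sslSetupCTX()) {
            return false;
        }
    }

    _ssl.reset(SSL_new(_ctx.get()));
    if (!_ssl) {
        log_error("Can't allocate SSL handle: %s",
                  ERR_reason_error_string(ERR_get_error()));
        return false;
    }

//     // Make a tcp/ip connect to the server
//     if (createClient(hostname, getPort()) == false) {
//         log_error("Can't connect to server %s", hostname);
//         return false;
//     }

    // Handshake the server
    ERR_clear_error();
#if 0
    _bio.reset(BIO_new_socket(fd, BIO_NOCLOSE));
#else
//     BIO_set_conn_hostname(_bio.get(), _hostname.c_str());
    _bio.reset(BIO_new_connect(const_cast<char *>(_hostname.c_str())));
    if (!_bio) {
        log_error("Can't create connect BIO for %s", _hostname);
        return false;
    }

    // BIO_set_conn_int_port() reads an int through the pointer it is given;
    // handing it the address of a short read past the variable and produced
    // a garbage port. Widen to int first.
    int int_port = port;
    BIO_set_conn_int_port(_bio.get(), &int_port);
    log_debug("PORT is: %d", BIO_get_conn_port(_bio.get()));

    if (BIO_do_connect(_bio.get()) <= 0) {
        log_error("Error connecting to remote machine: %s",
                  ERR_reason_error_string(ERR_get_error()));
        // Previously fell through to SSL_connect() on a dead BIO, which
        // failed with a misleading "SSL server" error.
        return false;
    }
#endif

    // NOTE(review): SSL_set_bio() hands ownership of the BIO to the SSL
    // object; if _bio's deleter also frees it, the BIO is released twice
    // when both members are reset -- confirm the deleter used for _bio.
    SSL_set_bio(_ssl.get(), _bio.get(), _bio.get());
    SSL_set_connect_state(_ssl.get());

    // SSL_connect() returns 1 only for a completed handshake; 0 means the
    // peer shut the connection down before it finished, so anything other
    // than 1 is a failure (the previous check only rejected negative values).
    if ((ret = SSL_connect(_ssl.get())) != 1) {
        log_error("Can't connect to SSL server %s", hostname);
        log_error("Error was: \"%s\"!", ERR_reason_error_string(ERR_get_error()));
        return false;
    }
    log_debug("Connected to SSL server %s", hostname);

    ERR_clear_error();
#if 0
    // Server authentication is disabled here: without this block the peer's
    // certificate chain and host name are never checked.
    if (_need_server_auth) {
        checkCert(hostname);
    }
#endif

    return true;
}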
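/// Run the client side of the TLS handshake on `ssl` and fetch the peer's
/// certificate into `cert`.
///
/// @return true when SSL_connect() completed, a peer certificate was
///         obtained and checkCert() accepted it; false otherwise, after
///         reporting the failure through displayError.
///
/// The error text is built in a local buffer_t only on the failure paths,
/// so nothing is left allocated when returning true (the previous version
/// called buffer_init() up front and never released it on success).
bool SSLConnection::negotiate () {
  int err;
  const char *errmsg;
  char errbuf[256];
  buffer_t msg;

#if OPENSSL_VERSION_NUMBER >= 0x00906000L
  /* This only exists in 0.9.6 and above. Without it we may get interrupted
   *   reads or writes. Bummer. */
  SSL_set_mode (ssl, SSL_MODE_AUTO_RETRY);
#endif

  if ((err = SSL_connect (ssl)) != 1) {
    switch (SSL_get_error (ssl, err)) {
    case SSL_ERROR_SYSCALL:
      errmsg = _("I/O error");
      break;
    case SSL_ERROR_SSL:
#if OPENSSL_VERSION_NUMBER >= 0x00906000L
      /* ERR_error_string() with a NULL buffer formats into a static buffer
       * shared by all threads; use the re-entrant variant where available. */
      ERR_error_string_n (ERR_get_error (), errbuf, sizeof (errbuf));
      errmsg = errbuf;
#else
      errmsg = ERR_error_string (ERR_get_error (), NULL);
#endif
      break;
    default:
      errmsg = _("unknown error");
    }
    buffer_init(&msg);
    buffer_add_str(&msg,(_("OpenSSL's connect() failed: ")),-1);
    buffer_add_str(&msg,errmsg,-1);
    displayError.emit(&msg);
    buffer_free(&msg);
    return false;
  }

  /* A handshake can complete without the peer presenting a certificate;
   * that is a failure here because checkCert() has nothing to verify. */
  if (!(cert = SSL_get_peer_certificate (ssl))) {
    buffer_init(&msg);
    buffer_add_str(&msg,_("Unable to get certificate from peer"),-1);
    displayError.emit(&msg);
    buffer_free(&msg);
    return false;
  }

  /* checkCert() is expected to report its own failure; nothing to add. */
  return checkCert();
}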
/// Convenience overload: checks the certificate against the host name this
/// client was configured with, by delegating to the host-name overload.
///
/// @return the result of checkCert(hostname) for the @c _hostname member.
bool
SSLClient::checkCert()
{
    GNASH_REPORT_FUNCTION;
    // Same check as the explicit-host overload, using the stored peer name.
    return this->checkCert(_hostname);
}
/*
int ctr_drbg_randomx( void *p_rng,
                    unsigned char *output, size_t output_len ){
   char *getEntropyFromZRTP_tmp(unsigned char *p, int iBytes);

   getEntropyFromZRTP_tmp(output,(int)output_len);

   return 0;
}
 */
// Open a TCP connection to `address` and prepare the PolarSSL context for a
// TLS client session. The handshake itself is not run here.
//
// Side effects on members: addrConnected, iConnected, iClosed, iCertFailed,
// iNeedCallCloseSocket and iLastTLSSOCK_TEST are updated; the socket,
// entropy and ssl_context inside pSSL are (re)initialised.
//
// Returns 0 in every case -- including when net_connect() or ssl_init()
// fails -- so callers must inspect iConnected rather than the return value.
int CTTLS::_connect(ADDR *address) {
    addrConnected=*address;
//	int server_fd=((T_SSL*)pSSL)->sock;
    ssl_context *ssl=&((T_SSL*)pSSL)->ssl;
    x509_cert *ca=&((T_SSL*)pSSL)->cacert;


#if 0
    static int ssl_default_ciphersuitesz[] =
    {
#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
//    SSL_EDH_RSA_AES_128_SHA,
        SSL_EDH_RSA_AES_256_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
        SSL_EDH_RSA_CAMELLIA_128_SHA,
        SSL_EDH_RSA_CAMELLIA_256_SHA,
#endif
#if defined(POLARSSL_DES_C)
        SSL_EDH_RSA_DES_168_SHA,
#endif
#endif

#if defined(POLARSSL_AES_C)
        SSL_RSA_AES_256_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
        SSL_RSA_CAMELLIA_256_SHA,
#endif
#if defined(POLARSSL_AES_C)
        // SSL_RSA_AES_128_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
        // SSL_RSA_CAMELLIA_128_SHA,
#endif
#if defined(POLARSSL_DES_C)
        SSL_RSA_DES_168_SHA,
#endif
#if defined(POLARSSL_ARC4_C)
        SSL_RSA_RC4_128_SHA,
        SSL_RSA_RC4_128_MD5,
#endif
        0
    };
#else
    // Ciphersuite preference list handed to ssl_set_ciphersuites() below,
    // zero-terminated. DHE suites come first; RC4 suites are commented out
    // (the list still offers 3DES and CBC suites when those modules are
    // compiled in). Rebuilt on every call because it is a local.
    const int ssl_default_ciphersuitesz[] =
    {
#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
#endif
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
#if defined(POLARSSL_SHA2_C)
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
#endif
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
#endif
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
#if defined(POLARSSL_SHA2_C)
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
#endif
#if defined(POLARSSL_DES_C)
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
#endif
#endif


#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
        TLS_RSA_WITH_AES_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
        TLS_RSA_WITH_AES_256_GCM_SHA384,
#endif /* POLARSSL_SHA2_C */
        TLS_RSA_WITH_AES_256_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
#endif
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
        TLS_RSA_WITH_AES_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
        TLS_RSA_WITH_AES_128_GCM_SHA256,
#endif /* POLARSSL_SHA2_C */
        TLS_RSA_WITH_AES_128_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
#endif
#if defined(POLARSSL_DES_C)
        TLS_RSA_WITH_3DES_EDE_CBC_SHA,
#endif
#if defined(POLARSSL_ARC4_C)
        //  TLS_RSA_WITH_RC4_128_SHA,
        // TLS_RSA_WITH_RC4_128_MD5,
#endif
        0
    };
#endif
    // Re-entrancy guard: a second _connect() while one is in progress is a
    // no-op (still returns 0). CTAutoIntUnlock presumably resets
    // iCallingConnect when it goes out of scope -- confirm against its
    // definition.
    if(iCallingConnect)return 0;

    CTAutoIntUnlock _a(&iCallingConnect);

    // Tear down any previous socket before reconnecting.
    if(!iClosed) {
        puts("destr tls");
        closeSocket();
        Sleep(100);
        puts("destr tls ok");
    }



    // NOTE(review): toStr() is given no buffer length (second argument is
    // 0); assumes the textual address always fits in 64 bytes -- verify
    // against ADDR::toStr().
    char bufX[64];
    address->toStr(&bufX[0],0);
    // Port 5060 is bumped by one before connecting (flagged TODO upstream).
    int iIncPort=0;
    if(address->getPort()==5060)iIncPort++;//TODO fix

    iConnected=0;
    int ret;
    memset( ca, 0, sizeof( x509_cert ) );
    // Single-pass do/while(0): any `break` below abandons the connection
    // attempt and falls through to `return 0`, leaving iConnected at 0.
    do {
#define CERT_VERIFY
        // iCertErr stays non-zero (no trusted CA) unless `cert` parses
        // successfully below; it selects the authmode further down.
        int iCertErr=1;
#ifdef CERT_VERIFY

        char *p=cert;
        if(cert) {
            iCertErr = x509parse_crt( ca, (unsigned char *) p,       strlen( p ) );
        }
#endif
        puts(&bufX[0]);
        if(net_connect(&(((T_SSL*)pSSL)->sock),&bufX[0],address->getPort()+iIncPort))
            break;

        iLastTLSSOCK_TEST=(((T_SSL*)pSSL)->sock);
        iNeedCallCloseSocket=1;
#ifndef _WIN32
        int on=1;

        setsockopt((((T_SSL*)pSSL)->sock), SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on));//new 05052012
//TODO set this if need backgr only
#endif
        relTcpBGSock(((T_SSL*)pSSL)->voipBCKGR);
        ((T_SSL*)pSSL)->voipBCKGR=prepareTcpSocketForBg(((T_SSL*)pSSL)->sock);

        initEntropy();

        // Socket is already open at this point; on failure it is left for the
        // later closeSocket() path (iNeedCallCloseSocket was set above).
        if( ( ret = ssl_init( ssl ) ) != 0 )
        {
            error_strerror(ret,&bufErr[0],sizeof(bufErr)-1);
            tivi_slog("ssl_init[%s]",&bufErr[0]);
            break;
        }


        ssl_set_endpoint( ssl, SSL_IS_CLIENT );

        // Peer authentication policy. With a parsed CA: SSL_VERIFY_OPTIONAL,
        // i.e. the handshake proceeds even if chain verification fails and
        // the verify result has to be checked separately. Without a parsed
        // CA: SSL_VERIFY_NONE, i.e. the server's certificate is not checked
        // at all and the connection is not authenticated.
        ssl_set_authmode( ssl,iCertErr==0?SSL_VERIFY_OPTIONAL:SSL_VERIFY_NONE );

        ssl_set_rng( ssl, ctr_drbg_random, &((T_SSL*)pSSL)->ctr_drbg );

        // Library debug output goes to stdout.
        ssl_set_dbg( ssl, my_debug, stdout );
        ssl_set_bio( ssl, net_recv, (void*)&(((T_SSL*)pSSL)->sock),
                     net_send, (void*)&(((T_SSL*)pSSL)->sock) );

        ssl_set_ciphersuites( ssl, ssl_default_ciphersuitesz );
        //ssl_set_session( ssl, 1, 600, &((T_SSL*)pSSL)->ssn );//will  timeout after 600, and will be resumed
        //	ssl_set_session( ssl, 1, 0, &((T_SSL*)pSSL)->ssn );//will never timeout, and will be resumed


        iCertFailed=0;
#ifdef CERT_VERIFY
        // Only when a CA was parsed: install it, set the expected host name
        // (bufCertHost) and run checkCert(). This happens before any
        // handshake, so what checkCert() can verify here is unclear -- see
        // its definition.
        if(iCertErr==0) {
            ssl_set_ca_chain( ssl, ca, NULL, &bufCertHost[0] );
            ssl_set_hostname( ssl, &bufCertHost[0] );
            checkCert();
        }
#endif


        iClosed=0;
        iConnected=1;
        addrConnected=*address;
    } while(0);


    // Always 0; success or failure is signalled through iConnected.
    return 0;
}