static void virgo__global_init(virgo_t **p_v) { #if !defined(OPENSSL_NO_COMP) STACK_OF(SSL_COMP)* comp_methods; #endif if (global_virgo_init++) { return; } SSL_library_init(); OpenSSL_add_all_algorithms(); OpenSSL_add_all_digests(); SSL_load_error_strings(); ERR_load_crypto_strings(); /* Turn off compression. Saves memory - do it in userland. */ #if !defined(OPENSSL_NO_COMP) #if OPENSSL_VERSION_NUMBER < 0x00908000L comp_methods = SSL_COMP_get_compression_method() #else comp_methods = SSL_COMP_get_compression_methods(); #endif sk_SSL_COMP_zero(comp_methods); assert(sk_SSL_COMP_num(comp_methods) == 0); #endif /* TODO: other platform init */ }
int SPDYF_openssl_init(struct SPDY_Daemon *daemon) { int options; //create ssl context. TLSv1 used if(NULL == (daemon->io_context = SSL_CTX_new(TLSv1_server_method()))) { SPDYF_DEBUG("Couldn't create ssl context"); return SPDY_NO; } //set options for tls //TODO DH is not enabled for easier debugging //SSL_CTX_set_options(daemon->io_context, SSL_OP_SINGLE_DH_USE); //TODO here session tickets are disabled for easier debuging with //wireshark when using Chrome // SSL_OP_NO_COMPRESSION disables TLS compression to avoid CRIME attack options = SSL_OP_NO_TICKET; #ifdef SSL_OP_NO_COMPRESSION options |= SSL_OP_NO_COMPRESSION; #elif OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); #endif SSL_CTX_set_options(daemon->io_context, options); if(1 != SSL_CTX_use_certificate_file(daemon->io_context, daemon->certfile , SSL_FILETYPE_PEM)) { SPDYF_DEBUG("Couldn't load the cert file"); SSL_CTX_free(daemon->io_context); return SPDY_NO; } if(1 != SSL_CTX_use_PrivateKey_file(daemon->io_context, daemon->keyfile, SSL_FILETYPE_PEM)) { SPDYF_DEBUG("Couldn't load the name file"); SSL_CTX_free(daemon->io_context); return SPDY_NO; } SSL_CTX_set_next_protos_advertised_cb(daemon->io_context, &spdyf_next_protos_advertised_cb, NULL); //TODO only RC4-SHA is used to make it easy to debug with wireshark if (1 != SSL_CTX_set_cipher_list(daemon->io_context, "RC4-SHA")) { SPDYF_DEBUG("Couldn't set the desired cipher list"); SSL_CTX_free(daemon->io_context); return SPDY_NO; } return SPDY_YES; }
void lwp_init () { if (init_called) return; init_called = lw_true; #ifdef ENABLE_SSL STACK_OF (SSL_COMP) * comp_methods; SSL_library_init (); SSL_load_error_strings (); ERR_load_crypto_strings (); comp_methods = SSL_COMP_get_compression_methods (); sk_SSL_COMP_zero (comp_methods); #endif }
SSL_CTX * _SSL_context_init (void (*info_cb_func), int server) { SSL_CTX *ctx; #ifdef WIN32 int i, r; #endif SSLeay_add_ssl_algorithms (); SSL_load_error_strings (); ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ()); SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH); SSL_CTX_set_timeout (ctx, 300); SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 |SSL_OP_NO_COMPRESSION |SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE |SSL_OP_NO_TICKET |SSL_OP_CIPHER_SERVER_PREFERENCE); #if OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); #endif /* used in SSL_connect(), SSL_accept() */ SSL_CTX_set_info_callback (ctx, info_cb_func); #ifdef WIN32 /* under win32, OpenSSL needs to be seeded with some randomness */ for (i = 0; i < 128; i++) { r = rand (); RAND_seed ((unsigned char *)&r, sizeof (r)); } #endif return(ctx); }
/* * called once from main.c (main process) */ int init_tls(void) { int i; #if (OPENSSL_VERSION_NUMBER >= 0x00908000L) && !defined(OPENSSL_NO_COMP) STACK_OF(SSL_COMP)* comp_methods; #endif LM_DBG("entered\n"); #if OPENSSL_VERSION_NUMBER < 0x00907000L LM_WARN("using an old version of OpenSSL (< 0.9.7). Upgrade!\n"); #endif /* * this has to be called before any function calling CRYPTO_malloc, * CRYPTO_malloc will set allow_customize in openssl to 0 */ if (!CRYPTO_set_mem_functions(ser_malloc, ser_realloc, ser_free)) { LM_ERR("unable to set the memory allocation functions\n"); return -1; } #if (OPENSSL_VERSION_NUMBER >= 0x00908000L) && !defined(OPENSSL_NO_COMP) /* disabling compression */ LM_WARN("disabling compression due ZLIB problems\n"); comp_methods = SSL_COMP_get_compression_methods(); if (comp_methods==0) { LM_INFO("openssl compression already disabled\n"); } else { sk_SSL_COMP_zero(comp_methods); } #endif if (tls_init_multithread() < 0) { LM_ERR("failed to init multi-threading support\n"); return -1; } SSL_library_init(); SSL_load_error_strings(); init_ssl_methods(); i = check_for_krb(); if (i==-1) { LM_ERR("kerberos check failed\n"); return -1; } if ( ( i ^ #ifndef OPENSSL_NO_KRB5 1 #else 0 #endif )!=0 ) { LM_ERR("compiled agaist an openssl with %s" "kerberos, but run with one with %skerberos\n", (i==1)?"":"no ",(i!=1)?"no ":""); return -1; } /* * now initialize tls default domains */ if ( (i=init_tls_domains(tls_default_server_domain)) ) { return i; } if ( (i=init_tls_domains(tls_default_client_domain)) ) { return i; } /* * now initialize tls virtual domains */ if ( (i=init_tls_domains(tls_server_domains)) ) { return i; } if ( (i=init_tls_domains(tls_client_domains)) ) { return i; } /* * we are all set */ return 0; }
static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout, ssl_handshake_func_t func, unsigned long *ssl_errno_holder) { int r; SSL *ssl; my_socket sd= mysql_socket_getfd(vio->mysql_socket); /* Declared here to make compiler happy */ #if !defined(HAVE_YASSL) && !defined(DBUG_OFF) int j, n; #endif DBUG_ENTER("ssl_do"); DBUG_PRINT("enter", ("ptr: 0x%lx, sd: %d ctx: 0x%lx", (long) ptr, sd, (long) ptr->ssl_context)); if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); *ssl_errno_holder= ERR_get_error(); DBUG_RETURN(1); } DBUG_PRINT("info", ("ssl: 0x%lx timeout: %ld", (long) ssl, timeout)); SSL_clear(ssl); SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); SSL_set_fd(ssl, sd); #if !defined(HAVE_YASSL) && defined(SSL_OP_NO_COMPRESSION) SSL_set_options(ssl, SSL_OP_NO_COMPRESSION); /* OpenSSL >= 1.0 only */ #elif OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); #endif #if !defined(HAVE_YASSL) && !defined(DBUG_OFF) { STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; ssl_comp_methods = SSL_COMP_get_compression_methods(); n= sk_SSL_COMP_num(ssl_comp_methods); DBUG_PRINT("info", ("Available compression methods:\n")); if (n == 0) DBUG_PRINT("info", ("NONE\n")); else for (j = 0; j < n; j++) { SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); DBUG_PRINT("info", (" %d: %s\n", c->id, c->name)); } } #endif /* Since yaSSL does not support non-blocking send operations, use special transport functions that properly handles non-blocking sockets. These functions emulate the behavior of blocking I/O operations by waiting for I/O to become available. */ #ifdef HAVE_YASSL /* Set first argument of the transport functions. */ yaSSL_transport_set_ptr(ssl, vio); /* Set functions to use in order to send and receive data. */ yaSSL_transport_set_recv_function(ssl, yassl_recv); yaSSL_transport_set_send_function(ssl, yassl_send); #endif if ((r= ssl_handshake_loop(vio, ssl, func, ssl_errno_holder)) < 1) { DBUG_PRINT("error", ("SSL_connect/accept failure")); SSL_free(ssl); DBUG_RETURN(1); } /* Connection succeeded. Install new function handlers, change type, set sd to the fd used when connecting and set pointer to the SSL structure */ if (vio_reset(vio, VIO_TYPE_SSL, SSL_get_fd(ssl), ssl, 0)) DBUG_RETURN(1); #ifndef DBUG_OFF { /* Print some info about the peer */ X509 *cert; char buf[512]; DBUG_PRINT("info",("SSL connection succeeded")); DBUG_PRINT("info",("Using cipher: '%s'" , SSL_get_cipher_name(ssl))); if ((cert= SSL_get_peer_certificate (ssl))) { DBUG_PRINT("info",("Peer certificate:")); X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); DBUG_PRINT("info",("\t subject: '%s'", buf)); X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); DBUG_PRINT("info",("\t issuer: '%s'", buf)); X509_free(cert); } else DBUG_PRINT("info",("Peer does not have certificate.")); if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf))) { DBUG_PRINT("info",("shared_ciphers: '%s'", buf)); } else DBUG_PRINT("info",("no shared ciphers!")); } #endif DBUG_RETURN(0); }
static int mod_init(void){ str s; int n; LM_INFO("initializing TLS protocol\n"); if (tls_db_enabled != 0 && tls_db_enabled != 1) { tls_db_enabled = 1; } if (tls_db_enabled) { /* create & init lock */ if ((dom_lock = lock_init_rw()) == NULL) { LM_CRIT("failed to init lock\n"); return -1; } init_db_url(tls_db_url, 0 /*cannot be null*/); tls_db_table.len = strlen(tls_db_table.s); if (tls_db_table.len == 0) { LM_ERR("db url not specified\n"); return -1; } id_col.len = strlen(id_col.s); address_col.len = strlen(address_col.s); type_col.len = strlen(type_col.s); method_col.len = strlen(method_col.s); verify_cert_col.len = strlen(verify_cert_col.s); require_cert_col.len = strlen(require_cert_col.s); certificate_col.len = strlen(certificate_col.s); pk_col.len = strlen(pk_col.s); crl_check_col.len = strlen(crl_check_col.s); calist_col.len = strlen(calist_col.s); cadir_col.len = strlen(cadir_col.s); cplist_col.len = strlen(cplist_col.s); dhparams_col.len = strlen(dhparams_col.s); eccurve_col.len = strlen(eccurve_col.s); if (db_bind_mod(&tls_db_url, &dr_dbf)) { LM_CRIT("cannot bind to database module! " "Did you forget to load a database module ?\n"); return -1; } /* init DB connection */ if ((db_hdl = dr_dbf.init(&tls_db_url)) == 0) { LM_CRIT("cannot initialize database connection\n"); return -1; } if (dr_dbf.use_table(db_hdl, &tls_db_table) < 0) { LM_ERR("cannot select table \"%.*s\"\n", tls_db_table.len, tls_db_table.s); return -1; } } if (tls_domain_avp) { s.s = tls_domain_avp; s.len = strlen(s.s); if (parse_avp_spec( &s, &tls_client_domain_avp)) { LM_ERR("cannot parse tls_client_avp"); return -1; } } /* * this has to be called before any function calling CRYPTO_malloc, * CRYPTO_malloc will set allow_customize in openssl to 0 */ if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) { LM_ERR("unable to set the memory allocation functions\n"); LM_ERR("NOTE: check if you have openssl 1.0.1e-fips, as this " "version is know to be broken; if so, you need to upgrade or " "downgrade to a differen openssl version !!\n"); return -1; } #if !defined(OPENSSL_NO_COMP) STACK_OF(SSL_COMP)* comp_methods; /* disabling compression */ LM_WARN("disabling compression due ZLIB problems\n"); comp_methods = SSL_COMP_get_compression_methods(); if (comp_methods==0) { LM_INFO("openssl compression already disabled\n"); } else { sk_SSL_COMP_zero(comp_methods); } #endif if (tls_init_multithread() < 0) { LM_ERR("failed to init multi-threading support\n"); return -1; } SSL_library_init(); SSL_load_error_strings(); init_ssl_methods(); n = check_for_krb(); if (n==-1) { LM_ERR("kerberos check failed\n"); return -1; } if ( ( n ^ #ifndef OPENSSL_NO_KRB5 1 #else 0 #endif )!=0 ) { LM_ERR("compiled agaist an openssl with %s" "kerberos, but run with one with %skerberos\n", (n==1)?"":"no ",(n!=1)?"no ":""); return -1; } /* * finish setting up the tls default domains */ tls_default_client_domain.type = TLS_DOMAIN_DEF|TLS_DOMAIN_CLI ; tls_default_client_domain.addr.af = AF_INET; tls_default_server_domain.type = TLS_DOMAIN_DEF|TLS_DOMAIN_SRV; tls_default_server_domain.addr.af = AF_INET; /* * now initialize tls default domains */ if ( (n=init_tls_domains(&tls_default_server_domain)) ) { return n; } if ( (n=init_tls_domains(&tls_default_client_domain)) ) { return n; } /* * now initialize tls virtual domains */ if (tls_db_enabled && load_info(&dr_dbf, db_hdl, &tls_db_table, &tls_server_domains, &tls_client_domains)){ return -1; } if ( (n=init_tls_domains(tls_server_domains)) ) { return n; } if ( (n=init_tls_domains(tls_client_domains)) ) { return n; } /* * we are all set */ return 0; }
/* * Initialize OpenSSL and verify the random number generator works. * Returns -1 on failure, 0 on success. */ int ssl_init(void) { #ifndef PURIFY int fd; #endif /* !PURIFY */ char buf[256]; if (ssl_initialized) return 0; /* general initialization */ SSL_library_init(); #ifdef PURIFY CRYPTO_umalloc_init(); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif /* PURIFY */ SSL_load_error_strings(); OpenSSL_add_all_algorithms(); /* thread-safety */ #ifdef OPENSSL_THREADS ssl_mutex_num = CRYPTO_num_locks(); ssl_mutex = umalloc(ssl_mutex_num * sizeof(*ssl_mutex)); int i; for (i = 0; i < ssl_mutex_num; i++) { pthread_mutex_init(&ssl_mutex[i], NULL); } CRYPTO_set_locking_callback(ssl_thr_locking_cb); CRYPTO_set_dynlock_create_callback(ssl_thr_dyn_create_cb); CRYPTO_set_dynlock_lock_callback(ssl_thr_dyn_lock_cb); CRYPTO_set_dynlock_destroy_callback(ssl_thr_dyn_destroy_cb); #ifdef OPENSSL_NO_THREADID CRYPTO_set_id_callback(ssl_thr_id_cb); #else /* !OPENSSL_NO_THREADID */ CRYPTO_THREADID_set_callback(ssl_thr_id_cb); #endif /* !OPENSSL_NO_THREADID */ #endif /* OPENSSL_THREADS */ /* randomness */ #ifndef PURIFY if ((fd = open("/dev/urandom", O_RDONLY)) == -1) { log_err_printf("Error opening /dev/urandom for reading: %s\n", strerror(errno)); return -1; } while (!RAND_status()) { if (read(fd, buf, sizeof(buf)) == -1) { log_err_printf("Error reading from /dev/urandom: %s\n", strerror(errno)); close(fd); return -1; } RAND_seed(buf, sizeof(buf)); } close(fd); if (!RAND_poll()) { log_err_printf("RAND_poll() failed.\n"); return -1; } #else /* PURIFY */ log_err_printf("Warning: not seeding OpenSSL RAND due to PURITY!\n"); memset(buf, 0, sizeof(buf)); while (!RAND_status()) { RAND_seed(buf, sizeof(buf)); } #endif /* PURIFY */ #ifdef USE_FOOTPRINT_HACKS /* HACK: disable compression by zeroing the global comp algo stack. * This lowers the per-connection memory footprint by ~500k. */ STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_methods(); sk_SSL_COMP_zero(comp_methods); #endif /* USE_FOOTPRINT_HACKS */ ssl_initialized = 1; return 0; }
int evhtp_ssl_init(evhtp * htp, evhtp_ssl_cfg * cfg) { long cache_mode; evhtp_ssl_scache_init init_cb = NULL; evhtp_ssl_scache_add add_cb = NULL; evhtp_ssl_scache_get get_cb = NULL; evhtp_ssl_scache_del del_cb = NULL; if (cfg == NULL || htp == NULL || cfg->pemfile == NULL) { return -1; } SSL_library_init(); SSL_load_error_strings(); RAND_poll(); STACK_OF(SSL_COMP) * comp_methods = SSL_COMP_get_compression_methods(); sk_SSL_COMP_zero(comp_methods); htp->ssl_cfg = cfg; htp->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); #if OPENSSL_VERSION_NUMBER >= 0x10000000L SSL_CTX_set_options(htp->ssl_ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_timeout(htp->ssl_ctx, 60 * 60 * 48); #endif SSL_CTX_set_options(htp->ssl_ctx, cfg->ssl_opts); if (cfg->ciphers != NULL) { SSL_CTX_set_cipher_list(htp->ssl_ctx, cfg->ciphers); } SSL_CTX_load_verify_locations(htp->ssl_ctx, cfg->cafile, cfg->capath); X509_STORE_set_flags(SSL_CTX_get_cert_store(htp->ssl_ctx), cfg->store_flags); SSL_CTX_set_verify(htp->ssl_ctx, cfg->verify_peer, cfg->x509_verify_cb); if (cfg->x509_chk_issued_cb != NULL) { htp->ssl_ctx->cert_store->check_issued = cfg->x509_chk_issued_cb; } if (cfg->verify_depth) { SSL_CTX_set_verify_depth(htp->ssl_ctx, cfg->verify_depth); } switch (cfg->scache_type) { case evhtp_ssl_scache_type_disabled: cache_mode = SSL_SESS_CACHE_OFF; break; case evhtp_ssl_scache_type_user: cache_mode = SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP; init_cb = cfg->scache_init; add_cb = cfg->scache_add; get_cb = cfg->scache_get; del_cb = cfg->scache_del; break; case evhtp_ssl_scache_type_builtin: cache_mode = SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP; #if 0 init_cb = _evhtp_ssl_builtin_init; add_cb = _evhtp_ssl_builtin_add; get_cb = _evhtp_ssl_builtin_get; del_cb = _evhtp_ssl_builtin_del; #endif break; case evhtp_ssl_scache_type_internal: default: cache_mode = SSL_SESS_CACHE_SERVER; break; } /* switch */ SSL_CTX_use_certificate_file(htp->ssl_ctx, cfg->pemfile, SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(htp->ssl_ctx, cfg->privfile ? cfg->privfile: cfg->pemfile, SSL_FILETYPE_PEM); SSL_CTX_set_session_id_context(htp->ssl_ctx, (const unsigned char*)&session_id_context, sizeof(session_id_context)); SSL_CTX_set_app_data(htp->ssl_ctx, htp); SSL_CTX_set_session_cache_mode(htp->ssl_ctx, cache_mode); if (cache_mode != SSL_SESS_CACHE_OFF) { SSL_CTX_sess_set_cache_size(htp->ssl_ctx, cfg->scache_size ? cfg->scache_size : 1024); if (cfg->scache_type == evhtp_ssl_scache_type_builtin || cfg->scache_type == evhtp_ssl_scache_type_user) { SSL_CTX_sess_set_new_cb(htp->ssl_ctx, _evhtp_ssl_add_scache_ent); SSL_CTX_sess_set_get_cb(htp->ssl_ctx, _evhtp_ssl_get_scache_ent); SSL_CTX_sess_set_remove_cb(htp->ssl_ctx, _evhtp_ssl_delete_scache_ent); if (cfg->scache_init) { cfg->args = (cfg->scache_init)(htp); } } } return 0; } /* evhtp_use_ssl */
static int mod_init(void) { str s; int n; LM_INFO("initializing TLS protocol\n"); if (tls_domain_avp) { s.s = tls_domain_avp; s.len = strlen(s.s); if (parse_avp_spec( &s, &tls_client_domain_avp)) { LM_ERR("cannot parse tls_client_avp"); return -1; } } /* * this has to be called before any function calling CRYPTO_malloc, * CRYPTO_malloc will set allow_customize in openssl to 0 */ if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) { LM_ERR("unable to set the memory allocation functions\n"); return -1; } #if !defined(OPENSSL_NO_COMP) STACK_OF(SSL_COMP)* comp_methods; /* disabling compression */ LM_WARN("disabling compression due ZLIB problems\n"); comp_methods = SSL_COMP_get_compression_methods(); if (comp_methods==0) { LM_INFO("openssl compression already disabled\n"); } else { sk_SSL_COMP_zero(comp_methods); } #endif if (tls_init_multithread() < 0) { LM_ERR("failed to init multi-threading support\n"); return -1; } SSL_library_init(); SSL_load_error_strings(); init_ssl_methods(); n = check_for_krb(); if (n==-1) { LM_ERR("kerberos check failed\n"); return -1; } if ( ( n ^ #ifndef OPENSSL_NO_KRB5 1 #else 0 #endif )!=0 ) { LM_ERR("compiled agaist an openssl with %s" "kerberos, but run with one with %skerberos\n", (n==1)?"":"no ",(n!=1)?"no ":""); return -1; } /* * finish setting up the tls default domains */ tls_default_client_domain.type = TLS_DOMAIN_DEF|TLS_DOMAIN_CLI ; tls_default_client_domain.addr.af = AF_INET; tls_default_server_domain.type = TLS_DOMAIN_DEF|TLS_DOMAIN_SRV; tls_default_server_domain.addr.af = AF_INET; /* * now initialize tls default domains */ if ( (n=init_tls_domains(&tls_default_server_domain)) ) { return n; } if ( (n=init_tls_domains(&tls_default_client_domain)) ) { return n; } /* * now initialize tls virtual domains */ if ( (n=init_tls_domains(tls_server_domains)) ) { return n; } if ( (n=init_tls_domains(tls_client_domains)) ) { return n; } /* * we are all set */ return 0; }