static int _tnet_transport_ssl_init(tnet_transport_t* transport)
{
if(!transport){
TSK_DEBUG_ERROR("Invalid parameter");
return -1;
}
#if HAVE_OPENSSL
{
tnet_socket_type_t type = tnet_transport_get_type(transport);
tsk_bool_t is_tls = (TNET_SOCKET_TYPE_IS_TLS(type) || TNET_SOCKET_TYPE_IS_WSS(type));
tsk_bool_t is_dtls = TNET_SOCKET_TYPE_IS_DTLS(type);
if(is_dtls && !tnet_dtls_is_supported()){
TSK_DEBUG_ERROR("Requesting to create DTLS transport but source code not built with support for this feature");
return -1;
}
if(is_tls && !tnet_tls_is_supported()){
TSK_DEBUG_ERROR("Requesting to create TLS transport but source code not built with support for this feature");
return -1;
}
if((transport->tls.enabled = is_tls)){
if(!transport->tls.ctx_client && !(transport->tls.ctx_client = SSL_CTX_new(SSLv23_client_method()))){
TSK_DEBUG_ERROR("Failed to create SSL client context");
return -2;
}
if(!transport->tls.ctx_server && !(transport->tls.ctx_server = SSL_CTX_new(SSLv23_server_method()))){
TSK_DEBUG_ERROR("Failed to create SSL server context");
return -3;
}
SSL_CTX_set_mode(transport->tls.ctx_client, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(transport->tls.ctx_server, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(transport->tls.ctx_server, SSL_VERIFY_NONE, tsk_null); // to be updated by tnet_transport_tls_set_certs()
SSL_CTX_set_verify(transport->tls.ctx_client, SSL_VERIFY_NONE, tsk_null); // to be updated by tnet_transport_tls_set_certs()
if(SSL_CTX_set_cipher_list(transport->tls.ctx_client, TNET_CIPHER_LIST) <= 0 || SSL_CTX_set_cipher_list(transport->tls.ctx_server, TNET_CIPHER_LIST) <= 0){
TSK_DEBUG_ERROR("SSL_CTX_set_cipher_list failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
return -4;
}
}
#if HAVE_OPENSSL_DTLS
if((transport->dtls.enabled = is_dtls)){
if(!transport->dtls.ctx && !(transport->dtls.ctx = SSL_CTX_new(DTLSv1_method()))){
TSK_DEBUG_ERROR("Failed to create DTLSv1 context");
TSK_OBJECT_SAFE_FREE(transport);
return -5;
}
SSL_CTX_set_read_ahead(transport->dtls.ctx, 1);
// SSL_CTX_set_options(transport->dtls.ctx, SSL_OP_ALL);
// SSL_CTX_set_mode(transport->dtls.ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(transport->dtls.ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, tsk_null); // to be updated by tnet_transport_tls_set_certs()
if(SSL_CTX_set_cipher_list(transport->dtls.ctx, TNET_CIPHER_LIST) <= 0){
TSK_DEBUG_ERROR("SSL_CTX_set_cipher_list failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
return -6;
}
transport->dtls.activated = tsk_true;
}
#endif /* HAVE_OPENSSL_DTLS */
}
#endif /* HAVE_OPENSSL */
return 0;
}
SSLModule(const Anope::string &modname, const Anope::string &creator) : Module(modname, creator, EXTRA | VENDOR)
, service(this, "ssl")
{
me = this;
this->SetPermanent(true);
SSL_library_init();
SSL_load_error_strings();
client_ctx = SSL_CTX_new(SSLv23_client_method());
server_ctx = SSL_CTX_new(SSLv23_server_method());
if (!client_ctx || !server_ctx)
throw ModuleException("Error initializing SSL CTX");
long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(client_ctx, opts);
SSL_CTX_set_options(server_ctx, opts);
SSL_CTX_set_mode(client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_mode(server_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
Anope::string context_name = "Anope";
SSL_CTX_set_session_id_context(client_ctx, reinterpret_cast<const unsigned char *>(context_name.c_str()), context_name.length());
SSL_CTX_set_session_id_context(server_ctx, reinterpret_cast<const unsigned char *>(context_name.c_str()), context_name.length());
}
int
tls_configure_ssl(struct tls *ctx)
{
SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
if (ctx->config->ciphers != NULL) {
if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
ctx->config->ciphers) != 1) {
tls_set_errorx(ctx, "failed to set ciphers");
goto err;
}
}
SSL_CTX_set_info_callback(ctx->ssl_ctx, tls_info_callback);
return (0);
err:
return (-1);
}
/*
* Setup SSL/TLS context.
*/
static void init_ssl_ctx(SSL_CTX *ssl_ctx)
{
/* Disable SSLv2 and enable all workarounds for buggy servers */
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
/* Set NPN callback */
SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
}
static inline int tls_setup(shout_tls_t *tls)
{
SSL_METHOD *meth;
SSL_library_init();
SSL_load_error_strings();
SSLeay_add_all_algorithms();
SSLeay_add_ssl_algorithms();
meth = TLSv1_client_method();
if (!meth)
goto error;
tls->ssl_ctx = SSL_CTX_new(meth);
if (!tls->ssl_ctx)
goto error;
SSL_CTX_set_default_verify_paths(tls->ssl_ctx);
SSL_CTX_load_verify_locations(tls->ssl_ctx, tls->ca_file, tls->ca_directory);
SSL_CTX_set_verify(tls->ssl_ctx, SSL_VERIFY_NONE, NULL);
if (tls->client_certificate) {
if (SSL_CTX_use_certificate_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1)
goto error;
if (SSL_CTX_use_PrivateKey_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1)
goto error;
}
if (SSL_CTX_set_cipher_list(tls->ssl_ctx, tls->allowed_ciphers) <= 0)
goto error;
SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_AUTO_RETRY);
tls->ssl = SSL_new(tls->ssl_ctx);
if (!tls->ssl)
goto error;
if (!SSL_set_fd(tls->ssl, tls->socket))
goto error;
SSL_set_tlsext_host_name(tls->ssl, tls->host);
SSL_set_connect_state(tls->ssl);
tls->ssl_ret = SSL_connect(tls->ssl);
return SHOUTERR_SUCCESS;
error:
if (tls->ssl)
SSL_free(tls->ssl);
if (tls->ssl_ctx)
SSL_CTX_free(tls->ssl_ctx);
return SHOUTERR_UNSUPPORTED;
}
/*
* Setup SSL context. We pass |spdy_proto_version| to get negotiated
* SPDY protocol version in NPN callback.
*/
void
spdy_ssl_init_ssl_ctx(SSL_CTX *ssl_ctx,
uint16_t *spdy_proto_version)
{
/* Disable SSLv2 and enable all workarounds for buggy servers */
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
/* Set NPN callback */
SSL_CTX_set_next_proto_select_cb(ssl_ctx, spdy_cb_ssl_select_next_proto,
spdy_proto_version);
}
int
tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
{
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
if (ctx->config->alpn != NULL) {
if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
ctx->config->alpn_len) != 0) {
tls_set_errorx(ctx, "failed to set alpn");
goto err;
}
}
if (ctx->config->ciphers != NULL) {
if (SSL_CTX_set_cipher_list(ssl_ctx,
ctx->config->ciphers) != 1) {
tls_set_errorx(ctx, "failed to set ciphers");
goto err;
}
}
if (ctx->config->verify_time == 0) {
X509_VERIFY_PARAM_set_flags(ssl_ctx->param,
X509_V_FLAG_NO_CHECK_TIME);
}
/* Disable any form of session caching by default */
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
return (0);
err:
return (-1);
}
/**
* cURL SSL setup callback
*
* \param curl_handle The curl handle to perform the ssl operation on.
* \param _sslctx The ssl context.
* \param parm The callback context.
* \return A curl result code.
*/
static CURLcode
fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
{
struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
SSL_CTX *sslctx = _sslctx;
long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
/* set verify callback for each certificate in chain */
SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, fetch_curl_verify_callback);
/* set callback used to verify certificate chain */
SSL_CTX_set_cert_verify_callback(sslctx,
fetch_curl_cert_verify_callback,
parm);
if (f->downgrade_tls) {
/* Disable TLS 1.1/1.2 if the server can't cope with them */
#ifdef SSL_OP_NO_TLSv1_1
options |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
options |= SSL_OP_NO_TLSv1_2;
#endif
#ifdef SSL_MODE_SEND_FALLBACK_SCSV
/* Ensure server rejects the connection if downgraded too far */
SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
}
SSL_CTX_set_options(sslctx, options);
return CURLE_OK;
}
int evt_ctx_init(evt_ctx_t *tls)
{
tls_begin();
//Currently we support only TLS, No DTLS
tls->ctx = SSL_CTX_new(SSLv23_method());
if(!tls->ctx) {
return ENOMEM;
}
long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
SSL_CTX_set_options(tls->ctx, options);
SSL_CTX_set_mode(tls->ctx, SSL_MODE_AUTO_RETRY |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_RELEASE_BUFFERS
);
tls->cert_set = 0;
tls->key_set = 0;
tls->ssl_err_ = 0;
tls->writer = NULL;
QUEUE_INIT(&(tls->live_con));
return 0;
}
static int ssl_setup(git_transport *t, const char *host)
{
int ret;
SSL_library_init();
SSL_load_error_strings();
t->ssl.ctx = SSL_CTX_new(SSLv23_method());
if (t->ssl.ctx == NULL)
return ssl_set_error(&t->ssl, 0);
SSL_CTX_set_mode(t->ssl.ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_PEER, NULL);
if (!SSL_CTX_set_default_verify_paths(t->ssl.ctx))
return ssl_set_error(&t->ssl, 0);
t->ssl.ssl = SSL_new(t->ssl.ctx);
if (t->ssl.ssl == NULL)
return ssl_set_error(&t->ssl, 0);
if((ret = SSL_set_fd(t->ssl.ssl, t->socket)) == 0)
return ssl_set_error(&t->ssl, ret);
if ((ret = SSL_connect(t->ssl.ssl)) <= 0)
return ssl_set_error(&t->ssl, ret);
if (t->check_cert && verify_server_cert(t, host) < 0)
return -1;
return 0;
}
BOOL tls_prepare(rdpTls* tls, BIO *underlying, const SSL_METHOD *method, int options, BOOL clientMode)
#endif
{
tls->ctx = SSL_CTX_new(method);
if (!tls->ctx)
{
fprintf(stderr, "%s: SSL_CTX_new failed\n", __FUNCTION__);
return FALSE;
}
SSL_CTX_set_mode(tls->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_options(tls->ctx, options);
SSL_CTX_set_read_ahead(tls->ctx, 1);
tls->bio = BIO_new_rdp_tls(tls->ctx, clientMode);
if (BIO_get_ssl(tls->bio, &tls->ssl) < 0)
{
fprintf(stderr, "%s: unable to retrieve the SSL of the connection\n", __FUNCTION__);
return FALSE;
}
BIO_push(tls->bio, underlying);
return TRUE;
}
static CURLcode sslctxfun( CURL * curl, void * sslctx, void * parm ) {
sslctxparm * p = (sslctxparm *) parm;
SSL_CTX * ctx = (SSL_CTX *) sslctx ;
if ( !SSL_CTX_use_certificate( ctx,p->usercert ) ) {
BIO_printf( p->errorbio, "SSL_CTX_use_certificate problem\n" ); goto err;
}
if ( !SSL_CTX_use_PrivateKey( ctx,p->pkey ) ) {
BIO_printf( p->errorbio, "SSL_CTX_use_PrivateKey\n" ); goto err;
}
if ( !SSL_CTX_check_private_key( ctx ) ) {
BIO_printf( p->errorbio, "SSL_CTX_check_private_key\n" ); goto err;
}
SSL_CTX_set_quiet_shutdown( ctx,1 );
SSL_CTX_set_cipher_list( ctx,"RC4-MD5" );
SSL_CTX_set_mode( ctx, SSL_MODE_AUTO_RETRY );
X509_STORE_add_cert( ctx->cert_store,sk_X509_value( p->ca,sk_X509_num( p->ca ) - 1 ) );
SSL_CTX_set_verify_depth( ctx,2 );
SSL_CTX_set_verify( ctx,SSL_VERIFY_PEER,NULL );
SSL_CTX_set_cert_verify_callback( ctx, ssl_app_verify_callback, parm );
return CURLE_OK ;
err:
ERR_print_errors( p->errorbio );
return CURLE_SSL_CERTPROBLEM;
}
BOOL CSSLTcpSocket::CreateSSLTcpSocketForServer( LPCSTR pszCertFile , LPCSTR pszKeyFile )
{
SSL_load_error_strings(); /*为打印调试信息作准备*/
OpenSSL_add_ssl_algorithms(); /*初始化*/
m_meth = (SSL_METHOD *)TLSv1_server_method(); /*采用什么协议(SSLv2/SSLv3/TLSv1)在此指定,TLSv1_server_method,SSLv23_server_method()*/
m_ctx = SSL_CTX_new (m_meth);
//设置为要求强制校验对方(客户端)证书SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT
SSL_CTX_set_verify(m_ctx,SSL_VERIFY_NONE,NULL); /*验证与否SSL_VERIFY_PEER*/
//SSL_CTX_load_verify_locations(ctx,CACERT,NULL); /*若验证,则放置CA证书*/
if (SSL_CTX_use_certificate_file(m_ctx, pszCertFile, SSL_FILETYPE_PEM) <= 0)
{
printf("加载证书失败!\n");
}
if (SSL_CTX_use_PrivateKey_file(m_ctx, pszKeyFile, SSL_FILETYPE_PEM) <= 0)
{
printf("加载私钥失败!\n");
}
if (!SSL_CTX_check_private_key(m_ctx)) {
printf("密钥证书不匹配!\n");
}
SSL_CTX_set_cipher_list(m_ctx,"DES-CBC3-SHA");
SSL_CTX_set_mode(m_ctx, SSL_MODE_AUTO_RETRY);
return CreateTcpSocket();
}
ape_ssl_t *ape_ssl_init_global_client_ctx()
{
ape_ssl_t *ssl = NULL;
SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
ssl = malloc(sizeof(*ssl));
ssl->ctx = ctx;
ssl->con = NULL;
SSL_CTX_set_options(ssl->ctx, SSL_OP_ALL);
SSL_CTX_set_default_read_ahead(ssl->ctx, 1);
/* see APE_socket_write() ape_socket.c */
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
// SSL_MODE_AUTO_RETRY
if (SSL_CTX_set_cipher_list(ssl->ctx, CIPHER_LIST) <= 0) {
printf("Failed to set cipher\n");
SSL_CTX_free(ctx);
free(ssl);
return NULL;
}
return ssl;
}
tls_t *tls_new(xmpp_ctx_t *ctx, xmpp_sock_t sock)
{
tls_t *tls = xmpp_alloc(ctx, sizeof(*tls));
if (tls) {
int ret;
memset(tls, 0, sizeof(*tls));
tls->ctx = ctx;
tls->sock = sock;
tls->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_client_cert_cb(tls->ssl_ctx, NULL);
SSL_CTX_set_mode (tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_verify (tls->ssl_ctx, SSL_VERIFY_NONE, NULL);
tls->ssl = SSL_new(tls->ssl_ctx);
ret = SSL_set_fd(tls->ssl, sock);
if (ret <= 0) {
tls->lasterror = SSL_get_error(tls->ssl, ret);
tls_error(tls);
tls_free(tls);
tls = NULL;
}
}
return tls;
}
int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
/*
* Load SSLv{2,3} and TLSv1 so that we can talk with servers
* which use the SSL hellos, which are often used for
* compatibility. We then disable SSL so we only allow OpenSSL
* to speak TLSv1 to perform the encryption itself.
*/
git__ssl_ctx = SSL_CTX_new(SSLv23_method());
SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
SSL_CTX_free(git__ssl_ctx);
git__ssl_ctx = NULL;
return -1;
}
#endif
git__on_shutdown(shutdown_ssl);
return 0;
}
wi_socket_tls_t * wi_socket_tls_init_with_type(wi_socket_tls_t *tls, wi_socket_tls_type_t type) {
SSL_METHOD *method;
switch(type) {
default:
case WI_SOCKET_TLS_CLIENT:
method = TLSv1_client_method();
break;
case WI_SOCKET_TLS_SERVER:
method = TLSv1_server_method();
break;
}
tls->ssl_ctx = SSL_CTX_new(method);
if(!tls->ssl_ctx) {
wi_error_set_openssl_error();
wi_release(NULL);
return NULL;
}
SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_quiet_shutdown(tls->ssl_ctx, 1);
return tls;
}
static CURLcode sslctxfun(CURL * curl, void * sslctx, void * parm)
{
sslctxparm * p = (sslctxparm *) parm;
SSL_CTX * ctx = (SSL_CTX *) sslctx ;
fprintf(stderr,"sslctxfun start curl=%p ctx=%p parm=%p\n",
(void *)curl,(void *)ctx,(void *)p);
SSL_CTX_set_quiet_shutdown(ctx,1);
SSL_CTX_set_cipher_list(ctx,"RC4-MD5");
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
/* one might assume that the cert validaton would not fail when setting this,
but it still does, see the error handling in the call back */
SSL_CTX_set_verify_depth(ctx,0);
SSL_CTX_set_verify(ctx,SSL_VERIFY_NONE,ZERO_NULL);
#if OPENSSL_VERSION_NUMBER<0x00907000L
/* in newer openssl versions we can set a parameter for the call back. */
fprintf(stderr,"This version %s of openssl does not support a parm,"
" setting global one\n", OPENSSL_VERSION_TEXT);
/* this is only done to support 0.9.6 version */
globalparm = parm;
/* in 0.9.6 the parm is not taken */
#endif
SSL_CTX_set_cert_verify_callback(ctx, ssl_app_verify_callback, parm);
fprintf(stderr,"sslctxfun end\n");
return CURLE_OK ;
}
static int openssl_ssl_ctx_mode(lua_State*L)
{
SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx");
int mode = 0;
int ret;
int i;
if (!lua_isnoneornil(L, 2))
{
int clear = lua_isboolean(L, 2) ? lua_toboolean(L, 2) : 0;
i = lua_isboolean(L, 2) ? 3 : 2;
while (i <= lua_gettop(L))
{
mode = mode | auxiliar_checkoption(L, i++, NULL, sMode_options, iMode_options);
}
if (clear != 0)
mode = SSL_CTX_set_mode(ctx, mode);
else
mode = SSL_CTX_clear_mode(ctx, mode);
}
else
mode = SSL_CTX_get_mode(ctx);
ret = 0;
for (i = 0; i < sizeof(iMode_options) / sizeof(int); i++)
{
if (mode & iMode_options[i])
{
lua_pushstring(L, sMode_options[i]);
ret++;
}
}
return ret;
};
SSL_CTX *ssl_init() {
SSL_CTX *ctx = NULL;
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
ssl_data_index = SSL_get_ex_new_index(0,0,0,0,0);
if ((locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t)))) {
for (int i = 0; i < CRYPTO_num_locks(); i++) {
pthread_mutex_init(&locks[i], NULL);
}
CRYPTO_set_locking_callback(ssl_lock);
CRYPTO_set_id_callback(ssl_id);
if ((ctx = SSL_CTX_new(SSLv23_client_method()))) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_verify_depth(ctx, 0);
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
SSL_CTX_sess_set_new_cb(ctx, new_session_callback);
SSL_CTX_set_info_callback(ctx, ssl_info_callback);
}
}
return ctx;
}
BOOL tls_prepare(rdpTls* tls, BIO *underlying, const SSL_METHOD *method, int options, BOOL clientMode)
#endif
{
tls->ctx = SSL_CTX_new(method);
if (!tls->ctx)
{
DEBUG_WARN( "%s: SSL_CTX_new failed\n", __FUNCTION__);
return FALSE;
}
SSL_CTX_set_mode(tls->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_options(tls->ctx, options);
SSL_CTX_set_read_ahead(tls->ctx, 1);
if (tls->settings->PermittedTLSCiphers) {
if(!SSL_CTX_set_cipher_list(tls->ctx, tls->settings->PermittedTLSCiphers)) {
DEBUG_WARN( "SSL_CTX_set_cipher_list %s failed\n", tls->settings->PermittedTLSCiphers);
return FALSE;
}
}
tls->bio = BIO_new_rdp_tls(tls->ctx, clientMode);
if (BIO_get_ssl(tls->bio, &tls->ssl) < 0)
{
DEBUG_WARN( "%s: unable to retrieve the SSL of the connection\n", __FUNCTION__);
return FALSE;
}
BIO_push(tls->bio, underlying);
return TRUE;
}
static int ssl_setup(gitno_socket *socket, const char *host, int flags)
{
int ret;
SSL_library_init();
SSL_load_error_strings();
socket->ssl.ctx = SSL_CTX_new(SSLv23_method());
if (socket->ssl.ctx == NULL)
return ssl_set_error(&socket->ssl, 0);
SSL_CTX_set_mode(socket->ssl.ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(socket->ssl.ctx, SSL_VERIFY_NONE, NULL);
if (!SSL_CTX_set_default_verify_paths(socket->ssl.ctx))
return ssl_set_error(&socket->ssl, 0);
socket->ssl.ssl = SSL_new(socket->ssl.ctx);
if (socket->ssl.ssl == NULL)
return ssl_set_error(&socket->ssl, 0);
if((ret = SSL_set_fd(socket->ssl.ssl, socket->socket)) == 0)
return ssl_set_error(&socket->ssl, ret);
if ((ret = SSL_connect(socket->ssl.ssl)) <= 0)
return ssl_set_error(&socket->ssl, ret);
if (GITNO_CONNECT_SSL_NO_CHECK_CERT & flags)
return 0;
return verify_server_cert(&socket->ssl, host);
}
static herror_t
_hssl_server_context_init(void)
{
log_verbose3("enabled=%i, certificate=%p", enabled, certificate);
if (!enabled || !certificate)
return H_OK;
if (!(context = SSL_CTX_new(SSLv23_method())))
{
log_error1("Cannot create SSL context");
return herror_new("_hssl_server_context_init", HSSL_ERROR_CONTEXT,
"Unable to create SSL context");
}
if (!(SSL_CTX_use_certificate_file(context, certificate, SSL_FILETYPE_PEM)))
{
log_error2("Cannot read certificate file: \"%s\"", certificate);
SSL_CTX_free(context);
return herror_new("_hssl_server_context_init", HSSL_ERROR_CERTIFICATE,
"Unable to use SSL certificate \"%s\"", certificate);
}
SSL_CTX_set_default_passwd_cb(context, _hssl_password_callback);
if (!(SSL_CTX_use_PrivateKey_file(context, certificate, SSL_FILETYPE_PEM)))
{
log_error2("Cannot read key file: \"%s\"", certificate);
SSL_CTX_free(context);
return herror_new("_hssl_server_context_init", HSSL_ERROR_PEM,
"Unable to use private key");
}
if (ca_list != NULL && *ca_list != '\0')
{
if (!(SSL_CTX_load_verify_locations(context, ca_list, NULL)))
{
SSL_CTX_free(context);
log_error2("Cannot read CA list: \"%s\"", ca_list);
return herror_new("_hssl_server_context_init", HSSL_ERROR_CA_LIST,
"Unable to read certification authorities \"%s\"");
}
SSL_CTX_set_client_CA_list(context, SSL_load_client_CA_file(ca_list));
log_verbose1("Certification authority contacted");
}
SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
_hssl_cert_verify_callback);
log_verbose1("Certificate verification callback registered");
SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
_hssl_superseed();
return H_OK;
}
void conn_init_ssl(void)
{
SSL_library_init();
SSL_load_error_strings();
global_ssl_context = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_mode(global_ssl_context,
SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
}
bool
ConnSSL_InitLibrary( void )
{
#ifdef HAVE_LIBSSL
SSL_CTX *newctx;
if (!ssl_ctx) {
SSL_library_init();
SSL_load_error_strings();
}
if (!RAND_status()) {
Log(LOG_ERR, "OpenSSL PRNG not seeded: /dev/urandom missing?");
/*
* it is probably best to fail and let the user install EGD or a similar program if no kernel random device is available.
* According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7";
* so it makes little sense to deal with PRNGD seeding ourselves.
*/
return false;
}
newctx = SSL_CTX_new(SSLv23_method());
if (!newctx) {
LogOpenSSLError("SSL_CTX_new()", NULL);
return false;
}
if (!ConnSSL_LoadServerKey_openssl(newctx))
goto out;
SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_free(ssl_ctx);
ssl_ctx = newctx;
Log(LOG_INFO, "%s initialized.", SSLeay_version(SSLEAY_VERSION));
return true;
out:
SSL_CTX_free(newctx);
return false;
#endif
#ifdef HAVE_LIBGNUTLS
int err;
static bool initialized;
if (initialized) /* TODO: cannot reload gnutls keys: can't simply free x509 context -- it may still be in use */
return false;
err = gnutls_global_init();
if (err) {
Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(err));
return false;
}
if (!ConnSSL_LoadServerKey_gnutls())
return false;
Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL));
initialized = true;
return true;
#endif
}
SSLManager::SSLManager(const Params& params) :
_validateCertificates(false),
_weakValidation(params.weakCertificateValidation) {
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
if (params.fipsMode) {
_setupFIPS();
}
// Add all digests and ciphers to OpenSSL's internal table
// so that encryption/decryption is backwards compatible
OpenSSL_add_all_algorithms();
_context = SSL_CTX_new(SSLv23_method());
massert(15864,
mongoutils::str::stream() << "can't create SSL Context: " <<
_getSSLErrorMessage(ERR_get_error()),
_context);
// Activate all bug workaround options, to support buggy client SSL's.
SSL_CTX_set_options(_context, SSL_OP_ALL);
// If renegotiation is needed, don't return from recv() or send() until it's successful.
// Note: this is for blocking sockets only.
SSL_CTX_set_mode(_context, SSL_MODE_AUTO_RETRY);
// Set context within which session can be reused
int status = SSL_CTX_set_session_id_context(
_context,
static_cast<unsigned char*>(static_cast<void*>(&_context)),
sizeof(_context));
if (!status) {
uasserted(16768,"ssl initialization problem");
}
SSLThreadInfo::init();
SSLThreadInfo::get();
if (!params.pemfile.empty()) {
if (!_setupPEM(params.pemfile, params.pempwd)) {
uasserted(16562, "ssl initialization problem");
}
}
if (!params.cafile.empty()) {
// Set up certificate validation with a certificate authority
if (!_setupCA(params.cafile)) {
uasserted(16563, "ssl initialization problem");
}
}
if (!params.crlfile.empty()) {
if (!_setupCRL(params.crlfile)) {
uasserted(16582, "ssl initialization problem");
}
}
}
/*
* Enable SSL on a connection.
*/
int
fetch_ssl(conn_t *conn, int verbose)
{
#ifdef WITH_SSL
int ret, ssl_err;
/* Init the SSL library and context */
if (!SSL_library_init()){
fprintf(stderr, "SSL library init failed\n");
return (-1);
}
SSL_load_error_strings();
conn->ssl_meth = SSLv23_client_method();
conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
conn->ssl = SSL_new(conn->ssl_ctx);
if (conn->ssl == NULL){
fprintf(stderr, "SSL context creation failed\n");
return (-1);
}
SSL_set_fd(conn->ssl, conn->sd);
while ((ret = SSL_connect(conn->ssl)) == -1) {
ssl_err = SSL_get_error(conn->ssl, ret);
if (ssl_err != SSL_ERROR_WANT_READ &&
ssl_err != SSL_ERROR_WANT_WRITE) {
ERR_print_errors_fp(stderr);
return (-1);
}
}
if (verbose) {
X509_NAME *name;
char *str;
fprintf(stderr, "SSL connection established using %s\n",
SSL_get_cipher(conn->ssl));
conn->ssl_cert = SSL_get_peer_certificate(conn->ssl);
name = X509_get_subject_name(conn->ssl_cert);
str = X509_NAME_oneline(name, 0, 0);
printf("Certificate subject: %s\n", str);
free(str);
name = X509_get_issuer_name(conn->ssl_cert);
str = X509_NAME_oneline(name, 0, 0);
printf("Certificate issuer: %s\n", str);
free(str);
}
return (0);
#else
(void)conn;
(void)verbose;
fprintf(stderr, "SSL support disabled\n");
return (-1);
#endif
}
Context(SSL_CTX* context)
: ctx(context)
{
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
const unsigned char session_id[] = "inspircd";
SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1);
}
bool SSLManager::_initSSLContext(SSL_CTX** context, const Params& params) {
*context = SSL_CTX_new(SSLv23_method());
massert(15864,
mongoutils::str::stream() << "can't create SSL Context: " <<
getSSLErrorMessage(ERR_get_error()),
context);
// SSL_OP_ALL - Activate all bug workaround options, to support buggy client SSL's.
// SSL_OP_NO_SSLv2 - Disable SSL v2 support
SSL_CTX_set_options(*context, SSL_OP_ALL|SSL_OP_NO_SSLv2);
// If renegotiation is needed, don't return from recv() or send() until it's successful.
// Note: this is for blocking sockets only.
SSL_CTX_set_mode(*context, SSL_MODE_AUTO_RETRY);
// Set context within which session can be reused
int status = SSL_CTX_set_session_id_context(
*context,
static_cast<unsigned char*>(static_cast<void*>(context)),
sizeof(*context));
if (!status) {
error() << "failed to set session id context: " <<
getSSLErrorMessage(ERR_get_error()) << endl;
return false;
}
// Use the clusterfile for internal outgoing SSL connections if specified
if (context == &_clientContext && !params.clusterfile.empty()) {
EVP_set_pw_prompt("Enter cluster certificate passphrase");
if (!_setupPEM(*context, params.clusterfile, params.clusterpwd)) {
return false;
}
}
// Use the pemfile for everything else
else if (!params.pemfile.empty()) {
EVP_set_pw_prompt("Enter PEM passphrase");
if (!_setupPEM(*context, params.pemfile, params.pempwd)) {
return false;
}
}
if (!params.cafile.empty()) {
// Set up certificate validation with a certificate authority
if (!_setupCA(*context, params.cafile)) {
return false;
}
}
if (!params.crlfile.empty()) {
if (!_setupCRL(*context, params.crlfile)) {
return false;
}
}
return true;
}
int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
const char *ciphers = git_libgit2__ssl_ciphers();
/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
#else
OPENSSL_init_ssl(0, NULL);
#endif
/*
* Load SSLv{2,3} and TLSv1 so that we can talk with servers
* which use the SSL hellos, which are often used for
* compatibility. We then disable SSL so we only allow OpenSSL
* to speak TLSv1 to perform the encryption itself.
*/
git__ssl_ctx = SSL_CTX_new(SSLv23_method());
SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
SSL_CTX_free(git__ssl_ctx);
git__ssl_ctx = NULL;
return -1;
}
if (!ciphers) {
ciphers = GIT_SSL_DEFAULT_CIPHERS;
}
if(!SSL_CTX_set_cipher_list(git__ssl_ctx, ciphers)) {
SSL_CTX_free(git__ssl_ctx);
git__ssl_ctx = NULL;
return -1;
}
if (init_bio_method() < 0) {
SSL_CTX_free(git__ssl_ctx);
git__ssl_ctx = NULL;
return -1;
}
#endif
git__on_shutdown(shutdown_ssl);
return 0;
}