void ConnectionManager(ServerGame& aGame, Ogre::String aAddress, int32 aPort) { LOG(INFO) << "Init SRP"; boost::asio::ssl::context sslCtx(boost::asio::ssl::context::tlsv1_server); SSL_CTX* ctx = sslCtx.native_handle(); SSL_CTX_set_info_callback(ctx, SSLInfoCallback); SSL_CTX_SRP_CTX_init(ctx); if (SSL_CTX_set_cipher_list(ctx, "SRP") != 1) { LOG(ERROR) << "Can not set SRP ciphers"; return; } SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_srp_username_callback(ctx, SSLSRPServerParamCallback); AddUser("test", "test"); LOG(INFO) << "Listening to " << aAddress << ":" << aPort; boost::asio::io_service IOService; boost::asio::ip::tcp::acceptor gate(IOService, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), aPort)); while (true) { SSLStreamPtr sslStream(new SSLStream(IOService, sslCtx)); gate.accept(sslStream->lowest_layer()); boost::thread thrd(boost::bind(ClientConnection, boost::ref(aGame), sslStream)); } }
/* * This starts a minimal TLS server that only does a * handshake and then closes the connection. This is * strictly used to test TLS session negotiation * behavior with EST. */ static void us1060_start_tls_server (char *cipherstring) { BIO *conn; BIO *listener; BIO *berr; char h_p[25]; SSL *ssl; SSL_CTX *ssl_ctx = NULL; int nid, rv; EC_KEY *ecdh = NULL; berr = BIO_new_fp(stderr, BIO_NOCLOSE); ssl_ctx = SSL_CTX_new(SSLv23_server_method()); if (!ssl_ctx) { printf("Failed to create SSL context\n"); ERR_print_errors(berr); return; } SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); if (SSL_CTX_use_certificate_chain_file(ssl_ctx, US1060_RSA_CERT) != 1) { printf("Failed to load server certificate\n"); ERR_print_errors(berr); return; } if (SSL_CTX_use_PrivateKey_file(ssl_ctx, US1060_RSA_KEY, SSL_FILETYPE_PEM) != 1) { printf("Failed to load server private key\n"); ERR_print_errors(berr); return; } SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET); nid = OBJ_sn2nid("prime256v1"); ecdh = EC_KEY_new_by_curve_name(nid); if (ecdh == NULL) { printf("Failed to retreive ECDH curve\n"); ERR_print_errors(berr); return; } SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh); EC_KEY_free(ecdh); if (SSL_CTX_set_cipher_list(ssl_ctx, cipherstring) != 1) { printf("Failed to set server cipher list\n"); ERR_print_errors(berr); return; } SSL_CTX_set_srp_username_callback(ssl_ctx, us1060_srp_cb); sprintf(h_p, "%s:%d", US1060_SERVER_IP, US1060_TLS_PORT); listener = BIO_new_accept(h_p); if (listener == NULL) { printf("IP connection failed\n"); return; } BIO_set_bind_mode(listener, BIO_BIND_REUSEADDR); /* * The first call to do_accept binds the socket */ if (BIO_do_accept(listener) <= 0) { printf("TCP bind failed\n"); BIO_free_all(listener); return; } /* * The second call to do_accept waits for a new * connection request on the listener. * Note that we are in blocking mode for this socket */ if (BIO_do_accept(listener) <= 0) { printf("TCP accept failed\n"); BIO_free_all(listener); return; } conn = BIO_pop(listener); ssl = SSL_new(ssl_ctx); SSL_set_bio(ssl, conn, conn); /* * Now that we have everything ready, let's start waiting for * a client to contact us. Normally we might using a pthread * or some other construct to avoid blocking on the main * thread while waiting for an incoming connection. This * code is simply a contrived example, we will wait on the * main thread for an incoming connection. */ rv = SSL_accept(ssl); if (rv <= 0) { printf("\nFailed to complete TLS handshake %d\n", rv); ERR_print_errors(berr); } SSL_shutdown(ssl); SSL_free(ssl); SSL_CTX_free(ssl_ctx); BIO_free(berr); (void)BIO_reset(listener); BIO_free_all(listener); pthread_exit(0); }
int LLVMFuzzerInitialize(int* argc, char*** argv) { rand_predictable = 1; SSL_library_init(); OpenSSL_add_ssl_algorithms(); ERR_load_crypto_strings(); if (RAND_reset_for_fuzzing) RAND_reset_for_fuzzing(); ctx = SSL_CTX_new(SSLv23_method()); const uint8_t* bufp = kRSAPrivateKeyDER; RSA* privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER)); assert(privkey != NULL); EVP_PKEY* pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, privkey); int ret = SSL_CTX_use_PrivateKey(ctx, pkey); assert(ret == 1); EVP_PKEY_free(pkey); bufp = kCertificateDER; X509* cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER)); assert(cert != NULL); ret = SSL_CTX_use_certificate(ctx, cert); assert(ret == 1); X509_free(cert); ret = SSL_CTX_set_cipher_list(ctx, "ALL:eNULL:aNULL:DSS"); assert(ret == 1); X509_STORE* store = X509_STORE_new(); assert(store != NULL); bufp = kRSACACertDER; cert = d2i_X509(NULL, &bufp, sizeof(kRSACACertDER)); assert(cert != NULL); ret = SSL_CTX_add_client_CA(ctx, cert); assert(ret == 1); ret = X509_STORE_add_cert(store, cert); assert(ret == 1); X509_free(cert); bufp = kECCACertDER; cert = d2i_X509(NULL, &bufp, sizeof(kECCACertDER)); assert(cert != NULL); ret = SSL_CTX_add_client_CA(ctx, cert); assert(ret == 1); ret = X509_STORE_add_cert(store, cert); assert(ret == 1); X509_free(cert); bufp = kDSACertDER; cert = d2i_X509(NULL, &bufp, sizeof(kDSACertDER)); ret = SSL_CTX_add_client_CA(ctx, cert); assert(ret == 1); ret = X509_STORE_add_cert(store, cert); assert(ret == 1); X509_free(cert); SSL_CTX_set_cert_store(ctx, store); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL); SSL_CTX_set_verify_depth(ctx, 10); #if !defined(LIBRESSL_VERSION_NUMBER) SSL_CTX_set_psk_server_callback(ctx, psk_callback); ret = SSL_CTX_use_psk_identity_hint(ctx, "ABCDEFUZZ"); assert(ret == 1); #endif /* !defined(LIBRESSL_VERSION_NUMBER) */ #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION) ret = SSL_CTX_set_srp_username_callback(ctx, srp_callback); assert(ret == 1); ret = SSL_CTX_set_srp_cb_arg(ctx, NULL); assert(ret == 1); #endif /* !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION) */ SSL_CTX_set_alpn_select_cb(ctx, alpn_callback, NULL); SSL_CTX_set_next_protos_advertised_cb(ctx, npn_callback, NULL); SSL_CTX_set_ecdh_auto(ctx, 1); return 1; }