int ssl_init(void) { /* init SSL before parsing configuration file */
SSL_load_error_strings();
SSL_library_init();
index_cli=SSL_get_ex_new_index(0, "cli index",
NULL, NULL, NULL);
index_opt=SSL_CTX_get_ex_new_index(0, "opt index",
NULL, NULL, NULL);
index_redirect=SSL_SESSION_get_ex_new_index(0, "redirect index",
NULL, NULL, NULL);
index_addr=SSL_SESSION_get_ex_new_index(0, "addr index",
NULL, NULL, cb_free);
if(index_cli<0 || index_opt<0 || index_redirect<0 || index_addr<0) {
s_log(LOG_ERR, "Application specific data initialization failed");
return 1;
}
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
#endif
#ifndef OPENSSL_NO_DH
dh_params=get_dh2048();
if(!dh_params) {
s_log(LOG_ERR, "Failed to get default DH parameters");
return 1;
}
#endif /* OPENSSL_NO_DH */
return 0;
}
static int get_ssl_session_cache_index(void)
{
static int index = -1;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_lock(&mutex);
if (index == -1) {
index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, on_dispose_ssl_ctx_ex_data);
assert(index != -1);
}
pthread_mutex_unlock(&mutex);
return index;
}
int
lws_context_init_ssl_library(struct lws_context_creation_info *info)
{
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
lwsl_notice(" Compiled with CyaSSL support\n");
#else
lwsl_notice(" Compiled with wolfSSL support\n");
#endif
#else
#if defined(LWS_USE_POLARSSL)
lwsl_notice(" Compiled with PolarSSL support\n");
#else
#if defined(LWS_USE_MBEDTLS)
lwsl_notice(" Compiled with mbedTLS support\n");
#else
lwsl_notice(" Compiled with OpenSSL support\n");
#endif
#endif
#endif
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) {
lwsl_notice(" SSL disabled: no LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n");
return 0;
}
/* basic openssl init */
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
openssl_websocket_private_data_index =
SSL_get_ex_new_index(0, "lws", NULL, NULL, NULL);
openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0,
NULL, NULL, NULL, NULL);
#endif
#endif
return 0;
}
void bb_socket_ssl(struct bb_acceptor *acceptor) {
if (!blastbeat.ssl_initialized) {
OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
blastbeat.ssl_initialized = 1;
blastbeat.ssl_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
}
acceptor->ctx = SSL_CTX_new(SSLv23_server_method());
if (!acceptor->ctx) {
fprintf(stderr, "unable to initialize SSL context: SSL_CTX_new()");
exit(1);
}
long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
// disable compression (if possibile)
#ifdef SSL_OP_NO_COMPRESSION
ssloptions |= SSL_OP_NO_COMPRESSION;
#endif
SSL_CTX_set_options(acceptor->ctx, ssloptions);
// release/reuse buffers as soon as possibile
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(acceptor->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
if (SSL_CTX_set_cipher_list(acceptor->ctx, "HIGH") == 0) {
fprintf(stderr,"unable to set SSL ciphers: SSL_CTX_set_cipher_list()");
exit(1);
}
SSL_CTX_set_options(acceptor->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_info_callback(acceptor->ctx, bb_ssl_info_cb);
#ifdef OPENSSL_NPN_UNSUPPORTED
SSL_CTX_set_next_protos_advertised_cb(acceptor->ctx, bb_ssl_npn, NULL);
#endif
SSL_CTX_set_session_cache_mode(acceptor->ctx, SSL_SESS_CACHE_SERVER);
acceptor->read = bb_ssl_read;
acceptor->write = bb_ssl_write;
}
int
lws_context_init_ssl_library(const struct lws_context_creation_info *info)
{
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
lwsl_info(" Compiled with CyaSSL support\n");
#else
lwsl_info(" Compiled with wolfSSL support\n");
#endif
#else
#if defined(LWS_WITH_BORINGSSL)
lwsl_info(" Compiled with BoringSSL support\n");
#else
lwsl_info(" Compiled with OpenSSL support\n");
#endif
#endif
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) {
lwsl_info(" SSL disabled: no "
"LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n");
return 0;
}
/* basic openssl init */
lwsl_info("Doing SSL library init\n");
#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
#else
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
#endif
#if defined(LWS_WITH_NETWORK)
openssl_websocket_private_data_index =
SSL_get_ex_new_index(0, "lws", NULL, NULL, NULL);
openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0,
NULL, NULL, NULL, NULL);
#endif
return 0;
}
void bb_socket_ssl(struct bb_acceptor *acceptor) {
if (!blastbeat.ssl_initialized) {
OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
blastbeat.ssl_initialized = 1;
blastbeat.ssl_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
}
acceptor->ctx = bb_new_ssl_ctx();
if (!acceptor->ctx) {
exit(1);
}
acceptor->read = bb_ssl_read;
acceptor->write = bb_ssl_write;
}
bud_error_t bud_config_init(bud_config_t* config) {
bud_error_t err;
int i;
int r;
/* Get addresses of frontend and backend */
r = bud_config_str_to_addr(config->frontend.host,
config->frontend.port,
&config->frontend.addr);
if (r != 0)
return bud_error_num(kBudErrPton, r);
for (i = 0; i < config->frontend.interface.count; i++) {
bud_config_addr_t* addr;
addr = &config->frontend.interface.list[i];
r = bud_config_str_to_addr(addr->host, addr->port, &addr->addr);
if (r != 0)
return bud_error_num(kBudErrPton, r);
}
err = bud_config_format_proxyline(config);
if (!bud_is_ok(err))
return err;
i = 0;
config->balance_e = bud_config_balance_to_enum(config->balance);
/* At least one backend should be present for non-SNI balancing */
if (config->contexts[0].backend.count == 0 &&
config->balance_e != kBudBalanceSNI) {
err = bud_error(kBudErrNoBackend);
goto fatal;
}
/* Get indexes for SSL_set_ex_data()/SSL_get_ex_data() */
if (kBudSSLClientIndex == -1) {
kBudSSLConfigIndex = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
kBudSSLClientIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
kBudSSLSNIIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
kBudSSLTicketKeyIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if (kBudSSLConfigIndex == -1 ||
kBudSSLClientIndex == -1 ||
kBudSSLSNIIndex == -1 ||
kBudSSLTicketKeyIndex == -1) {
err = bud_error(kBudErrNoSSLIndex);
goto fatal;
}
}
#ifndef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
if (config->context_count != 0) {
err = bud_error(kBudErrSNINotSupported);
goto fatal;
}
#endif /* !SSL_CTRL_SET_TLSEXT_SERVERNAME_CB */
/* Allocate workers */
if (!config->is_worker && config->worker_count != 0) {
config->workers = calloc(config->worker_count, sizeof(*config->workers));
if (config->workers == NULL) {
err = bud_error_str(kBudErrNoMem, "workers");
goto fatal;
}
}
/* Initialize logger */
config->logger = bud_logger_new(config, &err);
if (!bud_is_ok(err))
goto fatal;
err = bud_config_init_tracing(&config->trace);
if (!bud_is_ok(err))
goto fatal;
if (config->is_worker || config->worker_count == 0) {
/* Connect to SNI server */
if (config->sni.enabled) {
config->sni.pool = bud_http_pool_new(config,
config->sni.host,
config->sni.port,
&err);
if (config->sni.pool == NULL)
goto fatal;
}
/* Connect to OCSP Stapling server */
if (config->stapling.enabled) {
config->stapling.pool = bud_http_pool_new(config,
config->stapling.host,
config->stapling.port,
&err);
if (config->stapling.pool == NULL)
goto fatal;
}
}
/* Init all contexts */
for (i = 0; i < config->context_count + 1; i++) {
err = bud_context_init(config, &config->contexts[i]);
if (!bud_is_ok(err))
goto fatal;
}
return bud_ok();
fatal:
/* Free all allocated contexts */
do
bud_context_free(&config->contexts[i--]);
while (i >= 0);
return err;
}
void uwsgi_opt_https2(char *opt, char *value, void *cr) {
struct uwsgi_corerouter *ucr = (struct uwsgi_corerouter *) cr;
char *s2_addr = NULL;
char *s2_cert = NULL;
char *s2_key = NULL;
char *s2_ciphers = NULL;
char *s2_clientca = NULL;
char *s2_spdy = NULL;
if (uwsgi_kvlist_parse(value, strlen(value), ',', '=',
"addr", &s2_addr,
"cert", &s2_cert,
"crt", &s2_cert,
"key", &s2_key,
"ciphers", &s2_ciphers,
"clientca", &s2_clientca,
"client_ca", &s2_clientca,
"spdy", &s2_spdy,
NULL)) {
uwsgi_log("error parsing --https2 option\n");
exit(1);
}
if (!s2_addr || !s2_cert || !s2_key) {
uwsgi_log("--https2 option needs addr, cert and key items\n");
exit(1);
}
struct uwsgi_gateway_socket *ugs = uwsgi_new_gateway_socket(s2_addr, ucr->name);
// ok we have the socket, initialize ssl if required
if (!uwsgi.ssl_initialized) {
uwsgi_ssl_init();
}
// initialize ssl context
char *name = uhttp.https_session_context;
if (!name) {
name = uwsgi_concat3(ucr->short_name, "-", ugs->name);
}
#ifdef UWSGI_SPDY
if (s2_spdy) {
uhttp.spdy_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
uhttp.spdy3_settings = uwsgi_buffer_new(uwsgi.page_size);
if (uwsgi_buffer_append(uhttp.spdy3_settings, "\x80\x03\x00\x04\x01", 5)) goto spdyerror;
if (uwsgi_buffer_u24be(uhttp.spdy3_settings, (8 * 2) + 4)) goto spdyerror;
if (uwsgi_buffer_u32be(uhttp.spdy3_settings, 2)) goto spdyerror;
// SETTINGS_ROUND_TRIP_TIME
if (uwsgi_buffer_append(uhttp.spdy3_settings, "\x01\x00\x00\x03", 4)) goto spdyerror;
if (uwsgi_buffer_u32be(uhttp.spdy3_settings, 30 * 1000)) goto spdyerror;
// SETTINGS_INITIAL_WINDOW_SIZE
if (uwsgi_buffer_append(uhttp.spdy3_settings, "\x01\x00\x00\x07", 4)) goto spdyerror;
if (uwsgi_buffer_u32be(uhttp.spdy3_settings, 8192)) goto spdyerror;
uhttp.spdy3_settings_size = uhttp.spdy3_settings->pos;
}
#endif
ugs->ctx = uwsgi_ssl_new_server_context(name, s2_cert, s2_key, s2_ciphers, s2_clientca);
if (!ugs->ctx) {
exit(1);
}
#ifdef UWSGI_SPDY
if (s2_spdy) {
SSL_CTX_set_info_callback(ugs->ctx, uwsgi_spdy_info_cb);
SSL_CTX_set_next_protos_advertised_cb(ugs->ctx, uwsgi_spdy_npn, NULL);
}
#endif
// set the ssl mode
ugs->mode = UWSGI_HTTP_SSL;
ucr->has_sockets++;
return;
#ifdef UWSGI_SPDY
spdyerror:
uwsgi_log("unable to initialize SPDY settings buffers\n");
exit(1);
#endif
}
int ssl_init(void)
{
hlog(LOG_INFO, "Initializing OpenSSL, built against %s ...", OPENSSL_VERSION_TEXT);
OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();
ssl_thread_setup();
OpenSSL_add_all_algorithms();
load_tqsl_custom_objects();
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef SSL_OP_NO_COMPRESSION
{
/*
* Disable gzip compression in OpenSSL prior to 1.0.0 version,
* this saves about 522K per connection.
*/
int n;
STACK_OF(SSL_COMP) *ssl_comp_methods;
ssl_comp_methods = SSL_COMP_get_compression_methods();
n = sk_SSL_COMP_num(ssl_comp_methods);
while (n--) {
(void) sk_SSL_COMP_pop(ssl_comp_methods);
}
}
#endif
#endif
ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if (ssl_connection_index == -1) {
ssl_error(LOG_ERR, "SSL_get_ex_new_index for connection");
return -1;
}
ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if (ssl_server_conf_index == -1) {
ssl_error(LOG_ERR, "SSL_CTX_get_ex_new_index for conf");
return -1;
}
ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if (ssl_session_cache_index == -1) {
ssl_error(LOG_ERR, "SSL_CTX_get_ex_new_index for session cache");
return -1;
}
ssl_available = 1;
return 0;
}
/* Init and free functions */
qvdclient *qvd_init(const char *hostname, const int port, const char *username, const char *password) {
qvdclient *qvd;
qvd_printf("Starting qvd_init. %s", qvd_get_version_text);
if (strlen(username) + strlen(password) + 2 > MAX_USERPWD) {
qvd_error(qvd, "Length of username and password + 2 is longer than %d\n", MAX_USERPWD);
return NULL;
}
if (strlen(hostname) + 6 + strlen("https:///") + 2 > MAX_BASEURL) {
qvd_error(qvd, "Length of hostname and port + scheme + 2 is longer than %d\n", MAX_BASEURL);
return NULL;
}
if (! (qvd = (qvdclient *) malloc(sizeof(qvdclient)))) {
qvd_error(qvd, "Error allocating memory: %s", strerror(errno));
return NULL;
}
if (snprintf(qvd->userpwd, MAX_USERPWD, "%s:%s", username, password) >= MAX_USERPWD) {
qvd_error(qvd, "Error initializing userpwd (string too long)\n");
free(qvd);
return NULL;
}
if (_qvd_set_base64_auth(qvd)) {
qvd_error(qvd, "Error initializing authdigest\n");
free(qvd);
return NULL;
}
if (snprintf(qvd->baseurl, MAX_BASEURL, "https://%s:%d", hostname, port) >= MAX_BASEURL) {
qvd_error(qvd, "Error initializing baseurl(string too long)\n");
free(qvd);
return NULL;
}
if (snprintf(qvd->useragent, MAX_USERAGENT, "%s %s", DEFAULT_USERAGENT_PRODUCT, curl_version()) >= MAX_USERAGENT) {
qvd_error(qvd, "Error initializing useragent (string too long)\n");
free(qvd);
return NULL;
}
qvd->curl = curl_easy_init();
if (!qvd->curl) {
qvd_error(qvd, "Error initializing curl\n");
free(qvd);
return NULL;
}
qvd_printf("Curl pointer is %p", qvd->curl);
if (get_debug_level()) {
curl_easy_setopt(qvd->curl, CURLOPT_VERBOSE, 1L);
curl_easy_setopt(qvd->curl, CURLOPT_DEBUGFUNCTION, qvd_curl_debug_callback);
}
curl_easy_setopt(qvd->curl, CURLOPT_ERRORBUFFER, qvd->error_buffer); /* curl_easy_setopt(qvd->curl, CURLOPT_SSL_VERIFYPEER, 1L); */
/* curl_easy_setopt(qvd->curl, CURLOPT_SSL_VERIFYHOST, 2L); */
curl_easy_setopt(qvd->curl, CURLOPT_CERTINFO, 1L);
curl_easy_setopt(qvd->curl, CURLOPT_CAPATH, qvd->certpath);
curl_easy_setopt(qvd->curl, CURLOPT_SSL_CTX_FUNCTION, _qvd_sslctxfun);
curl_easy_setopt(qvd->curl, CURLOPT_SSL_CTX_DATA, (void *)qvd);
/* curl_easy_setopt(qvd->curl, CURLOPT_CAINFO, NULL);*/
_qvd_ssl_index = SSL_CTX_get_ex_new_index(0, (void *)qvd, NULL, NULL, NULL);
curl_easy_setopt(qvd->curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(qvd->curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_setopt(qvd->curl, CURLOPT_TCP_NODELAY, 1L);
/* curl_easy_setopt(qvd->curl, CURLOPT_FAILONERROR, 1L);*/
curl_easy_setopt(qvd->curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_BASIC);
curl_easy_setopt(qvd->curl, CURLOPT_USERPWD, qvd->userpwd);
curl_easy_setopt(qvd->curl, CURLOPT_WRITEFUNCTION, _qvd_write_buffer_callback);
curl_easy_setopt(qvd->curl, CURLOPT_WRITEDATA, &(qvd->buffer));
curl_easy_setopt(qvd->curl, CURLOPT_USERAGENT, qvd->useragent);
/* If client certificate CURLOPT_SSLCERT , CURLOPT_SSLKEY, CURLOPT_SSLCERTTYPE "PEM" */
/* Copy parameters */
strncpy(qvd->hostname, hostname, MAX_BASEURL);
qvd->hostname[MAX_BASEURL - 1] = '\0';
qvd->port = port;
strncpy(qvd->username, username, MAX_USERPWD);
qvd->username[MAX_USERPWD - 1] = '\0';
strncpy(qvd->password, password, MAX_USERPWD);
qvd->password[MAX_USERPWD - 1] = '\0';
strncpy(qvd->client_cert, "", MAX_PATH_STRING);
strncpy(qvd->client_key, "", MAX_PATH_STRING);
qvd->use_client_cert = 0;
qvd->numvms = 0;
qvd_set_link(qvd, DEFAULT_LINK);
qvd_set_geometry(qvd, DEFAULT_GEOMETRY);
qvd_set_os(qvd, DEFAULT_OS);
qvd->keyboard = "pc%2F105";
qvd->fullscreen = 0;
qvd->print_enabled = 0;
qvd->ssl_no_cert_check = 0;
qvd->ssl_verify_callback = NULL;
qvd->progress_callback = NULL;
qvd->userdata = NULL;
qvd->nx_options = NULL;
*(qvd->display) = '\0';
*(qvd->home) = '\0';
strcpy(qvd->error_buffer, "");
QvdBufferInit(&(qvd->buffer));
if (!(qvd->vmlist = malloc(sizeof(vmlist)))) {
free(qvd);
return NULL;
}
QvdVmListInit(qvd->vmlist);
return qvd;
}
