static int get_desc(str* res, sip_msg_t* msg)
{
static char buf[128];
struct tcp_connection* c;
SSL* ssl;
c = get_cur_connection(msg);
if (!c) {
INFO("TLS connection not found in select_desc\n");
goto err;
}
ssl = get_ssl(c);
if (!ssl) goto err;
buf[0] = '\0';
SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, 128);
res->s = buf;
res->len = strlen(buf);
tcpconn_put(c);
return 0;
err:
if (c) tcpconn_put(c);
return -1;
}
static const char *
openssl_iostream_get_security_string(struct ssl_iostream *ssl_io)
{
const SSL_CIPHER *cipher;
#ifdef HAVE_SSL_COMPRESSION
const COMP_METHOD *comp;
#endif
const char *comp_str;
int bits, alg_bits;
if (!ssl_io->handshaked)
return "";
cipher = SSL_get_current_cipher(ssl_io->ssl);
bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
#ifdef HAVE_SSL_COMPRESSION
comp = SSL_get_current_compression(ssl_io->ssl);
comp_str = comp == NULL ? "" :
t_strconcat(" ", SSL_COMP_get_name(comp), NULL);
#else
comp_str = "";
#endif
return t_strdup_printf("%s with cipher %s (%d/%d bits)%s",
SSL_get_version(ssl_io->ssl),
SSL_CIPHER_get_name(cipher),
bits, alg_bits, comp_str);
}
int tlsops_cipher(struct sip_msg *msg, pv_param_t *param,
pv_value_t *res)
{
str cipher;
static char buf[1024];
struct tcp_connection* c;
SSL* ssl;
c = get_cur_connection(msg);
if (!c) {
LM_INFO("TLS connection not found in select_cipher\n");
goto err;
}
ssl = get_ssl(c);
if (!ssl) goto err;
cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl));
cipher.len = cipher.s ? strlen(cipher.s) : 0;
if (cipher.len >= 1024) {
LM_ERR("cipher name too long\n");
goto err;
}
memcpy(buf, cipher.s, cipher.len);
res->rs.s = buf;
res->rs.len = cipher.len;
res->flags = PV_VAL_STR;
tcpconn_put(c);
return 0;
err:
if (c) tcpconn_put(c);
return pv_get_null(msg, param, res);
}
size_t DTLS_get_data_mtu(const SSL *s)
{
size_t mac_overhead, int_overhead, blocksize, ext_overhead;
const SSL_CIPHER *ciph = SSL_get_current_cipher(s);
size_t mtu = s->d1->mtu;
if (ciph == NULL)
return 0;
if (!ssl_cipher_get_overhead(ciph, &mac_overhead, &int_overhead,
&blocksize, &ext_overhead))
return 0;
if (SSL_USE_ETM(s))
ext_overhead += mac_overhead;
else
int_overhead += mac_overhead;
/* Subtract external overhead (e.g. IV/nonce, separate MAC) */
if (ext_overhead + DTLS1_RT_HEADER_LENGTH >= mtu)
return 0;
mtu -= ext_overhead + DTLS1_RT_HEADER_LENGTH;
/* Round encrypted payload down to cipher block size (for CBC etc.)
* No check for overflow since 'mtu % blocksize' cannot exceed mtu. */
if (blocksize)
mtu -= (mtu % blocksize);
/* Subtract internal overhead (e.g. CBC padding len byte) */
if (int_overhead >= mtu)
return 0;
mtu -= int_overhead;
return mtu;
}
int tlsops_desc(struct sip_msg *msg, pv_param_t *param,
pv_value_t *res)
{
static char buf[128];
struct tcp_connection* c;
SSL* ssl;
c = get_cur_connection(msg);
if (!c) {
LM_INFO("TLS connection not found in select_desc\n");
goto err;
}
ssl = get_ssl(c);
if (!ssl) goto err;
buf[0] = '\0';
SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, 128);
res->rs.s = buf;
res->rs.len = strlen(buf);
res->flags = PV_VAL_STR;
tcpconn_put(c);
return 0;
err:
if (c) tcpconn_put(c);
return pv_get_null(msg, param, res);
}
static int get_cipher(str* res, sip_msg_t* msg)
{
str cipher;
static char buf[1024];
struct tcp_connection* c;
SSL* ssl;
c = get_cur_connection(msg);
if (!c) {
INFO("TLS connection not found in select_cipher\n");
goto err;
}
ssl = get_ssl(c);
if (!ssl) goto err;
cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl));
cipher.len = cipher.s ? strlen(cipher.s) : 0;
if (cipher.len >= 1024) {
ERR("Cipher name too long\n");
goto err;
}
memcpy(buf, cipher.s, cipher.len);
res->s = buf;
res->len = cipher.len;
tcpconn_put(c);
return 0;
err:
if (c) tcpconn_put(c);
return -1;
}
static int get_bits(str* res, int* i, sip_msg_t* msg)
{
str bits;
int b;
static char buf[1024];
struct tcp_connection* c;
SSL* ssl;
c = get_cur_connection(msg);
if (!c) {
INFO("TLS connection not found in select_bits\n");
goto err;
}
ssl = get_ssl(c);
if (!ssl) goto err;
b = SSL_CIPHER_get_bits(SSL_get_current_cipher(ssl), 0);
bits.s = int2str(b, &bits.len);
if (bits.len >= 1024) {
ERR("Bits string too long\n");
goto err;
}
memcpy(buf, bits.s, bits.len);
res->s = buf;
res->len = bits.len;
if (i) *i = b;
tcpconn_put(c);
return 0;
err:
if (c) tcpconn_put(c);
return -1;
}
static int ssl_socket_open (CONNECTION * conn)
{
sslsockdata *data;
int maxbits;
if (raw_socket_open (conn) < 0)
return -1;
data = (sslsockdata *) safe_calloc (1, sizeof (sslsockdata));
conn->sockdata = data;
data->ctx = SSL_CTX_new (SSLv23_client_method ());
/* disable SSL protocols as needed */
if (!option(OPTTLSV1))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
}
/* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such
* as Fedora 17 are on OpenSSL 1.0.0.
*/
#ifdef SSL_OP_NO_TLSv1_1
if (!option(OPTTLSV1_1))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
}
#endif
#ifdef SSL_OP_NO_TLSv1_2
if (!option(OPTTLSV1_2))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
}
#endif
if (!option(OPTSSLV2))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
}
if (!option(OPTSSLV3))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv3);
}
ssl_get_client_cert(data, conn);
data->ssl = SSL_new (data->ctx);
SSL_set_fd (data->ssl, conn->fd);
if (ssl_negotiate(conn, data))
{
mutt_socket_close (conn);
return -1;
}
data->isopen = 1;
conn->ssf = SSL_CIPHER_get_bits (SSL_get_current_cipher (data->ssl),
&maxbits);
return 0;
}
bool
ConnSSL_GetCipherInfo(CONNECTION *c, char *buf, size_t len)
{
#ifdef HAVE_LIBSSL
char *nl;
SSL *ssl = c->ssl_state.ssl;
if (!ssl)
return false;
*buf = 0;
SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, len);
nl = strchr(buf, '\n');
if (nl)
*nl = 0;
return true;
#endif
#ifdef HAVE_LIBGNUTLS
if (Conn_OPTION_ISSET(c, CONN_SSL)) {
const char *name_cipher, *name_mac, *name_proto, *name_keyexchange;
unsigned keysize;
gnutls_session_t sess = c->ssl_state.gnutls_session;
gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(sess);
name_cipher = gnutls_cipher_get_name(cipher);
name_mac = gnutls_mac_get_name(gnutls_mac_get(sess));
keysize = gnutls_cipher_get_key_size(cipher) * 8;
name_proto = gnutls_protocol_get_name(gnutls_protocol_get_version(sess));
name_keyexchange = gnutls_kx_get_name(gnutls_kx_get(sess));
return snprintf(buf, len, "%s-%s%15s Kx=%s Enc=%s(%u) Mac=%s",
name_cipher, name_mac, name_proto, name_keyexchange, name_cipher, keysize, name_mac) > 0;
}
return false;
#endif
}
static void print_ciphersuite_data(BIO *io, SSL *ssl, int js)
{
SSL_SESSION* session = SSL_get_session(ssl);
long protocol = SSL_version(ssl);
const char *protocol_name = get_protocol_name(protocol);
const char *eol = js ? "\\n\\\n" : "\n";
if(BIO_printf(io, "Version: 0x%lx %s%s", protocol, protocol_name, eol) <= 0)
err_exit("Write error");
if(BIO_printf(io, "Current cipher: %s%s", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)), eol) <= 0)
err_exit("Write error");
STACK_OF(SSL_CIPHER) *ciphers = session->ciphers;
SSL_CIPHER *c;
int n = sk_SSL_CIPHER_num(ciphers);
if(BIO_printf(io, "client sent %d ciphers%s", n, eol) <= 0)
err_exit("Write error");
int i;
for (i = 0; i < n; i++)
{
c = sk_SSL_CIPHER_value(ciphers, i);
if(BIO_printf(io, "client [%2d of %2d]: %s%s", i, n, SSL_CIPHER_get_name(c), eol) <= 0)
err_exit("Write error");
}
}
static int openssl_ssl_current_cipher(lua_State *L)
{
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
const SSL_CIPHER* c = SSL_get_current_cipher(s);
if (c)
{
int bits, algbits;
char err[LUAL_BUFFERSIZE] = {0};;
lua_newtable(L);
AUXILIAR_SET(L, -1, "name", SSL_CIPHER_get_name(c), string);
AUXILIAR_SET(L, -1, "version", SSL_CIPHER_get_version(c), string);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
AUXILIAR_SET(L, -1, "id", SSL_CIPHER_get_id(c), integer);
#endif
bits = SSL_CIPHER_get_bits(c, &algbits);
AUXILIAR_SET(L, -1, "bits", bits, integer);
AUXILIAR_SET(L, -1, "algbits", algbits, integer);
AUXILIAR_SET(L, -1, "description", SSL_CIPHER_description((SSL_CIPHER*)c, err, sizeof(err)), string);
return 1;
}
return 0;
}
static int
tlso_session_strength( tls_session *sess )
{
tlso_session *s = (tlso_session *)sess;
return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
}
const char *OpenSSLQueryCipher(STREAM *S)
{
void *ptr;
if (! S) return(NULL);
ptr=STREAMGetItem(S,"LIBUSEFUL-SSL-CTX");
if (! ptr) return(NULL);
#ifdef HAVE_LIBSSL
const SSL_CIPHER *Cipher;
char *Tempstr=NULL;
Cipher=SSL_get_current_cipher((const SSL *) ptr);
if (Cipher)
{
Tempstr=FormatStr(Tempstr,"%d bit %s",SSL_CIPHER_get_bits(Cipher,NULL), SSL_CIPHER_get_name(Cipher));
STREAMSetValue(S,"SSL-Cipher",Tempstr);
Tempstr=SetStrLen(Tempstr,1024);
Tempstr=SSL_CIPHER_description(Cipher, Tempstr, 1024);
STREAMSetValue(S,"SSL-Cipher-Details",Tempstr);
}
DestroyString(Tempstr);
return(STREAMGetValue(S,"SSL-Cipher"));
#else
return(NULL);
#endif
}
int pn_ssl_get_ssf(pn_ssl_t *ssl0)
{
const SSL_CIPHER *c;
pni_ssl_t *ssl = get_ssl_internal(ssl0);
if (ssl && ssl->ssl && (c = SSL_get_current_cipher( ssl->ssl ))) {
return SSL_CIPHER_get_bits(c, NULL);
}
return 0;
}
static void set_cipher_info(TLS_REC *tls, SSL *ssl)
{
g_return_if_fail(tls != NULL);
g_return_if_fail(ssl != NULL);
tls_rec_set_protocol_version(tls, SSL_get_version(ssl));
tls_rec_set_cipher(tls, SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));
tls_rec_set_cipher_size(tls, SSL_get_cipher_bits(ssl, NULL));
}
MONO_API int
mono_btls_ssl_get_cipher (MonoBtlsSsl *ptr)
{
const SSL_CIPHER *cipher;
cipher = SSL_get_current_cipher (ptr->ssl);
if (!cipher)
return 0;
return (uint16_t)SSL_CIPHER_get_id (cipher);
}
void describeConnection(SSL* ssl)
{
char buff[128];
const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
CHECK(cipher != NULL);
char *desc = SSL_CIPHER_description(cipher,buff,128);
CHECK(desc != NULL);
fprintf(stderr,"renegotiation: %s\n",
SSL_get_secure_renegotiation_support(ssl)?"allowed":"disallowed");
fprintf(stderr,"%s: %s", SSL_get_version(ssl), desc);
}
const char* Connection::currentCipher() const
{
//char desc[512];
//SSL_CIPHER_description(c, desc, sizeof(desc));
//bits = SSL_CIPHER_get_bits(c, &usedBits);
//name = SSL_CIPHER_get_name(c);
//version = SSL_CIPHER_get_version(c);
const SSL_CIPHER* c = SSL_get_current_cipher(_ssl);
const char* name = SSL_CIPHER_get_name(c);
return name;
}
const SSL_CIPHER *RodsConnection::cipherInfo() const
{
// if we have a valid OpenSSL handle
if (this->isSSL())
{
// return pointer to OpenSSL cipher in use
return (SSL_get_current_cipher(this->rodsCommPtr->ssl));
}
// if no SSL, just return NULL
return (NULL);
}
int ssl_check_cert(SSL *ssl, struct conf **confs)
{
X509 *peer;
char tmpbuf[256]="";
const char *ssl_peer_cn=get_string(confs[OPT_SSL_PEER_CN]);
if(!ssl_peer_cn)
{
logp("ssl_peer_cn not set.\n");
return -1;
}
SSL_CIPHER_description(SSL_get_current_cipher(ssl),
tmpbuf, sizeof(tmpbuf));
logp("SSL is using cipher: %s\n", tmpbuf);
if(!(peer=SSL_get_peer_certificate(ssl)))
{
logp("Could not get peer certificate.\n");
return -1;
}
if(SSL_get_verify_result(ssl)!=X509_V_OK)
{
logp_ssl_err("Certificate doesn't verify.\n");
return -1;
}
X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
NID_commonName, tmpbuf, sizeof(tmpbuf));
if(strcasecmp(tmpbuf, ssl_peer_cn))
{
logp("cert common name doesn't match configured ssl_peer_cn\n");
logp("'%s'!='%s'\n", tmpbuf, ssl_peer_cn);
return -1;
}
#ifndef HAVE_WIN32
if(setenv_x509(X509_get_subject_name(peer), "PEER")
|| setenv_x509(X509_get_issuer_name(peer), "ISSUER"))
return -1;
if(setenv_x509_date(X509_get_notBefore(peer), "X509_PEER_NOT_BEFORE")
|| setenv_x509_date(X509_get_notAfter(peer), "X509_PEER_NOT_AFTER"))
return -1;
if(setenv_x509_serialnumber(X509_get_serialNumber(peer),
"X509_PEER_SERIALNUMBER"))
return -1;
#endif
//if((comp=SSL_get_current_compression(ssl)))
// logp("SSL is using compression: %s\n", comp->name);
return 0;
}
int
SecureSocket::secureConnect(int socket)
{
createSSL();
// attach the socket descriptor
SSL_set_fd(m_ssl->m_ssl, socket);
LOG((CLOG_DEBUG2 "connecting secure socket"));
int r = SSL_connect(m_ssl->m_ssl);
static int retry;
checkResult(r, retry);
if (isFatal()) {
LOG((CLOG_ERR "failed to connect secure socket"));
return -1;
}
// If we should retry, not ready and return 0
if (retry > 0) {
LOG((CLOG_DEBUG2 "retry connect secure socket"));
m_secureReady = false;
return 0;
}
// No error, set ready, process and return ok
m_secureReady = true;
if (verifyCertFingerprint()) {
LOG((CLOG_INFO "connected to secure socket"));
if (!showCertificate()) {
disconnect();
return -1;// Cert fail, error
}
}
else {
LOG((CLOG_ERR "failed to verify server certificate fingerprint"));
disconnect();
return -1; // Fingerprint failed, error
}
LOG((CLOG_DEBUG2 "connected secure socket"));
const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl);
if(cipher != NULL) {
char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0);
if(cipherVersion != NULL) {
LOG((CLOG_INFO "%s", cipherVersion));
OPENSSL_free(cipherVersion);
}
}
return 1;
}
CAMLprim value ocaml_ssl_get_current_cipher(value socket)
{
CAMLparam1(socket);
SSL *ssl = SSL_val(socket);
caml_enter_blocking_section();
SSL_CIPHER *cipher = (SSL_CIPHER*)SSL_get_current_cipher(ssl);
caml_leave_blocking_section();
if (!cipher)
caml_raise_constant(*caml_named_value("ssl_exn_cipher_error"));
CAMLreturn((value)cipher);
}
SCM scm_tls_get_cipher_info(SCM tls_smob){
scm_assert_smob_type(tls_tag, tls_smob);
BIO *bio = (BIO*)SCM_SMOB_DATA(tls_smob);
SSL *ssl;
BIO_get_ssl(bio, &ssl);
//I'm not sure if scheme copies c strings or not, so make this static
//so it stays valid regardless.
static char cipher_buf[128];
SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
SSL_CIPHER_description(cipher, cipher_buf, 128);
return scm_from_utf8_string(cipher_buf);
}
const char *
rb_ssl_get_cipher(rb_fde_t *F)
{
const SSL_CIPHER *sslciph;
if(F == NULL || F->ssl == NULL)
return NULL;
if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL)
return NULL;
return SSL_CIPHER_get_name(sslciph);
}
const char *net_get_cipher(void)
{
if (_use_ssl) {
const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
if (cipher)
return SSL_CIPHER_get_name(cipher);
else
return "unencrypted";
}
else
return "unencrypted";
}
static void benchmark(SSL *ssl, uint64_t send_bytes, uint64_t recv_bytes)
{
uint64_t bytes = 0;
char buf[BENCH_CHUNK];
record_time_t t0, t1, t2;
int sd;
memset(buf, 'a', BENCH_CHUNK);
record_time(&t0);
if (SSL_connect(ssl) != 1) {
ERR_print_errors_fp(stderr);
goto out;
}
printf("cipher: %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));
record_time(&t1);
if (send_bytes) {
while (bytes < send_bytes) {
int to_send = (send_bytes - bytes > BENCH_CHUNK) ? BENCH_CHUNK : send_bytes - bytes;
if (SSL_write_all(ssl, buf, to_send))
break;
bytes += to_send;
}
} else {
while (bytes < recv_bytes) {
int to_recv = (recv_bytes - bytes > BENCH_CHUNK) ? BENCH_CHUNK : recv_bytes - bytes;
int recved;
recved = SSL_read(ssl, buf, sizeof(to_recv));
if (recved > 0)
bytes += recved;
else
break;
}
}
record_time(&t2);
print_time((send_bytes > 0) ? "sending" : "receiving",
(send_bytes > 0) ? send_bytes : recv_bytes,
&t1, &t2);
SSL_shutdown(ssl);
out:
sd = SSL_get_fd(ssl);
SSL_free(ssl);
close(sd);
}
// Returns the names of the SSL cipher suites which are currently
// enabled for use on this connection.
char* SSLSocket::getEnabledCipherSuites()
{
char cipdesc[128];
const SSL_CIPHER *sslciph = SSL_get_current_cipher(_ssl);
if (sslciph != NULL) {
SSL_CIPHER_description(sslciph, cipdesc, sizeof(cipdesc));
return strdup(cipdesc);
}
else
return NULL;
}
std::string SSLSocket::getEncryptionInfo() const noexcept {
if (!ssl)
return Util::emptyString;
const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl);
if (!cipher)
return Util::emptyString;
char* buf = SSL_CIPHER_description(cipher, NULL, 0);
StringTokenizer<std::string> st(buf, ' ');
std::string ret = st.getTokens()[1] + " / " + st.getTokens()[0];
delete[] buf;
return ret;
}
int
SecureSocket::secureAccept(int socket)
{
createSSL();
// set connection socket to SSL state
SSL_set_fd(m_ssl->m_ssl, socket);
LOG((CLOG_DEBUG2 "accepting secure socket"));
int r = SSL_accept(m_ssl->m_ssl);
static int retry;
checkResult(r, retry);
if (isFatal()) {
// tell user and sleep so the socket isn't hammered.
LOG((CLOG_ERR "failed to accept secure socket"));
LOG((CLOG_INFO "client connection may not be secure"));
m_secureReady = false;
ARCH->sleep(1);
return -1; // Failed, error out
}
// If not fatal and no retry, state is good
if (retry == 0) {
m_secureReady = true;
LOG((CLOG_INFO "accepted secure socket"));
const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl);
if(cipher != NULL) {
char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0);
if(cipherVersion != NULL) {
LOG((CLOG_INFO "%s", cipherVersion));
OPENSSL_free(cipherVersion);
}
}
return 1;
}
// If not fatal and retry is set, not ready, and return retry
if (retry > 0) {
LOG((CLOG_DEBUG2 "retry accepting secure socket"));
m_secureReady = false;
return 0;
}
// no good state exists here
LOG((CLOG_ERR "unexpected state attempting to accept connection"));
return -1;
}
bool pn_ssl_get_protocol_name(pn_ssl_t *ssl, char *buffer, size_t size )
{
const SSL_CIPHER *c;
*buffer = '\0';
if (ssl->ssl && (c = SSL_get_current_cipher( ssl->ssl ))) {
const char *v = SSL_CIPHER_get_version(c);
if (v) {
snprintf( buffer, size, "%s", v );
return true;
}
}
return false;
}
