Пример #1
0
static int _tnet_transport_ssl_init(tnet_transport_t* transport)
{
	if(!transport){
		TSK_DEBUG_ERROR("Invalid parameter");
		return -1;
	}
#if HAVE_OPENSSL
	{
		tnet_socket_type_t type = tnet_transport_get_type(transport);
		tsk_bool_t is_tls = (TNET_SOCKET_TYPE_IS_TLS(type) || TNET_SOCKET_TYPE_IS_WSS(type));
		tsk_bool_t is_dtls = TNET_SOCKET_TYPE_IS_DTLS(type);
		if(is_dtls && !tnet_dtls_is_supported()){
			TSK_DEBUG_ERROR("Requesting to create DTLS transport but source code not built with support for this feature");
			return -1;
		}
		if(is_tls && !tnet_tls_is_supported()){
			TSK_DEBUG_ERROR("Requesting to create TLS transport but source code not built with support for this feature");
			return -1;
		}
		if((transport->tls.enabled = is_tls)){
			if(!transport->tls.ctx_client && !(transport->tls.ctx_client = SSL_CTX_new(SSLv23_client_method()))){
				TSK_DEBUG_ERROR("Failed to create SSL client context");
				return -2;
			}
			if(!transport->tls.ctx_server && !(transport->tls.ctx_server = SSL_CTX_new(SSLv23_server_method()))){
				TSK_DEBUG_ERROR("Failed to create SSL server context");
				return -3;
			}
			SSL_CTX_set_mode(transport->tls.ctx_client, SSL_MODE_AUTO_RETRY);
			SSL_CTX_set_mode(transport->tls.ctx_server, SSL_MODE_AUTO_RETRY);
			SSL_CTX_set_verify(transport->tls.ctx_server, SSL_VERIFY_NONE, tsk_null); // to be updated by tnet_transport_tls_set_certs()
			SSL_CTX_set_verify(transport->tls.ctx_client, SSL_VERIFY_NONE, tsk_null); // to be updated by tnet_transport_tls_set_certs()
			if(SSL_CTX_set_cipher_list(transport->tls.ctx_client, TNET_CIPHER_LIST) <= 0 || SSL_CTX_set_cipher_list(transport->tls.ctx_server, TNET_CIPHER_LIST) <= 0){
				TSK_DEBUG_ERROR("SSL_CTX_set_cipher_list failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
				return -4;
			}
		}
#if HAVE_OPENSSL_DTLS
		if((transport->dtls.enabled = is_dtls)){
			if(!transport->dtls.ctx && !(transport->dtls.ctx = SSL_CTX_new(DTLSv1_method()))){
				TSK_DEBUG_ERROR("Failed to create DTLSv1 context");
				TSK_OBJECT_SAFE_FREE(transport);
				return -5;
			}
			SSL_CTX_set_read_ahead(transport->dtls.ctx, 1);
			// SSL_CTX_set_options(transport->dtls.ctx, SSL_OP_ALL);
			// SSL_CTX_set_mode(transport->dtls.ctx, SSL_MODE_AUTO_RETRY);
			SSL_CTX_set_verify(transport->dtls.ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, tsk_null); // to be updated by tnet_transport_tls_set_certs()
			if(SSL_CTX_set_cipher_list(transport->dtls.ctx, TNET_CIPHER_LIST) <= 0){
				TSK_DEBUG_ERROR("SSL_CTX_set_cipher_list failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
				return -6;
			}
			transport->dtls.activated = tsk_true;
		}
#endif /* HAVE_OPENSSL_DTLS */
	}
#endif /* HAVE_OPENSSL */

	return 0;
}
Пример #2
0
	SSLModule(const Anope::string &modname, const Anope::string &creator) : Module(modname, creator, EXTRA | VENDOR)
		, service(this, "ssl")
	{
		me = this;

		this->SetPermanent(true);

		SSL_library_init();
		SSL_load_error_strings();

		client_ctx = SSL_CTX_new(SSLv23_client_method());
		server_ctx = SSL_CTX_new(SSLv23_server_method());

		if (!client_ctx || !server_ctx)
			throw ModuleException("Error initializing SSL CTX");

		long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE;
		SSL_CTX_set_options(client_ctx, opts);
		SSL_CTX_set_options(server_ctx, opts);

		SSL_CTX_set_mode(client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
		SSL_CTX_set_mode(server_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

		Anope::string context_name = "Anope";
		SSL_CTX_set_session_id_context(client_ctx, reinterpret_cast<const unsigned char *>(context_name.c_str()), context_name.length());
		SSL_CTX_set_session_id_context(server_ctx, reinterpret_cast<const unsigned char *>(context_name.c_str()), context_name.length());
	}
Пример #3
0
int
tls_configure_ssl(struct tls *ctx)
{
	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);

	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);

	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);

	if (ctx->config->ciphers != NULL) {
		if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
		    ctx->config->ciphers) != 1) {
			tls_set_errorx(ctx, "failed to set ciphers");
			goto err;
		}
	}

	SSL_CTX_set_info_callback(ctx->ssl_ctx, tls_info_callback);

	return (0);

err:
	return (-1);
}
Пример #4
0
/*
 * Setup SSL/TLS context.
 */
static void init_ssl_ctx(SSL_CTX *ssl_ctx)
{
  /* Disable SSLv2 and enable all workarounds for buggy servers */
  SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
  /* Set NPN callback */
  SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
}
Пример #5
0
static inline int tls_setup(shout_tls_t *tls)
{
	SSL_METHOD *meth;

	SSL_library_init();
	SSL_load_error_strings();
	SSLeay_add_all_algorithms();
 	SSLeay_add_ssl_algorithms();

	meth = TLSv1_client_method();
	if (!meth)
		goto error;

	tls->ssl_ctx = SSL_CTX_new(meth);
	if (!tls->ssl_ctx)
		goto error;

	SSL_CTX_set_default_verify_paths(tls->ssl_ctx);
	SSL_CTX_load_verify_locations(tls->ssl_ctx, tls->ca_file, tls->ca_directory);

	SSL_CTX_set_verify(tls->ssl_ctx, SSL_VERIFY_NONE, NULL);

	if (tls->client_certificate) {
		if (SSL_CTX_use_certificate_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1)
			goto error;
		if (SSL_CTX_use_PrivateKey_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1)
			goto error;
	}

	if (SSL_CTX_set_cipher_list(tls->ssl_ctx, tls->allowed_ciphers) <= 0)
		goto error;

	SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_AUTO_RETRY);

	tls->ssl = SSL_new(tls->ssl_ctx);
	if (!tls->ssl)
		goto error;

	if (!SSL_set_fd(tls->ssl, tls->socket))
		goto error;

	SSL_set_tlsext_host_name(tls->ssl, tls->host);
	SSL_set_connect_state(tls->ssl);
	tls->ssl_ret = SSL_connect(tls->ssl);

	return SHOUTERR_SUCCESS;

	error:
		if (tls->ssl)
			SSL_free(tls->ssl);
		if (tls->ssl_ctx)
			SSL_CTX_free(tls->ssl_ctx);
		return SHOUTERR_UNSUPPORTED;
}
Пример #6
0
/*
 * Setup SSL context. We pass |spdy_proto_version| to get negotiated
 * SPDY protocol version in NPN callback.
 */
void
spdy_ssl_init_ssl_ctx(SSL_CTX *ssl_ctx,
                      uint16_t *spdy_proto_version)
{
  /* Disable SSLv2 and enable all workarounds for buggy servers */
  SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
  /* Set NPN callback */
  SSL_CTX_set_next_proto_select_cb(ssl_ctx, spdy_cb_ssl_select_next_proto,
                                   spdy_proto_version);
}
Пример #7
0
int
tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
{
	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);

	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);

	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);

	if (ctx->config->alpn != NULL) {
		if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
		    ctx->config->alpn_len) != 0) {
			tls_set_errorx(ctx, "failed to set alpn");
			goto err;
		}
	}

	if (ctx->config->ciphers != NULL) {
		if (SSL_CTX_set_cipher_list(ssl_ctx,
		    ctx->config->ciphers) != 1) {
			tls_set_errorx(ctx, "failed to set ciphers");
			goto err;
		}
	}

	if (ctx->config->verify_time == 0) {
		X509_VERIFY_PARAM_set_flags(ssl_ctx->param,
		    X509_V_FLAG_NO_CHECK_TIME);
	}

	/* Disable any form of session caching by default */
	SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF);
	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);

	return (0);

 err:
	return (-1);
}
Пример #8
0
/**
 * cURL SSL setup callback
 *
 * \param curl_handle The curl handle to perform the ssl operation on.
 * \param _sslctx The ssl context.
 * \param parm The callback context.
 * \return A curl result code.
 */
static CURLcode
fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
{
	struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
	SSL_CTX *sslctx = _sslctx;
	long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;

	/* set verify callback for each certificate in chain */
	SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, fetch_curl_verify_callback);

	/* set callback used to verify certificate chain */
	SSL_CTX_set_cert_verify_callback(sslctx,
					 fetch_curl_cert_verify_callback,
					 parm);

	if (f->downgrade_tls) {
		/* Disable TLS 1.1/1.2 if the server can't cope with them */
#ifdef SSL_OP_NO_TLSv1_1
		options |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
		options |= SSL_OP_NO_TLSv1_2;
#endif
#ifdef SSL_MODE_SEND_FALLBACK_SCSV
		/* Ensure server rejects the connection if downgraded too far */
		SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
	}

	SSL_CTX_set_options(sslctx, options);

	return CURLE_OK;
}
Пример #9
0
int evt_ctx_init(evt_ctx_t *tls)
{
    tls_begin();

    //Currently we support only TLS, No DTLS
    tls->ctx = SSL_CTX_new(SSLv23_method());
    if(!tls->ctx) {
        return ENOMEM;
    }
    
    long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
    SSL_CTX_set_options(tls->ctx, options);

    SSL_CTX_set_mode(tls->ctx, SSL_MODE_AUTO_RETRY |
         SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER       |
         SSL_MODE_ENABLE_PARTIAL_WRITE             |
         SSL_MODE_RELEASE_BUFFERS
    );

    tls->cert_set = 0;
    tls->key_set = 0;
    tls->ssl_err_ = 0;
    tls->writer = NULL;

    QUEUE_INIT(&(tls->live_con));

    return 0;
}
Пример #10
0
static int ssl_setup(git_transport *t, const char *host)
{
	int ret;

	SSL_library_init();
	SSL_load_error_strings();
	t->ssl.ctx = SSL_CTX_new(SSLv23_method());
	if (t->ssl.ctx == NULL)
		return ssl_set_error(&t->ssl, 0);

	SSL_CTX_set_mode(t->ssl.ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_PEER, NULL);
	if (!SSL_CTX_set_default_verify_paths(t->ssl.ctx))
		return ssl_set_error(&t->ssl, 0);

	t->ssl.ssl = SSL_new(t->ssl.ctx);
	if (t->ssl.ssl == NULL)
		return ssl_set_error(&t->ssl, 0);

	if((ret = SSL_set_fd(t->ssl.ssl, t->socket)) == 0)
		return ssl_set_error(&t->ssl, ret);

	if ((ret = SSL_connect(t->ssl.ssl)) <= 0)
		return ssl_set_error(&t->ssl, ret);

	if (t->check_cert && verify_server_cert(t, host) < 0)
		return -1;

	return 0;
}
Пример #11
0
BOOL tls_prepare(rdpTls* tls, BIO *underlying, const SSL_METHOD *method, int options, BOOL clientMode)
#endif
{
	tls->ctx = SSL_CTX_new(method);
	if (!tls->ctx)
	{
		fprintf(stderr, "%s: SSL_CTX_new failed\n", __FUNCTION__);
		return FALSE;
	}

	SSL_CTX_set_mode(tls->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);

	SSL_CTX_set_options(tls->ctx, options);
	SSL_CTX_set_read_ahead(tls->ctx, 1);

	tls->bio = BIO_new_rdp_tls(tls->ctx, clientMode);

	if (BIO_get_ssl(tls->bio, &tls->ssl) < 0)
	{
		fprintf(stderr, "%s: unable to retrieve the SSL of the connection\n", __FUNCTION__);
		return FALSE;
	}

	BIO_push(tls->bio, underlying);

	return TRUE;
}
Пример #12
0
static CURLcode sslctxfun( CURL * curl, void * sslctx, void * parm ) {

	sslctxparm * p = (sslctxparm *) parm;
	SSL_CTX * ctx = (SSL_CTX *) sslctx ;

	if ( !SSL_CTX_use_certificate( ctx,p->usercert ) ) {
		BIO_printf( p->errorbio, "SSL_CTX_use_certificate problem\n" ); goto err;
	}
	if ( !SSL_CTX_use_PrivateKey( ctx,p->pkey ) ) {
		BIO_printf( p->errorbio, "SSL_CTX_use_PrivateKey\n" ); goto err;
	}

	if ( !SSL_CTX_check_private_key( ctx ) ) {
		BIO_printf( p->errorbio, "SSL_CTX_check_private_key\n" ); goto err;
	}

	SSL_CTX_set_quiet_shutdown( ctx,1 );
	SSL_CTX_set_cipher_list( ctx,"RC4-MD5" );
	SSL_CTX_set_mode( ctx, SSL_MODE_AUTO_RETRY );

	X509_STORE_add_cert( ctx->cert_store,sk_X509_value( p->ca,sk_X509_num( p->ca ) - 1 ) );

	SSL_CTX_set_verify_depth( ctx,2 );

	SSL_CTX_set_verify( ctx,SSL_VERIFY_PEER,NULL );

	SSL_CTX_set_cert_verify_callback( ctx, ssl_app_verify_callback, parm );


	return CURLE_OK ;
err:
	ERR_print_errors( p->errorbio );
	return CURLE_SSL_CERTPROBLEM;

}
Пример #13
0
BOOL CSSLTcpSocket::CreateSSLTcpSocketForServer( LPCSTR pszCertFile , LPCSTR pszKeyFile )
{
	SSL_load_error_strings(); /*为打印调试信息作准备*/ 
	OpenSSL_add_ssl_algorithms(); /*初始化*/ 

	m_meth = (SSL_METHOD *)TLSv1_server_method(); /*采用什么协议(SSLv2/SSLv3/TLSv1)在此指定,TLSv1_server_method,SSLv23_server_method()*/ 

	m_ctx = SSL_CTX_new (m_meth);

	//设置为要求强制校验对方(客户端)证书SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT
	SSL_CTX_set_verify(m_ctx,SSL_VERIFY_NONE,NULL); /*验证与否SSL_VERIFY_PEER*/ 
	//SSL_CTX_load_verify_locations(ctx,CACERT,NULL); /*若验证,则放置CA证书*/

	if (SSL_CTX_use_certificate_file(m_ctx, pszCertFile, SSL_FILETYPE_PEM) <= 0) 
	{
		printf("加载证书失败!\n");
		
	}

	if (SSL_CTX_use_PrivateKey_file(m_ctx, pszKeyFile, SSL_FILETYPE_PEM) <= 0)
	{
		printf("加载私钥失败!\n");
		
	}

	if (!SSL_CTX_check_private_key(m_ctx)) {
		printf("密钥证书不匹配!\n");
	}

	SSL_CTX_set_cipher_list(m_ctx,"DES-CBC3-SHA"); 
	SSL_CTX_set_mode(m_ctx, SSL_MODE_AUTO_RETRY);

	return CreateTcpSocket();
}
Пример #14
0
ape_ssl_t *ape_ssl_init_global_client_ctx()
{
    ape_ssl_t *ssl = NULL;
    SSL_CTX *ctx   = SSL_CTX_new(SSLv23_client_method());

    ssl      = malloc(sizeof(*ssl));
    ssl->ctx = ctx;
    ssl->con = NULL;

    SSL_CTX_set_options(ssl->ctx, SSL_OP_ALL);
    SSL_CTX_set_default_read_ahead(ssl->ctx, 1);

    /* see APE_socket_write() ape_socket.c */
    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
    // SSL_MODE_AUTO_RETRY

    if (SSL_CTX_set_cipher_list(ssl->ctx, CIPHER_LIST) <= 0) {
        printf("Failed to set cipher\n");
        SSL_CTX_free(ctx);
        free(ssl);
        return NULL;
    }

    return ssl;
}
Пример #15
0
tls_t *tls_new(xmpp_ctx_t *ctx, xmpp_sock_t sock)
{
    tls_t *tls = xmpp_alloc(ctx, sizeof(*tls));

    if (tls) {
        int ret;
	memset(tls, 0, sizeof(*tls));

	tls->ctx = ctx;
	tls->sock = sock;
	tls->ssl_ctx = SSL_CTX_new(SSLv23_client_method());

	SSL_CTX_set_client_cert_cb(tls->ssl_ctx, NULL);
	SSL_CTX_set_mode (tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_set_verify (tls->ssl_ctx, SSL_VERIFY_NONE, NULL);

	tls->ssl = SSL_new(tls->ssl_ctx);

	ret = SSL_set_fd(tls->ssl, sock);
	if (ret <= 0) {
	    tls->lasterror = SSL_get_error(tls->ssl, ret);
	    tls_error(tls);
	    tls_free(tls);
	    tls = NULL;
	}
    }

    return tls;
}
Пример #16
0
int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
	long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;

	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
	ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif

	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();
	/*
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
	 * which use the SSL hellos, which are often used for
	 * compatibility. We then disable SSL so we only allow OpenSSL
	 * to speak TLSv1 to perform the encryption itself.
	 */
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
	SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}
#endif

	git__on_shutdown(shutdown_ssl);

	return 0;
}
Пример #17
0
wi_socket_tls_t * wi_socket_tls_init_with_type(wi_socket_tls_t *tls, wi_socket_tls_type_t type) {
	SSL_METHOD		*method;
	
	switch(type) {
		default:
		case WI_SOCKET_TLS_CLIENT:
			method = TLSv1_client_method();
			break;

		case WI_SOCKET_TLS_SERVER:
			method = TLSv1_server_method();
			break;
	}
	
	tls->ssl_ctx = SSL_CTX_new(method);
	
	if(!tls->ssl_ctx) {
		wi_error_set_openssl_error();
		
		wi_release(NULL);
		
		return NULL;
	}
	
	SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_quiet_shutdown(tls->ssl_ctx, 1);
	
	return tls;
}
Пример #18
0
static CURLcode sslctxfun(CURL * curl, void * sslctx, void * parm)
{
  sslctxparm * p = (sslctxparm *) parm;

  SSL_CTX * ctx = (SSL_CTX *) sslctx ;
  fprintf(stderr,"sslctxfun start curl=%p ctx=%p parm=%p\n",
          (void *)curl,(void *)ctx,(void *)p);

  SSL_CTX_set_quiet_shutdown(ctx,1);
  SSL_CTX_set_cipher_list(ctx,"RC4-MD5");
  SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);

/* one might assume that the cert validaton would not fail when setting this,
   but it still does, see the error handling in the call back */

  SSL_CTX_set_verify_depth(ctx,0);
  SSL_CTX_set_verify(ctx,SSL_VERIFY_NONE,ZERO_NULL);

#if OPENSSL_VERSION_NUMBER<0x00907000L
/* in newer openssl versions we can set a parameter for the call back. */
  fprintf(stderr,"This version %s of openssl does not support a parm,"
          " setting global one\n", OPENSSL_VERSION_TEXT);
  /* this is only done to support 0.9.6 version */
  globalparm = parm;

/* in 0.9.6 the parm is not taken */
#endif
  SSL_CTX_set_cert_verify_callback(ctx, ssl_app_verify_callback, parm);
  fprintf(stderr,"sslctxfun end\n");

  return CURLE_OK ;
}
Пример #19
0
static int openssl_ssl_ctx_mode(lua_State*L)
{
  SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx");
  int mode = 0;
  int ret;
  int i;
  if (!lua_isnoneornil(L, 2))
  {
    int clear = lua_isboolean(L, 2) ? lua_toboolean(L, 2) : 0;
    i =  lua_isboolean(L, 2) ? 3 : 2;
    while (i <= lua_gettop(L))
    {
      mode = mode | auxiliar_checkoption(L, i++, NULL, sMode_options, iMode_options);
    }
    if (clear != 0)
      mode = SSL_CTX_set_mode(ctx, mode);
    else
      mode = SSL_CTX_clear_mode(ctx, mode);
  }
  else
    mode = SSL_CTX_get_mode(ctx);
  ret = 0;
  for (i = 0; i < sizeof(iMode_options) / sizeof(int); i++)
  {
    if (mode & iMode_options[i])
    {
      lua_pushstring(L, sMode_options[i]);
      ret++;
    }
  }
  return ret;
};
Пример #20
0
Файл: ssl.c Проект: byronhe/wrk
SSL_CTX *ssl_init() {
    SSL_CTX *ctx = NULL;

    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_all_algorithms();
    ssl_data_index = SSL_get_ex_new_index(0,0,0,0,0);

    if ((locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t)))) {
        for (int i = 0; i < CRYPTO_num_locks(); i++) {
            pthread_mutex_init(&locks[i], NULL);
        }

        CRYPTO_set_locking_callback(ssl_lock);
        CRYPTO_set_id_callback(ssl_id);

        if ((ctx = SSL_CTX_new(SSLv23_client_method()))) {
            SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
            SSL_CTX_set_verify_depth(ctx, 0);
            SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
            SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
            SSL_CTX_sess_set_new_cb(ctx, new_session_callback);
            SSL_CTX_set_info_callback(ctx, ssl_info_callback);
        }
    }

    return ctx;
}
Пример #21
0
BOOL tls_prepare(rdpTls* tls, BIO *underlying, const SSL_METHOD *method, int options, BOOL clientMode)
#endif
{
	tls->ctx = SSL_CTX_new(method);
	if (!tls->ctx)
	{
		DEBUG_WARN( "%s: SSL_CTX_new failed\n", __FUNCTION__);
		return FALSE;
	}

	SSL_CTX_set_mode(tls->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);

	SSL_CTX_set_options(tls->ctx, options);
	SSL_CTX_set_read_ahead(tls->ctx, 1);

	if (tls->settings->PermittedTLSCiphers) {
		if(!SSL_CTX_set_cipher_list(tls->ctx, tls->settings->PermittedTLSCiphers)) {
			DEBUG_WARN( "SSL_CTX_set_cipher_list %s failed\n", tls->settings->PermittedTLSCiphers);
			return FALSE;
		}
	}
 
	tls->bio = BIO_new_rdp_tls(tls->ctx, clientMode);

	if (BIO_get_ssl(tls->bio, &tls->ssl) < 0)
	{
		DEBUG_WARN( "%s: unable to retrieve the SSL of the connection\n", __FUNCTION__);
		return FALSE;
	}

	BIO_push(tls->bio, underlying);

	return TRUE;
}
Пример #22
0
static int ssl_setup(gitno_socket *socket, const char *host, int flags)
{
	int ret;

	SSL_library_init();
	SSL_load_error_strings();
	socket->ssl.ctx = SSL_CTX_new(SSLv23_method());
	if (socket->ssl.ctx == NULL)
		return ssl_set_error(&socket->ssl, 0);

	SSL_CTX_set_mode(socket->ssl.ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(socket->ssl.ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(socket->ssl.ctx))
		return ssl_set_error(&socket->ssl, 0);

	socket->ssl.ssl = SSL_new(socket->ssl.ctx);
	if (socket->ssl.ssl == NULL)
		return ssl_set_error(&socket->ssl, 0);

	if((ret = SSL_set_fd(socket->ssl.ssl, socket->socket)) == 0)
		return ssl_set_error(&socket->ssl, ret);

	if ((ret = SSL_connect(socket->ssl.ssl)) <= 0)
		return ssl_set_error(&socket->ssl, ret);

	if (GITNO_CONNECT_SSL_NO_CHECK_CERT & flags)
		return 0;

	return verify_server_cert(&socket->ssl, host);
}
Пример #23
0
static herror_t
_hssl_server_context_init(void)
{
  log_verbose3("enabled=%i, certificate=%p", enabled, certificate);

  if (!enabled || !certificate)
    return H_OK;

  if (!(context = SSL_CTX_new(SSLv23_method())))
  {
    log_error1("Cannot create SSL context");
    return herror_new("_hssl_server_context_init", HSSL_ERROR_CONTEXT,
                      "Unable to create SSL context");
  }

  if (!(SSL_CTX_use_certificate_file(context, certificate, SSL_FILETYPE_PEM)))
  {
    log_error2("Cannot read certificate file: \"%s\"", certificate);
    SSL_CTX_free(context);
    return herror_new("_hssl_server_context_init", HSSL_ERROR_CERTIFICATE,
                      "Unable to use SSL certificate \"%s\"", certificate);
  }

  SSL_CTX_set_default_passwd_cb(context, _hssl_password_callback);

  if (!(SSL_CTX_use_PrivateKey_file(context, certificate, SSL_FILETYPE_PEM)))
  {
    log_error2("Cannot read key file: \"%s\"", certificate);
    SSL_CTX_free(context);
    return herror_new("_hssl_server_context_init", HSSL_ERROR_PEM,
                      "Unable to use private key");
  }

  if (ca_list != NULL && *ca_list != '\0')
  {
    if (!(SSL_CTX_load_verify_locations(context, ca_list, NULL)))
    {
      SSL_CTX_free(context);
      log_error2("Cannot read CA list: \"%s\"", ca_list);
      return herror_new("_hssl_server_context_init", HSSL_ERROR_CA_LIST,
                        "Unable to read certification authorities \"%s\"");
    }

    SSL_CTX_set_client_CA_list(context, SSL_load_client_CA_file(ca_list));
    log_verbose1("Certification authority contacted");
  }

  SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
                     _hssl_cert_verify_callback);
  log_verbose1("Certificate verification callback registered");

  SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);

  SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);

  _hssl_superseed();

  return H_OK;
}
Пример #24
0
void conn_init_ssl(void)
{
    SSL_library_init();
    SSL_load_error_strings();
    global_ssl_context = SSL_CTX_new(SSLv23_client_method());
    SSL_CTX_set_mode(global_ssl_context, 
        SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
}
Пример #25
0
bool
ConnSSL_InitLibrary( void )
{
#ifdef HAVE_LIBSSL
	SSL_CTX *newctx;

	if (!ssl_ctx) {
		SSL_library_init();
		SSL_load_error_strings();
	}

	if (!RAND_status()) {
		Log(LOG_ERR, "OpenSSL PRNG not seeded: /dev/urandom missing?");
		/*
		 * it is probably best to fail and let the user install EGD or a similar program if no kernel random device is available.
		 * According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7";
		 * so it makes little sense to deal with PRNGD seeding ourselves.
		 */
		return false;
	}

	newctx = SSL_CTX_new(SSLv23_method());
	if (!newctx) {
		LogOpenSSLError("SSL_CTX_new()", NULL);
		return false;
	}

	if (!ConnSSL_LoadServerKey_openssl(newctx))
		goto out;

	SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2);
	SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_free(ssl_ctx);
	ssl_ctx = newctx;
	Log(LOG_INFO, "%s initialized.", SSLeay_version(SSLEAY_VERSION));
	return true;
out:
	SSL_CTX_free(newctx);
	return false;
#endif
#ifdef HAVE_LIBGNUTLS
	int err;
	static bool initialized;
	if (initialized) /* TODO: cannot reload gnutls keys: can't simply free x509 context -- it may still be in use */
		return false;

	err = gnutls_global_init();
	if (err) {
		Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(err));
		return false;
	}
	if (!ConnSSL_LoadServerKey_gnutls())
		return false;
	Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL));
	initialized = true;
	return true;
#endif
}
Пример #26
0
    SSLManager::SSLManager(const Params& params) :
        _validateCertificates(false),
        _weakValidation(params.weakCertificateValidation) {

        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();

        if (params.fipsMode) {
            _setupFIPS();
        }

        // Add all digests and ciphers to OpenSSL's internal table
        // so that encryption/decryption is backwards compatible
        OpenSSL_add_all_algorithms();

        _context = SSL_CTX_new(SSLv23_method());
        massert(15864,
                mongoutils::str::stream() << "can't create SSL Context: " <<
                _getSSLErrorMessage(ERR_get_error()),
                _context);

        // Activate all bug workaround options, to support buggy client SSL's.
        SSL_CTX_set_options(_context, SSL_OP_ALL);

        // If renegotiation is needed, don't return from recv() or send() until it's successful.
        // Note: this is for blocking sockets only.
        SSL_CTX_set_mode(_context, SSL_MODE_AUTO_RETRY);

        // Set context within which session can be reused
        int status = SSL_CTX_set_session_id_context(
            _context,
            static_cast<unsigned char*>(static_cast<void*>(&_context)),
            sizeof(_context));
        if (!status) {
            uasserted(16768,"ssl initialization problem");
        }

        SSLThreadInfo::init();
        SSLThreadInfo::get();

        if (!params.pemfile.empty()) {
            if (!_setupPEM(params.pemfile, params.pempwd)) {
                uasserted(16562, "ssl initialization problem"); 
            }
        }
        if (!params.cafile.empty()) {
            // Set up certificate validation with a certificate authority
            if (!_setupCA(params.cafile)) {
                uasserted(16563, "ssl initialization problem"); 
            }
        }
        if (!params.crlfile.empty()) {
            if (!_setupCRL(params.crlfile)) {
                uasserted(16582, "ssl initialization problem");
            }
        }
    }
Пример #27
0
/*
 * Enable SSL on a connection.
 */
int
fetch_ssl(conn_t *conn, int verbose)
{
#ifdef WITH_SSL
	int ret, ssl_err;

	/* Init the SSL library and context */
	if (!SSL_library_init()){
		fprintf(stderr, "SSL library init failed\n");
		return (-1);
	}

	SSL_load_error_strings();

	conn->ssl_meth = SSLv23_client_method();
	conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
	SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);

	conn->ssl = SSL_new(conn->ssl_ctx);
	if (conn->ssl == NULL){
		fprintf(stderr, "SSL context creation failed\n");
		return (-1);
	}
	SSL_set_fd(conn->ssl, conn->sd);
	while ((ret = SSL_connect(conn->ssl)) == -1) {
		ssl_err = SSL_get_error(conn->ssl, ret);
		if (ssl_err != SSL_ERROR_WANT_READ &&
		    ssl_err != SSL_ERROR_WANT_WRITE) {
			ERR_print_errors_fp(stderr);
			return (-1);
		}
	}

	if (verbose) {
		X509_NAME *name;
		char *str;

		fprintf(stderr, "SSL connection established using %s\n",
		    SSL_get_cipher(conn->ssl));
		conn->ssl_cert = SSL_get_peer_certificate(conn->ssl);
		name = X509_get_subject_name(conn->ssl_cert);
		str = X509_NAME_oneline(name, 0, 0);
		printf("Certificate subject: %s\n", str);
		free(str);
		name = X509_get_issuer_name(conn->ssl_cert);
		str = X509_NAME_oneline(name, 0, 0);
		printf("Certificate issuer: %s\n", str);
		free(str);
	}

	return (0);
#else
	(void)conn;
	(void)verbose;
	fprintf(stderr, "SSL support disabled\n");
	return (-1);
#endif
}
Пример #28
0
		Context(SSL_CTX* context)
			: ctx(context)
		{
			SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
			SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);

			const unsigned char session_id[] = "inspircd";
			SSL_CTX_set_session_id_context(ctx, session_id, sizeof(session_id) - 1);
		}
Пример #29
0
    bool SSLManager::_initSSLContext(SSL_CTX** context, const Params& params) {
        *context = SSL_CTX_new(SSLv23_method());
        massert(15864,
                mongoutils::str::stream() << "can't create SSL Context: " <<
                getSSLErrorMessage(ERR_get_error()),
                context);

        // SSL_OP_ALL - Activate all bug workaround options, to support buggy client SSL's.
        // SSL_OP_NO_SSLv2 - Disable SSL v2 support 
        SSL_CTX_set_options(*context, SSL_OP_ALL|SSL_OP_NO_SSLv2);

        // If renegotiation is needed, don't return from recv() or send() until it's successful.
        // Note: this is for blocking sockets only.
        SSL_CTX_set_mode(*context, SSL_MODE_AUTO_RETRY);

        // Set context within which session can be reused
        int status = SSL_CTX_set_session_id_context(
            *context,
            static_cast<unsigned char*>(static_cast<void*>(context)),
            sizeof(*context));
 
        if (!status) {
            error() << "failed to set session id context: " << 
                getSSLErrorMessage(ERR_get_error()) << endl;
            return false;
        }

        // Use the clusterfile for internal outgoing SSL connections if specified 
        if (context == &_clientContext && !params.clusterfile.empty()) {
            EVP_set_pw_prompt("Enter cluster certificate passphrase");
            if (!_setupPEM(*context, params.clusterfile, params.clusterpwd)) {
                return false;
            }
        }
        // Use the pemfile for everything else
        else if (!params.pemfile.empty()) {
            EVP_set_pw_prompt("Enter PEM passphrase");
            if (!_setupPEM(*context, params.pemfile, params.pempwd)) {
                return false;
            }
        }

        if (!params.cafile.empty()) {
            // Set up certificate validation with a certificate authority
            if (!_setupCA(*context, params.cafile)) {
                return false;
            }
        }

        if (!params.crlfile.empty()) {
            if (!_setupCRL(*context, params.crlfile)) {
                return false;
            }
        }

        return true;
    }
Пример #30
0
int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
	long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
	const char *ciphers = git_libgit2__ssl_ciphers();

	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
	ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif

#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();
#else
	OPENSSL_init_ssl(0, NULL);
#endif

	/*
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
	 * which use the SSL hellos, which are often used for
	 * compatibility. We then disable SSL so we only allow OpenSSL
	 * to speak TLSv1 to perform the encryption itself.
	 */
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
	SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}

	if (!ciphers) {
		ciphers = GIT_SSL_DEFAULT_CIPHERS;
	}

	if(!SSL_CTX_set_cipher_list(git__ssl_ctx, ciphers)) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}

	if (init_bio_method() < 0) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}

#endif

	git__on_shutdown(shutdown_ssl);

	return 0;
}