bool SSLTCPSocket::initSSL(char* certPath, char* keyPath) {
    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_all_algorithms();

    serverContext = SSL_CTX_new(SSLv23_server_method());
    SSL_CTX_set_options(serverContext, SSL_OP_SINGLE_DH_USE);
    if (!SSL_CTX_use_certificate_file(serverContext, certPath, SSL_FILETYPE_PEM)) {
        return false;
    }

    if (!SSL_CTX_use_PrivateKey_file(serverContext, keyPath, SSL_FILETYPE_PEM)) {
        return false;
    }

    clientContext = SSL_CTX_new(SSLv23_client_method());
    SSL_CTX_set_options(clientContext, SSL_OP_SINGLE_DH_USE);

    return true;
}
Пример #2
0
int SslContext::setCertificateFile(const char *pFile, int type,
                                   int chained)
{
    int ret;
    if (!pFile)
        return 0;
    ::stat(pFile, &m_stCert);
    if (init(m_iMethod))
        return 0;
    if (chained)
        return SSL_CTX_use_certificate_chain_file(m_pCtx, pFile);
    else
    {
        ret = loadCertFile(m_pCtx, pFile, type);
        if (ret == -1)
            return SSL_CTX_use_certificate_file(m_pCtx, pFile,
                                                translateType(type));
        return ret;
    }
}
Пример #3
0
static int
vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
                   enum enum_ssl_init_error* error)
{
  DBUG_ENTER("vio_set_cert_stuff");
  DBUG_PRINT("enter", ("ctx: 0x%lx  cert_file: %s  key_file: %s",
		       (long) ctx, cert_file, key_file));

  if (!cert_file &&  key_file)
    cert_file= key_file;
  
  if (!key_file &&  cert_file)
    key_file= cert_file;

  if (cert_file &&
      SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
  {
    *error= SSL_INITERR_CERT;
    DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
void PosixSslServerSocket::loadCertificates( const std::string & certificateFile,
                                             const std::string & keyFile ) {
    SSL_CTX * sslContext;
    int rc;

    sslContext = SSL_CTX_new(SSLv3_server_method());
    rc = SSL_CTX_load_verify_locations(sslContext,certificateFile.c_str(),keyFile.c_str());
    if( rc <= 0 )
        ERR_print_errors_fp(stdout);
    rc = SSL_CTX_set_default_verify_paths(sslContext);
    if( rc <= 0 )
        ERR_print_errors_fp(stdout);
    rc = SSL_CTX_use_certificate_file(sslContext,certificateFile.c_str(),SSL_FILETYPE_PEM);
    if( rc <= 0 )
        ERR_print_errors_fp(stdout);
    rc = SSL_CTX_use_PrivateKey_file(sslContext,keyFile.c_str(),SSL_FILETYPE_PEM);
    if( rc <= 0 )
        ERR_print_errors_fp(stdout);
    setSslContext(sslContext);
}
Пример #5
0
struct cert* loadCert(const char* cert, const char* key) {
	const SSL_METHOD* method = SSLv23_method();
	SSL_CTX* ctx = SSL_CTX_new(method);
	SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
	if (SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM) < 0) {
		return NULL;
	}
	if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) < 0) {
		return NULL;
	}
	if (!SSL_CTX_check_private_key(ctx)) {
		return NULL;
	}
	struct cert* oc = xmalloc(sizeof(struct cert));
	oc->isDummy = 0;
	oc->ctx = ctx;
	oc->certf = cert;
	oc->key = key;
	return oc;
}
Пример #6
0
ssl_client * ssl_start_client(int fd, struct sockaddr * remote_addr){
  ssl_ensure_initialized();
  SSL_CTX * ctx = SSL_CTX_new(DTLSv1_client_method());
  SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5:!RC4");
  
  if (!SSL_CTX_use_certificate_file(ctx, "certs/client-cert.pem", SSL_FILETYPE_PEM))
    printf("\nERROR: no certificate found!");
  
  if (!SSL_CTX_use_PrivateKey_file(ctx, "certs/client-key.pem", SSL_FILETYPE_PEM))
    printf("\nERROR: no private key found!");
  
  if (!SSL_CTX_check_private_key (ctx))
    printf("\nERROR: invalid private key!");
  
  SSL_CTX_set_verify_depth (ctx, 2);
  SSL_CTX_set_read_ahead(ctx, 1);
  
  SSL * ssl = SSL_new(ctx);
  
  // Create BIO, connect and set to already connected.
  BIO * bio = BIO_new_dgram(fd, BIO_CLOSE);
  
  BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, remote_addr);
  SSL_set_bio(ssl, bio, bio);
  int ret = SSL_connect(ssl);
  if(ret < 0){
    handle_ssl_error(ssl, ret);
  }
  
  {
    struct timeval timeout;
    timeout.tv_sec = 3;
    timeout.tv_usec = 0;
    BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
  }

  ssl_client * cli = alloc0(sizeof(ssl_client));
  cli->ssl = ssl;
  cli->ctx = ctx;
  return cli;
}
Пример #7
0
SSL_CTX *setup_tls()
{
  SSL_CTX *tlsctx;

  SSL_library_init();
  SSL_load_error_strings();

  tlsctx = SSL_CTX_new(TLSv1_server_method());
  if (tlsctx == NULL){
#ifdef DEBUG
    fprintf(stderr, "wss: SSL error: %s\n", ERR_error_string(ERR_get_error(), NULL));
#endif
    return NULL;
  }

#ifdef DEBUG
  fprintf(stderr, "%s: tlsctx (%p)\n", __func__, tlsctx);
#endif

  SSL_CTX_set_options(tlsctx, SSL_OP_SINGLE_DH_USE);

  if (!SSL_CTX_use_certificate_file(tlsctx, TLS_CERT, SSL_FILETYPE_PEM)){
#ifdef DEBUG
    fprintf(stderr, "%s: SSL error: %s\n", __func__, ERR_error_string(ERR_get_error(), NULL));
#endif
    SSL_CTX_free(tlsctx);
    return NULL;
  }

  if (!SSL_CTX_use_PrivateKey_file(tlsctx, TLS_KEY, SSL_FILETYPE_PEM)) {
#ifdef DEBUG
    fprintf(stderr, "%s: SSL error: %s\n", __func__, ERR_error_string(ERR_get_error(), NULL));
#endif
    SSL_CTX_free(tlsctx);
    return NULL;
  }

  //SSL_CTX_set_session_cache_mode(tlsctx, SSL_SESS_CACHE_OFF);
  
  return tlsctx;
}
Пример #8
0
bool
SecureSocket::loadCertificates(String& filename)
{
	if (filename.empty()) {
		showError("ssl certificate is not specified");
		return false;
	}
	else {
		std::ifstream file(filename.c_str());
		bool exist = file.good();
		file.close();

		if (!exist) {
			String errorMsg("ssl certificate doesn't exist: ");
			errorMsg.append(filename);
			showError(errorMsg.c_str());
			return false;
		}
	}

	int r = 0;
	r = SSL_CTX_use_certificate_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM);
	if (r <= 0) {
		showError("could not use ssl certificate");
		return false;
	}

	r = SSL_CTX_use_PrivateKey_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM);
	if (r <= 0) {
		showError("could not use ssl private key");
		return false;
	}

	r = SSL_CTX_check_private_key(m_ssl->m_context);
	if (!r) {
		showError("could not verify ssl private key");
		return false;
	}

	return true;
}
Пример #9
0
int init_ssl(void)
{
	SSL_METHOD *method;
	SSL_library_init();
	SSL_load_error_strings();
	method = TLSv1_server_method();
	if(method == NULL) {
		syslog(LOG_ERR, "TLSv1_server_method() failed");
		syslogsslerr();
		return -1;
	}
	ssl_ctx = SSL_CTX_new(method);
	if(ssl_ctx == NULL) {
		syslog(LOG_ERR, "SSL_CTX_new() failed");
		syslogsslerr();
		return -1;
	}
	/* set the local certificate */
	if(!SSL_CTX_use_certificate_file(ssl_ctx, HTTPS_CERTFILE, SSL_FILETYPE_PEM)) {
		syslog(LOG_ERR, "SSL_CTX_use_certificate_file(%s) failed", HTTPS_CERTFILE);
		syslogsslerr();
		return -1;
	}
	/* set the private key */
	if(!SSL_CTX_use_PrivateKey_file(ssl_ctx, HTTPS_KEYFILE, SSL_FILETYPE_PEM)) {
		syslog(LOG_ERR, "SSL_CTX_use_PrivateKey_file(%s) failed", HTTPS_KEYFILE);
		syslogsslerr();
		return -1;
	}
	/* verify private key */
	if(!SSL_CTX_check_private_key(ssl_ctx)) {
		syslog(LOG_ERR, "SSL_CTX_check_private_key() failed");
		syslogsslerr();
		return -1;
	}
	/*SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_callback);*/
	SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, verify_callback);
	/*SSL_CTX_set_verify_depth(depth);*/
	syslog(LOG_INFO, "using %s", SSLeay_version(SSLEAY_VERSION));
	return 0;
}
Пример #10
0
void Network::loadCertificates() {
	int out;
	std::cout << "Loading Certificate:";
	if ((out = SSL_CTX_use_certificate_file(sslContext, "/home/cameron/.heatSync/server.crt", SSL_FILETYPE_PEM)) != 1) { //todo: fix directory
		std::cerr << "(" << __FILE__ << ":" << __LINE__ << ") SSL: " << ERR_error_string(out, NULL) << std::endl;
		return;
	}
	std::cout << ".";
	if ((out = SSL_CTX_use_PrivateKey_file(sslContext, "/home/cameron/.heatSync/server.key", SSL_FILETYPE_PEM)) != 1) {
		std::cerr << "(" << __FILE__ << ":" << __LINE__ << ") SSL: " << ERR_error_string(out, NULL) << std::endl;
		return;
	}
	std::cout << ".";
	if (!(out = SSL_CTX_check_private_key(sslContext))) {
		std::cerr << "(" << __FILE__ << ":" << __LINE__ << ") SSL: " << ERR_error_string(out, NULL) << std::endl;
		return;
	}
	std::cout << ".";
	std::cout << "Success" << std::endl;

}
Пример #11
0
JNIEXPORT void JNICALL Java_com_wizzardo_epoll_EpollSSL_loadCertificates(JNIEnv *env, jclass clazz, jlong sslContextPointer, jstring certFile, jstring keyFile){
    SSL_CTX *ctx = (SSL_CTX *) sslContextPointer;
    const char *CertFile = ((*env)->GetStringUTFChars(env, certFile, NULL));
    const char *KeyFile = ((*env)->GetStringUTFChars(env, keyFile, NULL));

	/* set the local certificate from CertFile */
    if (SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        throwException(env, strerror(errno));
    }
    /* set the private key from KeyFile (may be the same as CertFile) */
    if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        throwException(env, strerror(errno));
    }
    /* verify private key */
    if (!SSL_CTX_check_private_key(ctx)) {
//        fprintf(stderr, "Private key does not match the public certificate\n");
        throwException(env, strerror(errno));
    }
}
Пример #12
0
static int setup_ssl(const char *cert_file, const char *key_file)
{
    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_all_algorithms();

    accept_ctx.ssl_ctx = SSL_CTX_new(SSLv23_server_method());
    SSL_CTX_set_options(accept_ctx.ssl_ctx, SSL_OP_NO_SSLv2);

    /* load certificate and private key */
    if (SSL_CTX_use_certificate_file(accept_ctx.ssl_ctx, cert_file, SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, "an error occurred while trying to load server certificate file:%s\n", cert_file);
        return -1;
    }
    if (SSL_CTX_use_PrivateKey_file(accept_ctx.ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, "an error occurred while trying to load private key file:%s\n", key_file);
        return -1;
    }

    return 0;
}
Пример #13
0
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
    /* set the local certificate from CertFile */
    if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* set the private key from KeyFile (may be the same as CertFile) */
    if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* verify private key */
    if ( !SSL_CTX_check_private_key(ctx) )
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }
}
Пример #14
0
int ssl_init(void)
{
    if (!prng_init()) {
	Debug((DEBUG_NOTICE, "PRNG seeded"));
    }
    if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG))
	    (void)fprintf(stderr, "ssl_init(): SSL_load_error_strings()\n" );
    SSL_load_error_strings();
    if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG))
	    (void)fprintf(stderr, "ssl_init(): OpenSSL_add_ssl_algorythms()\n");
    OpenSSL_add_ssl_algorithms();
    if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG))
	    (void)fprintf(stderr, "ssl_init(): SSL_CTX_new()\n");
    ctx = SSL_CTX_new(SSLv23_server_method());
    if (!ctx) {
	Debug((DEBUG_ERROR, "CTX_new: %s", ERR_error_string(ERR_get_error(), NULL)));
	return 0;
    }
    if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG))
	    (void)fprintf(stderr, "ssl_init(): SSL_CTX_use_certificate_file()\n");
    if (SSL_CTX_use_certificate_file(ctx,
		IRCD_CRT, SSL_FILETYPE_PEM) <= 0) {
	(void)disable_ssl(1);
	return 0;
    }
    if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG))
	    (void)fprintf(stderr, "ssl_init(): SSL_CTX_use_PrivateKey_file()\n");
    if (SSL_CTX_use_PrivateKey_file(ctx,
		IRCD_KEY, SSL_FILETYPE_PEM) <= 0) {
	(void)disable_ssl(1);
	return 0;
    }
    if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG))
	    (void)fprintf(stderr, "ssl_init(): SSL_CTX_check_private_key()\n");    
    if (!SSL_CTX_check_private_key(ctx)) {
	(void)disable_ssl(1);
	return 0;
    }
    return 1;
}
Пример #15
0
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
    /* set the local certificate from CertFile */
    if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
    {
        //ERR_print_errors_fp(stderr);
	printf("The certificate is tampered ! Aborting now.\n");
	exit(0);        
	//abort();
    }
    /* set the private key from KeyFile (may be the same as CertFile) */
    if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
    {
        //ERR_print_errors_fp(stderr);
	printf("The key is tampered ! Aborting now.\n");
        exit(0);
    }
    /* verify private key */
    if ( !SSL_CTX_check_private_key(ctx) )
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        exit(0);
    }

	

	if (!SSL_CTX_load_verify_locations(ctx,"/home/shagun/ca/certs/cacert.pem",NULL)) { 
                    //ERR_print_errors(bio_err);  
                  ERR_print_errors_fp(stderr); 
                     exit(1);
            }

	/* Set to require peer (client) certificate verification */
                SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
          /* Set the verification depth to 1 */
               SSL_CTX_set_verify_depth(ctx,1);
 


}
Пример #16
0
/* cr_load_certs : loads private key and certificates from files 
 * if cert_file and key_file are NULL , the function will generate
 * a dynamic certificate and private key
 */
void cr_load_certs(SSL_CTX *ssl,u_char *cert_file,u_char *key_file)
{
	X509 *cert = NULL;
	EVP_PKEY *pkey = NULL;
	
	if(cert_file == NULL || key_file == NULL) {
		/* generate a public certificate and a private key */
		
		cr_make_cert(&cert,&pkey,2048,0,365);

		SSL_CTX_use_certificate(ssl, cert);
		SSL_CTX_use_PrivateKey(ssl, pkey);

#ifdef CR_MK_CERT	
		RSA_print_fp(stdout,pkey->pkey.rsa,0);
		X509_print_fp(stdout,cert);
		
		PEM_write_PrivateKey(stdout,pkey,NULL,NULL,0,NULL, NULL);
		PEM_write_X509(stdout,cert);
#endif

	} else {
		if (SSL_CTX_use_certificate_file(ssl, (const char*)cert_file,
						 SSL_FILETYPE_PEM) <= 0) {
			ERR_print_errors_fp(stderr);
			exit(3);
		}
		if (SSL_CTX_use_RSAPrivateKey_file(ssl, (const char*)key_file,
						SSL_FILETYPE_PEM) <= 0) {
			ERR_print_errors_fp(stderr);
			exit(4);
		}
	}
	
	if (!SSL_CTX_check_private_key(ssl)) {
		perrx("Private key does not match the certificate public key\n");
		exit(5);
	}
	
}
Пример #17
0
void ssl_setup(SSL_CTX* ctx, char *ca_file, char* cert_file, char* key_file)
{
	if (SSL_CTX_load_verify_locations(ctx, ca_file, NULL) != 1) {
		ERR_print_errors_fp(stderr);
	}
	/* set the local certificate from CertFile */
	if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) != 1) {
		ERR_print_errors_fp(stderr);
		assert(0);
	}
	/* set the private key from KeyFile (may be the same as CertFile) */
	if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) != 1) {
		ERR_print_errors_fp(stderr);
		assert(0);
	}
	/* verify private key */
	if (SSL_CTX_check_private_key(ctx) != 1) {
		ERR_print_errors_fp(stderr);
		assert(0);
	}

	//SSL_VERIFY_PEER
	SSL_CTX_set_verify(ctx, 0, NULL);
	SSL_CTX_set_verify_depth(ctx, 4);
	if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1) {
		ERR_print_errors_fp(stderr);
		assert(0);
	}

	EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	if (!ecdh) {
		ERR_print_errors_fp(stderr);
		assert(0);
	}
	if (SSL_CTX_set_tmp_ecdh (ctx, ecdh) != 1) {
		ERR_print_errors_fp(stderr);
		assert(0);
	}
	EC_KEY_free(ecdh);
}
Пример #18
0
static int ns_use_cert(SSL_CTX *ctx, const char *pem_file) {
  if (ctx == NULL) {
    return -1;
  } else if (pem_file == NULL || pem_file[0] == '\0') {
    return 0;
  } else if (SSL_CTX_use_certificate_file(ctx, pem_file, 1) == 0 ||
             SSL_CTX_use_PrivateKey_file(ctx, pem_file, 1) == 0) {
    return -2;
#ifndef NS_DISABLE_PFS
  } else {
    BIO *bio = NULL;
    DH *dh = NULL;

    /* Try to read DH parameters from the cert/key file. */
    bio = BIO_new_file(pem_file, "r");
    if (bio != NULL) {
      dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
      BIO_free(bio);
    }
    /*
     * If there are no DH params in the file, fall back to hard-coded ones.
     * Not ideal, but better than nothing.
     */
    if (dh == NULL) {
      bio = BIO_new_mem_buf((void *) ns_s_default_dh_params, -1);
      dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
      BIO_free(bio);
    }
    if (dh != NULL) {
      SSL_CTX_set_tmp_dh(ctx, dh);
      SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
      DH_free(dh);
    }

    SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
    SSL_CTX_use_certificate_chain_file(ctx, pem_file);
    return 0;
#endif
  }
}
Пример #19
0
static bool
load_certificates( const char *cert_file, const char *key_file ) {
    assert( ctx != NULL );
    assert( cert_file != NULL );
    assert( key_file != NULL );

    debug( "Loading certificate ( ctx = %p, cert_file = %s, key_file = %s ).", ctx, cert_file, key_file );

    unsigned long error_no = 0;
    char error_str[ 256 ];
    memset( error_str, '\0', sizeof( error_str ) );

    int ret = SSL_CTX_use_certificate_file( ctx, cert_file, SSL_FILETYPE_PEM );
    if ( ret != 1 ) {
        error_no = ERR_get_error();
        ERR_error_string_n( error_no, error_str, sizeof( error_str ) );
        error( "Failed to load a certificate file ( file = %s, error = %s [%ul] ).",
               cert_file, error_str, error_no );
        return false;
    }

    ret = SSL_CTX_use_PrivateKey_file( ctx, key_file, SSL_FILETYPE_PEM );
    if ( ret != 1 ) {
        error_no = ERR_get_error();
        ERR_error_string_n( error_no, error_str, sizeof( error_str ) );
        error( "Failed to load a private key file ( file = %s, error = %s [%ul] ).",
               key_file, error_str, error_no );
        return false;
    }

    ret = SSL_CTX_check_private_key( ctx );
    if ( ret != 1 ) {
        error_no = ERR_get_error();
        ERR_error_string_n( error_no, error_str, sizeof( error_str ) );
        error( "Failed to check private key ( error = %s [%ul] ).", error_str, error_no );
        return false;
    }

    return true;
}
Пример #20
0
static int init_ssl_ctx(POOL_CONNECTION *cp, enum ssl_conn_type conntype) {
	int error = 0;
	char *cacert = NULL, *cacert_dir = NULL;

	/* initialize SSL members */
	cp->ssl_ctx = SSL_CTX_new(TLSv1_method());
	SSL_RETURN_ERROR_IF( (! cp->ssl_ctx), "SSL_CTX_new" );

	if ( conntype == ssl_conn_serverclient) {
		error = SSL_CTX_use_certificate_file(cp->ssl_ctx,
		                                     pool_config->ssl_cert,
		                                     SSL_FILETYPE_PEM);
		SSL_RETURN_ERROR_IF( (error <= 0), "Loading SSL certificate");

		error = SSL_CTX_use_PrivateKey_file(cp->ssl_ctx,
		                                    pool_config->ssl_key,
		                                    SSL_FILETYPE_PEM);
		SSL_RETURN_ERROR_IF( (error <= 0), "Loading SSL private key");
	} else {
		/* set extra verification if ssl_ca_cert or ssl_ca_cert_dir are set */
		if (strlen(pool_config->ssl_ca_cert))
			cacert = pool_config->ssl_ca_cert;
		if (strlen(pool_config->ssl_ca_cert_dir))
			cacert_dir = pool_config->ssl_ca_cert_dir;
    
		if ( cacert || cacert_dir ) {
			error = (!SSL_CTX_load_verify_locations(cp->ssl_ctx,
			                                        cacert,
			                                        cacert_dir));
			SSL_RETURN_ERROR_IF(error, "SSL verification setup");
			SSL_CTX_set_verify(cp->ssl_ctx, SSL_VERIFY_PEER, NULL);
		}
	}

	cp->ssl = SSL_new(cp->ssl_ctx);
	SSL_RETURN_ERROR_IF( (! cp->ssl), "SSL_new");

	return 0;
}
Пример #21
0
//PASS SSL_CTX* , CERTFILE, AND KEYFILE
void load_Certs(SSL_CTX* ctx, char* Cert, char* Key)
{
    // Set Certificate
    if ( SSL_CTX_use_certificate_file(ctx, Cert, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
   
    //Set Private key from keyfile -NOTE Possible same as certfile
    if ( SSL_CTX_use_PrivateKey_file(ctx, Key, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    //Verifiy private key ?? needed?
    if ( !SSL_CTX_check_private_key(ctx) )
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }
}
Пример #22
0
int swSSL_init(char *cert_file, char *key_file)
{
	SSL_library_init();
	SSL_load_error_strings();
	OpenSSL_add_all_algorithms();

	ssl_context = SSL_CTX_new(SSLv23_method());

	if (ssl_context == NULL)
	{
		ERR_print_errors_fp(stderr);
		return SW_ERR;
	}
	/*
	 * set the local certificate from CertFile
	 */
	if (SSL_CTX_use_certificate_file(ssl_context, cert_file, SSL_FILETYPE_PEM) <= 0)
	{
		ERR_print_errors_fp(stderr);
		return SW_ERR;
	}
	/*
	 * set the private key from KeyFile (may be the same as CertFile)
	 */
	if (SSL_CTX_use_PrivateKey_file(ssl_context, key_file, SSL_FILETYPE_PEM) <= 0)
	{
		ERR_print_errors_fp(stderr);
		return SW_ERR;
	}
	/*
	 * verify private key
	 */
	if (!SSL_CTX_check_private_key(ssl_context))
	{
		swWarn("Private key does not match the public certificate");
		return SW_ERR;
	}
	return SW_OK;
}
Пример #23
0
int TPC_Logging_Acceptor::open
    (const ACE_SOCK_Acceptor::PEER_ADDR &local_addr,
           ACE_Reactor *reactor,
           int flags, int use_select, int reuse_addr) {
  if (PARENT::open (local_addr, reactor, flags,
                    use_select, reuse_addr) != 0)
    return -1;
  OpenSSL_add_ssl_algorithms ();
  ssl_ctx_ = SSL_CTX_new (SSLv3_server_method ());
  if (ssl_ctx_ == 0) return -1;

  if (SSL_CTX_use_certificate_file (ssl_ctx_,
                                    TPC_CERTIFICATE_FILENAME,
                                    SSL_FILETYPE_PEM) <= 0
      || SSL_CTX_use_PrivateKey_file (ssl_ctx_,
                                      TPC_KEY_FILENAME,
                                      SSL_FILETYPE_PEM) <= 0
      || !SSL_CTX_check_private_key (ssl_ctx_))
    return -1;
  ssl_ = SSL_new (ssl_ctx_);
  return ssl_ == 0 ? -1 : 0;
}
Пример #24
0
static SSL_CTX *get_ssl_ctx(char *ca_dir, char *cert, char *key) {
  SSL_CTX *ssl_ctx;
  const SSL_METHOD *method;

  lagopus_msg_info("ca_dir:[%s], cert:[%s], key:[%s]\n", ca_dir, cert, key);
  method = TLSv1_method();
  ssl_ctx = SSL_CTX_new(method);
  if (ssl_ctx == NULL) {
    lagopus_msg_warning("no memory.\n");
    return NULL;
  }

  /* add client cert. */
  if (SSL_CTX_use_certificate_file(ssl_ctx, cert, SSL_FILETYPE_PEM) != 1) {
    lagopus_msg_warning("SSL_CTX_use_certificate_file(%s) fail.\n", cert);
    SSL_CTX_free(ssl_ctx);
    return NULL;
  }

  /* add client private key. */
  if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key, SSL_FILETYPE_PEM) != 1) {
    lagopus_msg_warning("SSL_CTX_use_PrivateKey_file(%s) fail.\n", key);
    SSL_CTX_free(ssl_ctx);
    return NULL;
  }

  /* loading ca cert */
  if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, ca_dir) != 1) {
    lagopus_msg_warning("SSL_CTX_load_verify_locations(%s) fail.\n", ca_dir);
    SSL_CTX_free(ssl_ctx);
    return NULL;
  }

  SSL_CTX_set_verify_depth(ssl_ctx, 1);/* XXX depth is configurable? */
  SSL_CTX_set_verify(ssl_ctx,
                     SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);

  return ssl_ctx;
}
Пример #25
0
/** setup SSL context */
static SSL_CTX*
setup_ctx(struct config_file* cfg)
{
	char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
	SSL_CTX* ctx;

	if(cfg->remote_control_use_cert) {
		s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
		c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
		c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1);
		if(!s_cert || !c_key || !c_cert)
			fatal_exit("out of memory");
	}
        ctx = SSL_CTX_new(SSLv23_client_method());
	if(!ctx)
		ssl_err("could not allocate SSL_CTX pointer");
        if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
		ssl_err("could not set SSL_OP_NO_SSLv2");
        if(cfg->remote_control_use_cert) {
		if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
			ssl_err("could not set SSL_OP_NO_SSLv3");
		if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
		    !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
		    || !SSL_CTX_check_private_key(ctx))
			ssl_err("Error setting up SSL_CTX client key and cert");
		if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1)
			ssl_err("Error setting up SSL_CTX verify, server cert");
		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);

		free(s_cert);
		free(c_key);
		free(c_cert);
	} else {
		/* Use ciphers that don't require authentication  */
		if(!SSL_CTX_set_cipher_list(ctx, "aNULL"))
			ssl_err("Error setting NULL cipher!");
	}
	return ctx;
}
Пример #26
0
void init_ssl() {
    /* SSL preliminaries. We keep the certificate and key with the context. */

  SSL_load_error_strings();
  SSLeay_add_ssl_algorithms();
  meth = SSLv23_server_method();
  ctx = SSL_CTX_new (meth);

       if (!ctx)
         {
               irclog(L_ERROR, "Error creating SSL CTX");                        
#if 0         
               ERR_print_errors_fp (stderr);
#endif               
               exit (2);               
         }

       if (SSL_CTX_use_certificate_file (ctx, CERTF, SSL_FILETYPE_PEM) <= 0)
         {
            irclog(L_ERROR, "Failed to load SSL certificate %s, SSL disabled", CERTF);
            no_ssl = -1;
            return;
         }
       if (SSL_CTX_use_PrivateKey_file (ctx, KEYF, SSL_FILETYPE_PEM) <= 0)
         {
            irclog(L_ERROR, "Failed to load SSL private key %s, SSL disabled", KEYF);
            no_ssl = -1;            
            return;
         }

#if 0
       if (!SSL_CTX_check_private_key (ctx))
         {
               fprintf (stderr, "Private key does not match the certificate public key\n");
               exit (5);
         }
#endif
}
Пример #27
0
int      kn_sock_ssllisten(handle_t h,
		             kn_sockaddr *addr,
		             const char *certificate,
		             const char *privatekey
		             ){
	   if(h->type != KN_SOCKET && ((kn_socket*)h)->type != SOCK_STREAM)
		return 0;	
	   kn_stream_socket *ss = (kn_stream_socket*)h;
	   if(h->status != SOCKET_NONE) return -1;
	    /* 以 SSL V2 和 V3 标准兼容方式产生一个 SSL_CTX ,即 SSL Content Text */
	    SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
	    /* 也可以用 SSLv2_server_method() 或 SSLv3_server_method() 单独表示 V2 或 V3标准 */
	    if (ctx == NULL) {
	        ERR_print_errors_fp(stdout);
	        return -1;
	    }
	    /* 载入用户的数字证书, 此证书用来发送给客户端。 证书里包含有公钥 */
	    if (SSL_CTX_use_certificate_file(ctx,certificate, SSL_FILETYPE_PEM) <= 0) {
	        ERR_print_errors_fp(stdout);
	        SSL_CTX_free(ctx);
	        return -1;
	    }
	    /* 载入用户私钥 */
	    if (SSL_CTX_use_PrivateKey_file(ctx, privatekey, SSL_FILETYPE_PEM) <= 0) {
	        ERR_print_errors_fp(stdout);
	        SSL_CTX_free(ctx);
	        return -1;
	    }
	    /* 检查用户私钥是否正确 */
	    if (!SSL_CTX_check_private_key(ctx)) {
	        ERR_print_errors_fp(stdout);
	        SSL_CTX_free(ctx);
	        return -1;
	    }
	    kn_set_noblock(((handle_t)ss)->fd,0);    
	    ss->ctx = ctx;
	    return stream_socket_listen(ss,addr);    
}
Пример #28
0
int ssl_init_server(char *certfile, char *privkeyfile, int type){
	const SSL_METHOD *meth;

	/* Create an SSL_METHOD structure
	 * (choose an SSL/TLS protocol version) */
	meth = SSLv3_method();
	/* Create an SSL_CTX structure */
	ctx = SSL_CTX_new(meth);
	if (ctx == NULL){
		ERR_print_errors_fp( stderr);
		return -1;
	}

	/* Load the server certificate into the SSL_CTX structure */
	TRACE(L_VERBOSE, "server-ssl: load the server certificate");
	if (SSL_CTX_use_certificate_file(ctx, certfile, type) <= 0) {
		ERR_print_errors_fp( stderr);
		return -1;
	}

	/* Load the private-key corresponding to the server certificate */
	TRACE(L_VERBOSE, "server-ssl: load the private-key");
	if (SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, type) <= 0) {
		ERR_print_errors_fp( stderr);
		return -1;
	}

	TRACE(L_VERBOSE, "server-ssl: check if the server certificate "\
			"and private-key matches");
	/* Check if the server certificate and private-key matches */
	if (!SSL_CTX_check_private_key(ctx)) {
		ERROR(L_VERBOSE,"Private key does not match the "\
				"certificate public key");
		return -1;
	}

	return 0;
}
Пример #29
0
int evt_ctx_set_crt_key(evt_ctx_t *tls, char *crtf, char *key)
{
    //SSL_CTX_set_verify(tls->ctx, SSL_VERIFY_NONE, uv__tls_verify_peer);
    SSL_CTX_set_verify(tls->ctx, SSL_VERIFY_NONE, NULL);

    int r = SSL_CTX_use_certificate_file(tls->ctx, crtf, SSL_FILETYPE_PEM);
    if(r != 1) {
        return -1;
    }
    tls->cert_set = 1;

    r = SSL_CTX_use_PrivateKey_file(tls->ctx, key, SSL_FILETYPE_PEM);
    if(r != 1) {
        return -1;
    }

    r = SSL_CTX_check_private_key(tls->ctx);
    if(r != 1) {
        return -1;
    }
    tls->key_set = 1;
    return 0;
}
Пример #30
0
MSC_SOCKET_ERR msc_secure_socket_ctx_load_cert(const char *cert_file, const char *key_file)
{
	if (SSL_CTX_use_certificate_file(g_ssl_ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
	{
		fprintf(stderr, "Unable to load server certificate from file\n");
		ERR_print_errors_fp(stderr);
		return MSC_FALSE;
	}
	if (SSL_CTX_use_PrivateKey_file(g_ssl_ctx, key_file, SSL_FILETYPE_PEM) <= 0)
	{
		fprintf(stderr, "Unable to load server key from file\n");
		ERR_print_errors_fp(stderr);
		return MSC_FALSE;
	}
	if (!SSL_CTX_check_private_key(g_ssl_ctx))
	{
		fprintf(stderr, "Server private key does not match server certificate\n");
		ERR_print_errors_fp(stderr);
		return MSC_FALSE;
	}

	return MSC_TRUE;
}