const SSL_METHOD * hb_ssl_method_id_to_ptr( int n )
{
const SSL_METHOD * p;
switch( n )
{
#if OPENSSL_VERSION_NUMBER < 0x10000000L
case HB_SSL_CTX_NEW_METHOD_SSLV2: p = SSLv2_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV2_SERVER: p = SSLv2_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV2_CLIENT: p = SSLv2_client_method(); break;
#endif
case HB_SSL_CTX_NEW_METHOD_SSLV3: p = SSLv3_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV3_SERVER: p = SSLv3_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV3_CLIENT: p = SSLv3_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1: p = TLSv1_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_SERVER: p = TLSv1_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_CLIENT: p = TLSv1_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23: p = SSLv23_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23_SERVER: p = SSLv23_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23_CLIENT: p = SSLv23_client_method(); break;
default: p = SSLv23_method();
}
return p;
}
int
openhost(char *host, int port)
{
struct hostent *hp;
register int s;
struct sockaddr_in sin;
int err;
X509 *server_cert;
char *str;
if ((hp = gethostbyname(host)) == NULL) {
printf("ERR: gethostbyname\n");
return (-1);
}
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return (-1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
bcopy(hp->h_addr, &sin.sin_addr, hp->h_length);
alarm(30);
if (connect(s, (struct sockaddr *) &sin, sizeof(sin)) < 0)
return (-1);
alarm(0);
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
/* ctx = SSL_CTX_new (SSLv23_method()); CHK_NULL(ctx);
*/
ctx = SSL_CTX_new(SSLv2_method());
CHK_NULL(ctx);
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd(ssl, s);
err = SSL_connect(ssl);
CHK_SSL(err);
printf("SSL connection using %s\n", SSL_get_cipher(ssl));
server_cert = SSL_get_peer_certificate(ssl);
CHK_NULL(server_cert);
printf("Server certificate:\n");
str = X509_NAME_oneline(X509_get_subject_name(server_cert), NULL, 0);
CHK_NULL(str);
printf("\t subject: %s\n", str);
Free(str);
str = X509_NAME_oneline(X509_get_issuer_name(server_cert), NULL, 0);
CHK_NULL(str);
printf("\t issuer: %s\n", str);
Free(str);
X509_free(server_cert);
return (s);
}
/*
* initialize ssl methods
*/
static void
init_ssl_methods(void)
{
LM_DBG("entered\n");
#ifndef OPENSSL_NO_SSL2
ssl_methods[TLS_USE_SSLv2_cli - 1] = (SSL_METHOD*)SSLv2_client_method();
ssl_methods[TLS_USE_SSLv2_srv - 1] = (SSL_METHOD*)SSLv2_server_method();
ssl_methods[TLS_USE_SSLv2 - 1] = (SSL_METHOD*)SSLv2_method();
#endif
ssl_methods[TLS_USE_SSLv3_cli - 1] = (SSL_METHOD*)SSLv3_client_method();
ssl_methods[TLS_USE_SSLv3_srv - 1] = (SSL_METHOD*)SSLv3_server_method();
ssl_methods[TLS_USE_SSLv3 - 1] = (SSL_METHOD*)SSLv3_method();
ssl_methods[TLS_USE_TLSv1_cli - 1] = (SSL_METHOD*)TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv - 1] = (SSL_METHOD*)TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1 - 1] = (SSL_METHOD*)TLSv1_method();
ssl_methods[TLS_USE_SSLv23_cli - 1] = (SSL_METHOD*)SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv - 1] = (SSL_METHOD*)SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23 - 1] = (SSL_METHOD*)SSLv23_method();
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
ssl_methods[TLS_USE_TLSv1_2_cli - 1] = (SSL_METHOD*)TLSv1_2_client_method();
ssl_methods[TLS_USE_TLSv1_2_srv - 1] = (SSL_METHOD*)TLSv1_2_server_method();
ssl_methods[TLS_USE_TLSv1_2 - 1] = (SSL_METHOD*)TLSv1_2_method();
#endif
}
static SSL_METHOD *ssl2_get_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv2_method());
else
return(NULL);
}
SSLContext::SSLContext(int _method){
#ifdef USE_EMBEDDED_CLASSNAMES
setClassName(__xvr2_Net_SSLContext);
#endif
__init_ssl_library(this);
pem = 0;
method = _method;
ctx = 0;
mydata = 0;
switch(method){
case SSL_V2:
ctx = SSL_CTX_new(SSLv2_method());
break;
case SSL_V2_CLIENT:
ctx = SSL_CTX_new(SSLv2_client_method());
break;
case SSL_V2_SERVER:
ctx = SSL_CTX_new(SSLv2_server_method());
break;
case SSL_V3:
ctx = SSL_CTX_new(SSLv3_method());
break;
case SSL_V3_CLIENT:
ctx = SSL_CTX_new(SSLv3_client_method());
break;
case SSL_V3_SERVER:
ctx = SSL_CTX_new(SSLv3_server_method());
break;
case SSL_V23_CLIENT:
ctx = SSL_CTX_new(SSLv23_client_method());
break;
case SSL_V23_SERVER:
ctx = SSL_CTX_new(SSLv23_server_method());
break;
case SSL_V23:
default:
ctx = SSL_CTX_new(SSLv23_method());
}
if(ctx == 0){
throw SSLContextCreation();
}
//Initialize password callback
__ssl_ctx_cb_args *x;
x = new __ssl_ctx_cb_args(this, 0, 0);
mydata = x;
#ifdef USE_DEBUG
debugmsgln(this, "Initializing password callback...");
#endif
SSL_CTX_set_default_passwd_cb((SSL_CTX *)ctx, passwdCB);
#ifdef USE_DEBUG
debugmsgln(this, "Initializing default password callback userdata...");
#endif
SSL_CTX_set_default_passwd_cb_userdata((SSL_CTX *)ctx, mydata);
}
static SSL_METHOD *ssl23_get_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv2_method());
else if (ver == SSL3_VERSION)
return(SSLv3_method());
else if (ver == TLS1_VERSION)
return(TLSv1_method());
else
return(NULL);
}
// nassl.SSL_CTX.new()
static PyObject* nassl_SSL_CTX_new(PyTypeObject *type, PyObject *args, PyObject *kwds) {
nassl_SSL_CTX_Object *self;
int sslVersion;
SSL_CTX *sslCtx;
self = (nassl_SSL_CTX_Object *)type->tp_alloc(type, 0);
if (self == NULL)
return NULL;
self->sslCtx = NULL;
self->pkeyPasswordBuf = NULL;
if (!PyArg_ParseTuple(args, "I", &sslVersion)) {
Py_DECREF(self);
return NULL;
}
switch (sslVersion) {
case sslv23:
sslCtx = SSL_CTX_new(SSLv23_method());
break;
case sslv2:
sslCtx = SSL_CTX_new(SSLv2_method());
break;
case sslv3:
sslCtx = SSL_CTX_new(SSLv3_method());
break;
case tlsv1:
sslCtx = SSL_CTX_new(TLSv1_method());
break;
case tlsv1_1:
sslCtx = SSL_CTX_new(TLSv1_1_method());
break;
case tlsv1_2:
sslCtx = SSL_CTX_new(TLSv1_2_method());
break;
default:
PyErr_SetString(PyExc_ValueError, "Invalid value for ssl version");
Py_DECREF(self);
return NULL;
}
if (sslCtx == NULL) {
raise_OpenSSL_error();
Py_DECREF(self);
return NULL;
}
// Add the client certificate callback
SSL_CTX_set_client_cert_cb(sslCtx, client_cert_cb);
self->sslCtx = sslCtx;
return (PyObject *)self;
}
static SSL_METHOD *ssl23_get_method(int ver)
{
#ifndef OPENSSL_NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_method());
else
#endif
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_method());
else
#endif
#ifndef OPENSSL_NO_TLS1
if (ver == TLS1_VERSION)
return(TLSv1_method());
else
#endif
return(NULL);
}
/*
* initialize ssl methods
*/
static void
init_ssl_methods(void)
{
DBG("init_methods: Entered\n");
ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method();
ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
ssl_methods[TLS_USE_SSLv2 - 1] = SSLv2_method();
ssl_methods[TLS_USE_SSLv3_cli - 1] = SSLv3_client_method();
ssl_methods[TLS_USE_SSLv3_srv - 1] = SSLv3_server_method();
ssl_methods[TLS_USE_SSLv3 - 1] = SSLv3_method();
ssl_methods[TLS_USE_TLSv1_cli - 1] = TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv - 1] = TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1 - 1] = TLSv1_method();
ssl_methods[TLS_USE_SSLv23_cli - 1] = SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
}
int
zc_socket_ssl(zcSocket *s, char *key_file, char *cert_file, zcSSLCertRequire certreq,
zcSSLVer ver, char *cacerts_file, bool isclient)
{
char *errstr = NULL;
int ret;
//int err;
//int sockstate;
if (!isclient && (key_file == NULL || cert_file == NULL)) {
ZCERROR("both key and cert files must be specified for server");
goto zc_socket_ssl_fail;
}
memset(s->server, '\0', sizeof(char) * X509_NAME_MAXLEN);
memset(s->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN);
s->peer_cert = NULL;
s->ssl = NULL;
s->ctx = NULL;
//s->Socket = NULL;
/* Init OpenSSL */
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
(void) ERR_get_state();
ERR_clear_error();
if ((key_file && !cert_file) || (!key_file && cert_file)) {
errstr = "Both the key & certificate files must be specified";
goto zc_socket_ssl_fail;
}
//SSL_load_error_strings();
//SSLeay_add_ssl_algorithms();
if (s->sslver == ZC_SSL_VER_TLS1)
s->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
else if (ver == ZC_SSL_VER_SSL3)
s->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
else if (ver == ZC_SSL_VER_SSL2)
s->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
else if (ver == ZC_SSL_VER_SSL23)
s->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
//s->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
if (s->ctx == NULL) {
errstr = "SSL_CTX_new error";
goto zc_socket_ssl_fail;
}
if (certreq != ZC_SSL_CERT_NONE) {
if (cacerts_file == NULL) {
errstr = "No root certificates specified for verification of other-side certificates.";
goto zc_socket_ssl_fail;
} else {
ret = SSL_CTX_load_verify_locations(s->ctx, cacerts_file, NULL);
if (ret != 1) {
//_setSSLError(NULL, 0, __FILE__, __LINE__);
ZCERROR("load verify locations error: %d", ret);
goto zc_socket_ssl_fail;
}
}
}
if (key_file) {
ret = SSL_CTX_use_PrivateKey_file(s->ctx, key_file,
SSL_FILETYPE_PEM);
if (ret != 1) {
//_setSSLError(NULL, ret, __FILE__, __LINE__);
ZCERROR("use privatekey file error:%d", ret);
goto zc_socket_ssl_fail;
}
ret = SSL_CTX_use_certificate_chain_file(s->ctx, cert_file);
if (ret != 1) {
/*
fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n",
ret, ERR_peek_error(), ERR_peek_last_error(), cert_file);
*/
if (ERR_peek_last_error() != 0) {
//_setSSLError(NULL, ret, __FILE__, __LINE__);
ZCERROR("peek last error failed:%d", ret);
goto zc_socket_ssl_fail;
}
}
}
/* ssl compatibility */
SSL_CTX_set_options(s->ctx, SSL_OP_ALL);
int verification_mode = SSL_VERIFY_NONE;
if (certreq == ZC_SSL_CERT_OPTIONAL)
verification_mode = SSL_VERIFY_PEER;
else if (certreq == ZC_SSL_CERT_REQUIRED)
verification_mode = (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
SSL_CTX_set_verify(s->ctx, verification_mode, NULL); /* set verify lvl */
s->ssl = SSL_new(s->ctx); /* New ssl struct */
SSL_set_fd(s->ssl, s->fd); /* Set the socket for SSL */
#ifdef SSL_MODE_AUTO_RETRY
SSL_set_mode(s->ssl, SSL_MODE_AUTO_RETRY);
#endif
/* If the socket is in non-blocking mode or timeout mode, set the BIO
* to non-blocking mode (blocking is the default)
*/
if (!s->blocked) {
/* Set both the read and write BIO's to non-blocking mode */
BIO_set_nbio(SSL_get_rbio(s->ssl), 1);
BIO_set_nbio(SSL_get_wbio(s->ssl), 1);
}
if (isclient) {
SSL_set_connect_state(s->ssl);
}else{
SSL_set_accept_state(s->ssl);
}
if (isclient) {
ret = zc_socket_ssl_handshake(s);
if (ret != ZC_OK) {
ZCERROR("ssl handshake error: %d", ret);
goto zc_socket_ssl_fail;
}
}
return ZC_OK;
zc_socket_ssl_fail:
if (errstr) {
ZCERROR("ssl error: %s\n", errstr);
}
return -1;
}
static int openssl_ssl_ctx_new(lua_State*L)
{
const char* meth = luaL_optstring(L, 1, "TLSv1");
#if OPENSSL_VERSION_NUMBER >= 0x01000000L
const
#endif
SSL_METHOD* method = NULL;
const char* ciphers;
SSL_CTX* ctx;
if (strcmp(meth, "SSLv3") == 0)
method = SSLv3_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv3_server") == 0)
method = SSLv3_server_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv3_client") == 0)
method = SSLv3_client_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv23") == 0)
method = SSLv23_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "SSLv23_server") == 0)
method = SSLv23_server_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "SSLv23_client") == 0)
method = SSLv23_client_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "TLSv1_1") == 0)
method = TLSv1_1_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_1_server") == 0)
method = TLSv1_1_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_1_client") == 0)
method = TLSv1_1_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2") == 0)
method = TLSv1_2_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2_server") == 0)
method = TLSv1_2_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2_client") == 0)
method = TLSv1_2_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1") == 0)
method = TLSv1_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_server") == 0)
method = TLSv1_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_client") == 0)
method = TLSv1_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "DTLSv1") == 0)
method = DTLSv1_method(); /* DTLSv1.0 */
else if (strcmp(meth, "DTLSv1_server") == 0)
method = DTLSv1_server_method(); /* DTLSv1.0 */
else if (strcmp(meth, "DTLSv1_client") == 0)
method = DTLSv1_client_method(); /* DTLSv1.0 */
#ifndef OPENSSL_NO_SSL2
#if OPENSSL_VERSION_NUMBER < 0x10100000L
else if (strcmp(meth, "SSLv2") == 0)
method = SSLv2_method(); /* SSLv2 */
else if (strcmp(meth, "SSLv2_server") == 0)
method = SSLv2_server_method(); /* SSLv2 */
else if (strcmp(meth, "SSLv2_client") == 0)
method = SSLv2_client_method();
#endif
#ifdef LOAD_SSL_CUSTOM
LOAD_SSL_CUSTOM
#endif
#endif
else
luaL_error(L, "#1:%s not supported\n"
"Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
"default is SSLv3",
meth);
ciphers = luaL_optstring(L, 2, SSL_DEFAULT_CIPHER_LIST);
ctx = SSL_CTX_new(method);
if (!ctx)
luaL_error(L, "#1:%s not supported\n"
"Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
"default is SSLv3",
meth);
openssl_newvalue(L, ctx);
SSL_CTX_set_cipher_list(ctx, ciphers);
PUSH_OBJECT(ctx, "openssl.ssl_ctx");
SSL_CTX_set_app_data(ctx, L);
return 1;
}
/* デフォルトの証明書は 自分:/usr/local/ct/cert/tn.pem 認証局:/usr/local/ct/cert/root.pem */
int kTLSInitialize(int sessionMode,int initialmode,int timeout,char *passwd,char *rootPEM,char *myPEM,
char *dhPEM,int version,int nagle,int clientveri,int tmprsa,char *enc)
{
BIO *bio;
SSL_METHOD *meth;
RSA *rsa;
DH *dh=0;
struct stat tmp;
/* Nagleアルゴリズムの無効化フラグの保存 */
NagleFlag=nagle;
if(TLSctx){
/* 強制初期化モードがある場合 */
if(initialmode){
TLSClose(NULL,0);
kLogWrite(L_TLS, "%s: TLS ReInitialize", __FUNCTION__);
}
else
return RETURN_OK;
}
/* パラメータの取得 */
timeout = timeout<=0 ? SESSION_TIMEOUT : timeout;
TLSSessionMode = sessionMode;
kLogWrite(L_TLS,"%s: Session cache mode : %s Session timeout : %d(s)",__FUNCTION__,sessionMode?"Enable":"Disable",timeout);
rootPEM = (rootPEM && rootPEM[0]) ? rootPEM : ROOT_PEM;
myPEM = (myPEM && myPEM[0]) ? myPEM : MY_PEM;
dhPEM = (dhPEM && dhPEM[0]) ? dhPEM : DHFILE1024;
strcpy(TLSPasswd,(passwd && passwd[0]) ? passwd : PASSWORD);
if(lstat(rootPEM,&tmp)<0){
kLogWrite(L_ERROR, "%s: TLS Initialize file[%s] not exist", __FUNCTION__,rootPEM);
return(RETURN_NG);
}
if(lstat(myPEM,&tmp)<0){
kLogWrite(L_ERROR, "%s: TLS Initialize file[%s] not exist", __FUNCTION__,myPEM);
return(RETURN_NG);
}
if(lstat(dhPEM,&tmp)<0){
kLogWrite(L_ERROR, "%s: TLS Initialize file[%s] not exist", __FUNCTION__,dhPEM);
return(RETURN_NG);
}
/* SSLライブラリの初期化 */
if(!SSL_library_init()){
kLogWrite(L_ERROR, "%s: OpenSSL initialization failed!",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_library_init OK",__FUNCTION__);
/* エラーメッセージの視覚化 */
SSL_load_error_strings();
RAND_load_file("/dev/urandom", 1024);
kLogWrite(L_TLS,"%s: RAND_load_file OK",__FUNCTION__);
/* SSL_METHODオブジェクトの取得 */
if(version == 2)
meth=SSLv2_method();
else if(version == 3)
meth=SSLv3_method();
else if(version == 1)
meth=TLSv1_method();
else if(version == 23)
meth=SSLv23_method();
else
meth=TLSv1_method();
kLogWrite(L_TLS,"%s: SSL verion [%d] 2:SSLv2 23:SSLv23 3:SSLv3 1:TLSv1",__FUNCTION__,version);
/* SSL_CTXオブジェクトの取得 */
TLSctx=SSL_CTX_new(meth);
kLogWrite(L_TLS,"%s: SSL_CTX_new OK",__FUNCTION__);
/* SSL_CTXオブジェクトに証明書と秘密鍵を同時にロードする */
if(!(SSL_CTX_use_certificate_file(TLSctx,myPEM,SSL_FILETYPE_PEM))){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't read certificate file",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_use_certificate_file[%s] OK",__FUNCTION__,myPEM);
/* パスフレーズのコールバック関数を登録する */
SSL_CTX_set_default_passwd_cb(TLSctx,password_cb);
if(!(SSL_CTX_use_PrivateKey_file(TLSctx,myPEM,SSL_FILETYPE_PEM))){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't read key file",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_use_PrivateKey_file[%s] OK",__FUNCTION__,myPEM);
/* SSL_CTXオブジェクトに信頼できるCA証明書をロードする */
if(!(SSL_CTX_load_verify_locations(TLSctx,rootPEM,0))){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't read CA list",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_load_verify_locations[%s] OK",__FUNCTION__,rootPEM);
/* 認証コールバック関数の登録 */
/* Server Key Exchange オプションを付与する (クライアント認証を行う) */
kLogWrite(L_TLS,"%s: Server Key Exchange option : %s",__FUNCTION__,clientveri?"Enable":"Disable");
SSL_CTX_set_verify(TLSctx, clientveri?SSL_VERIFY_PEER:SSL_VERIFY_NONE,VerifyCallback);
kLogWrite(L_TLS,"%s: SSL_CTX_set_verify[%s] OK",__FUNCTION__,clientveri?"PEER":"NONE");
/* 信頼できる証明書に到達するまでのチェーンの回数を指定する */
/* SSL_CTX_set_verify_depth(TLSctx,1); */
/* SSLv2を選択不可にする */
if(version != 2 && version != 23){
SSL_CTX_set_options(TLSctx,SSL_OP_NO_SSLv2);
kLogWrite(L_TLS,"%s: SSL_CTX_set_options NO_SSLv2",__FUNCTION__);
}
/* Certificate Request オプションを付与する (一時的RSAを使う ) */
kLogWrite(L_TLS,"%s: Certificate Request option : %s",__FUNCTION__,tmprsa?"Enable":"Disable");
if(tmprsa){
/* BIOオブジェクトを使ってファイルをオープンする */
if ((bio=BIO_new_file(dhPEM,"r")) == NULL){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't open DH file",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: BIO_new_file[%s] OK",__FUNCTION__,dhPEM);
/* DHパラメータを読み込む */
dh=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
kLogWrite(L_TLS,"%s: PEM_read_bio_DHparams[%s] OK",__FUNCTION__,dhPEM);
/* ファイルをクローズする */
BIO_free(bio);
/* DHパラメータをCTXオブジェクトにロードする */
if(SSL_CTX_set_tmp_dh(TLSctx,dh)<0){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't set DH parameters",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_set_tmp_dh OK",__FUNCTION__);
}
/* 暗号スイートの選択 */
if(enc && enc[0]){
kLogWrite(L_TLS,"%s: Encrypt suit specified",__FUNCTION__);
if(SSL_CTX_set_cipher_list(TLSctx,enc))
kLogWrite(L_TLS,"%s: SSL_CTX_set_cipher_list[%s] OK",__FUNCTION__,enc);
else
kLogWrite(L_TLS,"%s: SSL_CTX_set_cipher_list[%s] invalid",__FUNCTION__,enc);
}
/* RSA鍵のペアを生成する */
rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
kLogWrite(L_TLS,"%s: RSA_generate_key OK",__FUNCTION__);
/* RSA鍵をCTXオブジェクトにロードする */
if (!SSL_CTX_set_tmp_rsa(TLSctx,rsa)){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't set RSA key", __FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_set_tmp_rsa OK",__FUNCTION__);
RSA_free(rsa);
/* セッションキャッシュを有効モードに設定する */
SSL_CTX_set_session_id_context(TLSctx,(void*)&TLSServerSessionIdContext, sizeof(TLSServerSessionIdContext));
kLogWrite(L_TLS,"%s: SSL_CTX_set_session_id_context OK", __FUNCTION__);
/* セッション削除時のコールバック設定 */
SSL_CTX_sess_set_remove_cb(TLSctx,remove_session_cb);
SSL_CTX_set_timeout(TLSctx,timeout);
kLogWrite(L_TLS,"%s: Nagle algorithm : %s",__FUNCTION__,NagleFlag?"Enable":"Disable");
return(RETURN_OK);
}
static PySSLObject *
newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
enum py_ssl_server_or_client socket_type,
enum py_ssl_cert_requirements certreq,
enum py_ssl_version proto_version,
char *cacerts_file)
{
PySSLObject *self;
char *errstr = NULL;
int ret;
int verification_mode;
self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
if (self == NULL)
return NULL;
self->peer_cert = NULL;
self->ssl = NULL;
self->ctx = NULL;
self->Socket = NULL;
/* Make sure the SSL error state is initialized */
(void) ERR_get_state();
ERR_clear_error();
if ((key_file && !cert_file) || (!key_file && cert_file)) {
errstr = ERRSTR("Both the key & certificate files "
"must be specified");
goto fail;
}
if ((socket_type == PY_SSL_SERVER) &&
((key_file == NULL) || (cert_file == NULL))) {
errstr = ERRSTR("Both the key & certificate files "
"must be specified for server-side operation");
goto fail;
}
PySSL_BEGIN_ALLOW_THREADS
if (proto_version == PY_SSL_VERSION_TLS1)
self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
else if (proto_version == PY_SSL_VERSION_SSL3)
self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
else if (proto_version == PY_SSL_VERSION_SSL2)
self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
else if (proto_version == PY_SSL_VERSION_SSL23)
self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
PySSL_END_ALLOW_THREADS
if (self->ctx == NULL) {
errstr = ERRSTR("Invalid SSL protocol variant specified.");
goto fail;
}
if (certreq != PY_SSL_CERT_NONE) {
if (cacerts_file == NULL) {
errstr = ERRSTR("No root certificates specified for "
"verification of other-side certificates.");
goto fail;
} else {
PySSL_BEGIN_ALLOW_THREADS
ret = SSL_CTX_load_verify_locations(self->ctx,
cacerts_file,
NULL);
PySSL_END_ALLOW_THREADS
if (ret != 1) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
goto fail;
}
}
}
if (key_file) {
PySSL_BEGIN_ALLOW_THREADS
ret = SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
SSL_FILETYPE_PEM);
PySSL_END_ALLOW_THREADS
if (ret != 1) {
_setSSLError(NULL, ret, __FILE__, __LINE__);
goto fail;
}
PySSL_BEGIN_ALLOW_THREADS
ret = SSL_CTX_use_certificate_chain_file(self->ctx,
cert_file);
PySSL_END_ALLOW_THREADS
if (ret != 1) {
/*
fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n",
ret, ERR_peek_error(), ERR_peek_last_error(), cert_file);
*/
if (ERR_peek_last_error() != 0) {
_setSSLError(NULL, ret, __FILE__, __LINE__);
goto fail;
}
}
}
/* ssl compatibility */
SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
verification_mode = SSL_VERIFY_NONE;
if (certreq == PY_SSL_CERT_OPTIONAL)
verification_mode = SSL_VERIFY_PEER;
else if (certreq == PY_SSL_CERT_REQUIRED)
verification_mode = (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
SSL_CTX_set_verify(self->ctx, verification_mode,
NULL); /* set verify lvl */
PySSL_BEGIN_ALLOW_THREADS
self->ssl = SSL_new(self->ctx); /* New ssl struct */
PySSL_END_ALLOW_THREADS
SSL_set_fd(self->ssl, Sock->sock_fd); /* Set the socket for SSL */
/* If the socket is in non-blocking mode or timeout mode, set the BIO
* to non-blocking mode (blocking is the default)
*/
if (Sock->sock_timeout >= 0.0) {
/* Set both the read and write BIO's to non-blocking mode */
BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
}
PySSL_BEGIN_ALLOW_THREADS
if (socket_type == PY_SSL_CLIENT)
SSL_set_connect_state(self->ssl);
else
SSL_set_accept_state(self->ssl);
PySSL_END_ALLOW_THREADS
self->Socket = PyWeakref_NewRef((PyObject *) Sock, Py_None);
return self;
fail:
if (errstr)
PyErr_SetString(PySSLErrorObject, errstr);
Py_DECREF(self);
return NULL;
}
int main(int argc, char *argv[])
{
char *CApath=NULL,*CAfile=NULL;
int badop=0;
int bio_pair=0;
int force=0;
int tls1=0,ssl2=0,ssl3=0,ret=1;
int client_auth=0;
int server_auth=0,i;
int app_verify=0;
char *server_cert=TEST_SERVER_CERT;
char *server_key=NULL;
char *client_cert=TEST_CLIENT_CERT;
char *client_key=NULL;
SSL_CTX *s_ctx=NULL;
SSL_CTX *c_ctx=NULL;
SSL_METHOD *meth=NULL;
SSL *c_ssl,*s_ssl;
int number=1,reuse=0;
long bytes=1L;
#ifndef OPENSSL_NO_DH
DH *dh;
int dhe1024 = 0, dhe1024dsa = 0;
#endif
int no_dhe = 0;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
int comp = 0;
COMP_METHOD *cm = NULL;
verbose = 0;
debug = 0;
cipher = 0;
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
CRYPTO_set_locking_callback(lock_dbg_cb);
/* enable memory leak checking unless explicitly disabled */
if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
{
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
}
else
{
/* OPENSSL_DEBUG_MEMORY=off */
CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
}
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
RAND_seed(rnd_seed, sizeof rnd_seed);
bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
argc--;
argv++;
while (argc >= 1)
{
if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
else if (strcmp(*argv,"-v") == 0)
verbose=1;
else if (strcmp(*argv,"-d") == 0)
debug=1;
else if (strcmp(*argv,"-reuse") == 0)
reuse=1;
else if (strcmp(*argv,"-dhe1024") == 0)
{
#ifndef OPENSSL_NO_DH
dhe1024=1;
#else
fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
#endif
}
else if (strcmp(*argv,"-dhe1024dsa") == 0)
{
#ifndef OPENSSL_NO_DH
dhe1024dsa=1;
#else
fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
#endif
}
else if (strcmp(*argv,"-no_dhe") == 0)
no_dhe=1;
else if (strcmp(*argv,"-ssl2") == 0)
ssl2=1;
else if (strcmp(*argv,"-tls1") == 0)
tls1=1;
else if (strcmp(*argv,"-ssl3") == 0)
ssl3=1;
else if (strncmp(*argv,"-num",4) == 0)
{
if (--argc < 1) goto bad;
number= atoi(*(++argv));
if (number == 0) number=1;
}
else if (strcmp(*argv,"-bytes") == 0)
{
if (--argc < 1) goto bad;
bytes= atol(*(++argv));
if (bytes == 0L) bytes=1L;
i=strlen(argv[0]);
if (argv[0][i-1] == 'k') bytes*=1024L;
if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
}
else if (strcmp(*argv,"-cert") == 0)
{
if (--argc < 1) goto bad;
server_cert= *(++argv);
}
else if (strcmp(*argv,"-s_cert") == 0)
{
if (--argc < 1) goto bad;
server_cert= *(++argv);
}
else if (strcmp(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
server_key= *(++argv);
}
else if (strcmp(*argv,"-s_key") == 0)
{
if (--argc < 1) goto bad;
server_key= *(++argv);
}
else if (strcmp(*argv,"-c_cert") == 0)
{
if (--argc < 1) goto bad;
client_cert= *(++argv);
}
else if (strcmp(*argv,"-c_key") == 0)
{
if (--argc < 1) goto bad;
client_key= *(++argv);
}
else if (strcmp(*argv,"-cipher") == 0)
{
if (--argc < 1) goto bad;
cipher= *(++argv);
}
else if (strcmp(*argv,"-CApath") == 0)
{
if (--argc < 1) goto bad;
CApath= *(++argv);
}
else if (strcmp(*argv,"-CAfile") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
}
else if (strcmp(*argv,"-bio_pair") == 0)
{
bio_pair = 1;
}
else if (strcmp(*argv,"-f") == 0)
{
force = 1;
}
else if (strcmp(*argv,"-time") == 0)
{
print_time = 1;
}
else if (strcmp(*argv,"-zlib") == 0)
{
comp = COMP_ZLIB;
}
else if (strcmp(*argv,"-rle") == 0)
{
comp = COMP_RLE;
}
else if (strcmp(*argv,"-app_verify") == 0)
{
app_verify = 1;
}
else
{
fprintf(stderr,"unknown option %s\n",*argv);
badop=1;
break;
}
argc--;
argv++;
}
if (badop)
{
bad:
sv_usage();
goto end;
}
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{
fprintf(stderr, "This case cannot work. Use -f to perform "
"the test anyway (and\n-d to see what happens), "
"or add one of -ssl2, -ssl3, -tls1, -reuse\n"
"to avoid protocol mismatch.\n");
EXIT(1);
}
if (print_time)
{
if (!bio_pair)
{
fprintf(stderr, "Using BIO pair (-bio_pair)\n");
bio_pair = 1;
}
if (number < 50 && !force)
fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
}
/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
SSL_library_init();
SSL_load_error_strings();
if (comp == COMP_ZLIB) cm = COMP_zlib();
if (comp == COMP_RLE) cm = COMP_rle();
if (cm != NULL)
{
if (cm->type != NID_undef)
SSL_COMP_add_compression_method(comp, cm);
else
{
fprintf(stderr,
"Warning: %s compression not supported\n",
(comp == COMP_RLE ? "rle" :
(comp == COMP_ZLIB ? "zlib" :
"unknown")));
ERR_print_errors_fp(stderr);
}
}
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
if (ssl2)
meth=SSLv2_method();
else
if (tls1)
meth=TLSv1_method();
else
if (ssl3)
meth=SSLv3_method();
else
meth=SSLv23_method();
#else
#ifdef OPENSSL_NO_SSL2
meth=SSLv3_method();
#else
meth=SSLv2_method();
#endif
#endif
c_ctx=SSL_CTX_new(meth);
s_ctx=SSL_CTX_new(meth);
if ((c_ctx == NULL) || (s_ctx == NULL))
{
ERR_print_errors(bio_err);
goto end;
}
if (cipher != NULL)
{
SSL_CTX_set_cipher_list(c_ctx,cipher);
SSL_CTX_set_cipher_list(s_ctx,cipher);
}
#ifndef OPENSSL_NO_DH
if (!no_dhe)
{
if (dhe1024dsa)
{
/* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
dh=get_dh1024dsa();
}
else if (dhe1024)
dh=get_dh1024();
else
dh=get_dh512();
SSL_CTX_set_tmp_dh(s_ctx,dh);
DH_free(dh);
}
#else
(void)no_dhe;
#endif
#ifndef OPENSSL_NO_RSA
SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
#endif
if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
{
ERR_print_errors(bio_err);
}
else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
(server_key?server_key:server_cert), SSL_FILETYPE_PEM))
{
ERR_print_errors(bio_err);
goto end;
}
if (client_auth)
{
SSL_CTX_use_certificate_file(c_ctx,client_cert,
SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(c_ctx,
(client_key?client_key:client_cert),
SSL_FILETYPE_PEM);
}
if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(c_ctx)))
{
/* fprintf(stderr,"SSL_load_verify_locations\n"); */
ERR_print_errors(bio_err);
/* goto end; */
}
if (client_auth)
{
BIO_printf(bio_err,"client authentication\n");
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
if (app_verify)
{
SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
}
}
if (server_auth)
{
BIO_printf(bio_err,"server authentication\n");
SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
verify_callback);
if (app_verify)
{
SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
}
}
{
int session_id_context = 0;
SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
}
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
#ifndef OPENSSL_NO_KRB5
if (c_ssl && c_ssl->kssl_ctx)
{
char localhost[MAXHOSTNAMELEN+2];
if (gethostname(localhost, sizeof localhost-1) == 0)
{
localhost[sizeof localhost-1]='\0';
if(strlen(localhost) == sizeof localhost-1)
{
BIO_printf(bio_err,"localhost name too long\n");
goto end;
}
kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
localhost);
}
}
#endif /* OPENSSL_NO_KRB5 */
for (i=0; i<number; i++)
{
if (!reuse) SSL_set_session(c_ssl,NULL);
if (bio_pair)
ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
else
ret=doit(s_ssl,c_ssl,bytes);
}
if (!verbose)
{
print_details(c_ssl, "");
}
if ((number > 1) || (bytes > 1L))
BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
if (print_time)
{
#ifdef CLOCKS_PER_SEC
/* "To determine the time in seconds, the value returned
* by the clock function should be divided by the value
* of the macro CLOCKS_PER_SEC."
* -- ISO/IEC 9899 */
BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
"Approximate total client time: %6.2f s\n",
(double)s_time/CLOCKS_PER_SEC,
(double)c_time/CLOCKS_PER_SEC);
#else
/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
* -- cc on NeXTstep/OpenStep */
BIO_printf(bio_stdout,
"Approximate total server time: %6.2f units\n"
"Approximate total client time: %6.2f units\n",
(double)s_time,
(double)c_time);
#endif
}
SSL_free(s_ssl);
SSL_free(c_ssl);
end:
if (s_ctx != NULL) SSL_CTX_free(s_ctx);
if (c_ctx != NULL) SSL_CTX_free(c_ctx);
if (bio_stdout != NULL) BIO_free(bio_stdout);
#ifndef OPENSSL_NO_RSA
free_tmp_rsa();
#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_state(0);
EVP_cleanup();
CRYPTO_mem_leaks(bio_err);
if (bio_err != NULL) BIO_free(bio_err);
EXIT(ret);
}
SSL_CTX * ssl_init()
{
int err;
int verify_client = OFF; /* To verify a client certificate, set ON */
size_t client_len;
char *str;
char buf[4096];
SSL_CTX *ctx;
SSL *ssl;
SSL_METHOD *meth;
X509 *client_cert = NULL;
/*----------------------------------------------------------------*/
/* Load encryption & hashing algorithms for the SSL program */
SSL_library_init();
/* Load the error strings for SSL & CRYPTO APIs */
SSL_load_error_strings();
/* Create a SSL_METHOD structure (choose a SSL/TLS protocol version) */
meth = SSLv2_method();
/* Create a SSL_CTX structure */
ctx = SSL_CTX_new(meth);
if (!ctx) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Load the server certificate into the SSL_CTX structure */
if (SSL_CTX_use_certificate_file(ctx, RSA_SERVER_CERT, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Load the private-key corresponding to the server certificate */
if (SSL_CTX_use_PrivateKey_file(ctx, RSA_SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Check if the server certificate and private-key matches */
if (!SSL_CTX_check_private_key(ctx)) {
fprintf(stderr,"Private key does not match the certificate public key\n");
exit(1);
}
if(verify_client == ON) {
/* Load the RSA CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(ctx, RSA_SERVER_CA_CERT, NULL)) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Set to require peer (client) certificate verification */
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
/* Set the verification depth to 1 */
SSL_CTX_set_verify_depth(ctx, 1);
}
return ctx;
}
int main(int argc, char *argv[])
{
char *CApath = NULL, *CAfile = NULL;
int badop = 0;
int ret = 1;
int client_auth = 0;
int server_auth = 0;
SSL_CTX *s_ctx = NULL;
SSL_CTX *c_ctx = NULL;
char *scert = TEST_SERVER_CERT;
char *ccert = TEST_CLIENT_CERT;
SSL_METHOD *ssl_method = SSLv23_method();
RAND_seed(rnd_seed, sizeof rnd_seed);
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
if (bio_stdout == NULL)
bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
argc--;
argv++;
while (argc >= 1) {
if (sgx_strcmp(*argv, "-server_auth") == 0)
server_auth = 1;
else if (sgx_strcmp(*argv, "-client_auth") == 0)
client_auth = 1;
else if (sgx_strcmp(*argv, "-reconnect") == 0)
reconnect = 1;
else if (sgx_strcmp(*argv, "-stats") == 0)
cache_stats = 1;
else if (sgx_strcmp(*argv, "-ssl3") == 0)
ssl_method = SSLv3_method();
else if (sgx_strcmp(*argv, "-ssl2") == 0)
ssl_method = SSLv2_method();
else if (sgx_strcmp(*argv, "-CApath") == 0) {
if (--argc < 1)
goto bad;
CApath = *(++argv);
} else if (sgx_strcmp(*argv, "-CAfile") == 0) {
if (--argc < 1)
goto bad;
CAfile = *(++argv);
} else if (sgx_strcmp(*argv, "-cert") == 0) {
if (--argc < 1)
goto bad;
scert = *(++argv);
} else if (sgx_strcmp(*argv, "-ccert") == 0) {
if (--argc < 1)
goto bad;
ccert = *(++argv);
} else if (sgx_strcmp(*argv, "-threads") == 0) {
if (--argc < 1)
goto bad;
thread_number = atoi(*(++argv));
if (thread_number == 0)
thread_number = 1;
if (thread_number > MAX_THREAD_NUMBER)
thread_number = MAX_THREAD_NUMBER;
} else if (sgx_strcmp(*argv, "-loops") == 0) {
if (--argc < 1)
goto bad;
number_of_loops = atoi(*(++argv));
if (number_of_loops == 0)
number_of_loops = 1;
} else {
fprintf(stderr, "unknown option %s\n", *argv);
badop = 1;
break;
}
argc--;
argv++;
}
if (badop) {
bad:
sv_usage();
goto end;
}
if (cipher == NULL && OPENSSL_issetugid() == 0)
cipher = getenv("SSL_CIPHER");
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
c_ctx = SSL_CTX_new(ssl_method);
s_ctx = SSL_CTX_new(ssl_method);
if ((c_ctx == NULL) || (s_ctx == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
SSL_CTX_set_session_cache_mode(s_ctx,
SSL_SESS_CACHE_NO_AUTO_CLEAR |
SSL_SESS_CACHE_SERVER);
SSL_CTX_set_session_cache_mode(c_ctx,
SSL_SESS_CACHE_NO_AUTO_CLEAR |
SSL_SESS_CACHE_SERVER);
if (!SSL_CTX_use_certificate_file(s_ctx, scert, SSL_FILETYPE_PEM)) {
ERR_print_errors(bio_err);
} else
if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx, scert, SSL_FILETYPE_PEM)) {
ERR_print_errors(bio_err);
goto end;
}
if (client_auth) {
SSL_CTX_use_certificate_file(c_ctx, ccert, SSL_FILETYPE_PEM);
SSL_CTX_use_RSAPrivateKey_file(c_ctx, ccert, SSL_FILETYPE_PEM);
}
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(c_ctx))) {
fprintf(stderr, "SSL_load_verify_locations\n");
ERR_print_errors(bio_err);
goto end;
}
if (client_auth) {
fprintf(stderr, "client authentication\n");
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
}
if (server_auth) {
fprintf(stderr, "server authentication\n");
SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
}
thread_setup();
do_threads(s_ctx, c_ctx);
thread_cleanup();
end:
if (c_ctx != NULL) {
fprintf(stderr, "Client SSL_CTX stats then free it\n");
print_stats(stderr, c_ctx);
SSL_CTX_free(c_ctx);
}
if (s_ctx != NULL) {
fprintf(stderr, "Server SSL_CTX stats then free it\n");
print_stats(stderr, s_ctx);
if (cache_stats) {
fprintf(stderr, "-----\n");
lh_stats(SSL_CTX_sessions(s_ctx), stderr);
fprintf(stderr, "-----\n");
/*- lh_node_stats(SSL_CTX_sessions(s_ctx),stderr);
fprintf(stderr,"-----\n"); */
lh_node_usage_stats(SSL_CTX_sessions(s_ctx), stderr);
fprintf(stderr, "-----\n");
}
SSL_CTX_free(s_ctx);
fprintf(stderr, "done free\n");
}
exit(ret);
return (0);
}
struct host_ret
openhost(char *host, int port, int dossl)
{
struct hostent *hp;
struct sockaddr_in sin;
struct host_ret ret;
#ifdef USE_SSLEAY
int err;
X509 *server_cert;
char *str;
#endif
ret.s = -1;
if ((hp = gethostbyname(host)) == NULL) {
fprintf(stderr, "ERR: gethostbyname: %s\n", host);
return (ret);
}
if ((ret.s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return (ret);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
bcopy(hp->h_addr, &sin.sin_addr, hp->h_length);
alarm(30);
if (connect(ret.s, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
close(ret.s);
ret.s = -1;
return (ret);
}
alarm(0);
#ifdef USE_SSLEAY
if (dossl) {
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
ret.ctx = SSL_CTX_new(SSLv2_method());
CHK_NULL(ret.ctx);
ret.ssl = SSL_new(ret.ctx);
CHK_NULL(ret.ssl);
SSL_set_fd(ret.ssl, ret.s);
err = SSL_connect(ret.ssl);
CHK_SSL(err);
server_cert = SSL_get_peer_certificate(ret.ssl);
CHK_NULL(server_cert);
str = X509_NAME_oneline(X509_get_subject_name(server_cert), NULL, 0);
CHK_NULL(str);
Free(str);
str = X509_NAME_oneline(X509_get_issuer_name(server_cert), NULL, 0);
CHK_NULL(str);
Free(str);
if (server_cert)
X509_free(server_cert);
}
#endif /* USE_SSLEAY */
return (ret);
}