SSL_CTX* EdSSLContext::buildCtx(int ver) { SSL_CTX *pctx; const SSL_METHOD *method; switch (ver) { case SSL_VER_TLSV1: method = TLSv1_method(); break; case SSL_VER_TLSV11: method = TLSv1_1_method(); break; case SSL_VER_V23: method = SSLv23_method(); break; case SSL_VER_V3: method = SSLv3_method(); break; case SSL_VER_DTLSV1: method = DTLSv1_method(); break; default: method = NULL; break; } if (method == NULL) return NULL; pctx = SSL_CTX_new(method); return pctx; }
// memory is only valid for duration of callback; must be copied if queueing // is required DtlsSocketContext::DtlsSocketContext() { started = false; mSocket = NULL; receiver = NULL; DtlsSocketContext::Init(); ELOG_DEBUG("Creating Dtls factory, Openssl v %s", OPENSSL_VERSION_TEXT); mContext = SSL_CTX_new(DTLSv1_method()); assert(mContext); int r = SSL_CTX_use_certificate(mContext, mCert); assert(r == 1); r = SSL_CTX_use_PrivateKey(mContext, privkey); assert(r == 1); SSL_CTX_set_cipher_list(mContext, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); SSL_CTX_set_info_callback(mContext, SSLInfoCallback); SSL_CTX_set_verify(mContext, SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback); // SSL_CTX_set_session_cache_mode(mContext, SSL_SESS_CACHE_OFF); // SSL_CTX_set_options(mContext, SSL_OP_NO_TICKET); // Set SRTP profiles r = SSL_CTX_set_tlsext_use_srtp(mContext, DefaultSrtpProfile); assert(r == 0); SSL_CTX_set_verify_depth(mContext, 2); SSL_CTX_set_read_ahead(mContext, 1); ELOG_DEBUG("DtlsSocketContext %p created", this); }
static SSL_METHOD *dtls1_get_method(int ver) { if (ver == DTLS1_VERSION) return(DTLSv1_method()); else return(NULL); }
static int _tnet_transport_ssl_init(tnet_transport_t* transport) { if(!transport){ TSK_DEBUG_ERROR("Invalid parameter"); return -1; } #if HAVE_OPENSSL { tnet_socket_type_t type = tnet_transport_get_type(transport); tsk_bool_t is_tls = (TNET_SOCKET_TYPE_IS_TLS(type) || TNET_SOCKET_TYPE_IS_WSS(type)); tsk_bool_t is_dtls = TNET_SOCKET_TYPE_IS_DTLS(type); if(is_dtls && !tnet_dtls_is_supported()){ TSK_DEBUG_ERROR("Requesting to create DTLS transport but source code not built with support for this feature"); return -1; } if(is_tls && !tnet_tls_is_supported()){ TSK_DEBUG_ERROR("Requesting to create TLS transport but source code not built with support for this feature"); return -1; } if((transport->tls.enabled = is_tls)){ if(!transport->tls.ctx_client && !(transport->tls.ctx_client = SSL_CTX_new(SSLv23_client_method()))){ TSK_DEBUG_ERROR("Failed to create SSL client context"); return -2; } if(!transport->tls.ctx_server && !(transport->tls.ctx_server = SSL_CTX_new(SSLv23_server_method()))){ TSK_DEBUG_ERROR("Failed to create SSL server context"); return -3; } SSL_CTX_set_mode(transport->tls.ctx_client, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(transport->tls.ctx_server, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(transport->tls.ctx_server, SSL_VERIFY_NONE, tsk_null); // to be updated by tnet_transport_tls_set_certs() SSL_CTX_set_verify(transport->tls.ctx_client, SSL_VERIFY_NONE, tsk_null); // to be updated by tnet_transport_tls_set_certs() if(SSL_CTX_set_cipher_list(transport->tls.ctx_client, TNET_CIPHER_LIST) <= 0 || SSL_CTX_set_cipher_list(transport->tls.ctx_server, TNET_CIPHER_LIST) <= 0){ TSK_DEBUG_ERROR("SSL_CTX_set_cipher_list failed [%s]", ERR_error_string(ERR_get_error(), tsk_null)); return -4; } } #if HAVE_OPENSSL_DTLS if((transport->dtls.enabled = is_dtls)){ if(!transport->dtls.ctx && !(transport->dtls.ctx = SSL_CTX_new(DTLSv1_method()))){ TSK_DEBUG_ERROR("Failed to create DTLSv1 context"); TSK_OBJECT_SAFE_FREE(transport); return -5; } SSL_CTX_set_read_ahead(transport->dtls.ctx, 1); // SSL_CTX_set_options(transport->dtls.ctx, SSL_OP_ALL); // SSL_CTX_set_mode(transport->dtls.ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(transport->dtls.ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, tsk_null); // to be updated by tnet_transport_tls_set_certs() if(SSL_CTX_set_cipher_list(transport->dtls.ctx, TNET_CIPHER_LIST) <= 0){ TSK_DEBUG_ERROR("SSL_CTX_set_cipher_list failed [%s]", ERR_error_string(ERR_get_error(), tsk_null)); return -6; } transport->dtls.activated = tsk_true; } #endif /* HAVE_OPENSSL_DTLS */ } #endif /* HAVE_OPENSSL */ return 0; }
struct dtls_context * create_dtls_context(const char *common) { if (common == NULL) return NULL; struct dtls_context *context = (struct dtls_context *)calloc(1, sizeof *context); if (context == NULL) return NULL; SSL_library_init(); OpenSSL_add_all_algorithms(); SSL_CTX *ctx = SSL_CTX_new(DTLSv1_method()); if (ctx == NULL) goto ctx_err; context->ctx = ctx; // ALL:NULL:eNULL:aNULL if (SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1) goto ctx_err; SSL_CTX_set_read_ahead(ctx, 1); // for DTLS SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_peer_certificate_cb); EVP_PKEY *key = gen_key(); if (key == NULL) goto ctx_err; SSL_CTX_use_PrivateKey(ctx, key); X509 *cert = gen_cert(key, common, 365); if (cert == NULL) goto ctx_err; SSL_CTX_use_certificate(ctx, cert); if (SSL_CTX_check_private_key(ctx) != 1) goto ctx_err; unsigned int len; unsigned char buf[BUFFER_SIZE]; X509_digest(cert, EVP_sha256(), buf, &len); char *p = context->fingerprint; for (int i = 0; i < len; ++i) { snprintf(p, 4, "%02X:", buf[i]); p += 3; } *(p - 1) = 0; if (0) { ctx_err: SSL_CTX_free(ctx); free(context); context = NULL; } return context; }
__declspec(dllexport) void ILibWrapper_InitializeDTLS() { ctx = SSL_CTX_new(DTLSv1_method()); SSL_CTX_use_certificate(ctx, selftlscert.x509); SSL_CTX_use_PrivateKey(ctx,selftlscert.pkey); int l = 32; X509_digest(selftlscert.x509, EVP_get_digestbyname("sha256"), (unsigned char*)tlsServerCertThumbprint, (unsigned int*)&l); }
/* * DTLS methods */ static const SSL_METHOD *dtls1_get_method(int ver) { if (ver == DTLS_ANY_VERSION) return DTLS_method(); else if (ver == DTLS1_VERSION) return DTLSv1_method(); else if (ver == DTLS1_2_VERSION) return DTLSv1_2_method(); else return NULL; }
VALUE engine_init_client(VALUE klass) { VALUE obj; ms_conn* conn = engine_alloc(klass, &obj); conn->ctx = SSL_CTX_new(DTLSv1_method()); conn->ssl = SSL_new(conn->ctx); SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); SSL_set_bio(conn->ssl, conn->read, conn->write); SSL_set_connect_state(conn->ssl); return obj; }
static const SSL_METHOD *swSSL_get_method(int method) { switch (method) { #ifndef OPENSSL_NO_SSL3_METHOD case SW_SSLv3_METHOD: return SSLv3_method(); case SW_SSLv3_SERVER_METHOD: return SSLv3_server_method(); case SW_SSLv3_CLIENT_METHOD: return SSLv3_client_method(); #endif case SW_SSLv23_SERVER_METHOD: return SSLv23_server_method(); case SW_SSLv23_CLIENT_METHOD: return SSLv23_client_method(); case SW_TLSv1_METHOD: return TLSv1_method(); case SW_TLSv1_SERVER_METHOD: return TLSv1_server_method(); case SW_TLSv1_CLIENT_METHOD: return TLSv1_client_method(); #ifdef TLS1_1_VERSION case SW_TLSv1_1_METHOD: return TLSv1_1_method(); case SW_TLSv1_1_SERVER_METHOD: return TLSv1_1_server_method(); case SW_TLSv1_1_CLIENT_METHOD: return TLSv1_1_client_method(); #endif #ifdef TLS1_2_VERSION case SW_TLSv1_2_METHOD: return TLSv1_2_method(); case SW_TLSv1_2_SERVER_METHOD: return TLSv1_2_server_method(); case SW_TLSv1_2_CLIENT_METHOD: return TLSv1_2_client_method(); #endif case SW_DTLSv1_METHOD: return DTLSv1_method(); case SW_DTLSv1_SERVER_METHOD: return DTLSv1_server_method(); case SW_DTLSv1_CLIENT_METHOD: return DTLSv1_client_method(); case SW_SSLv23_METHOD: default: return SSLv23_method(); } return SSLv23_method(); }
static const SSL_METHOD *swSSL_get_method(int method) { switch (method) { case SW_SSLv3_METHOD: return SSLv3_method(); case SW_SSLv3_SERVER_METHOD: return SSLv3_server_method(); case SW_SSLv3_CLIENT_METHOD: return SSLv3_client_method(); case SW_SSLv23_SERVER_METHOD: return SSLv23_server_method(); case SW_SSLv23_CLIENT_METHOD: return SSLv23_client_method(); case SW_TLSv1_METHOD: return TLSv1_method(); case SW_TLSv1_SERVER_METHOD: return TLSv1_server_method(); case SW_TLSv1_CLIENT_METHOD: return TLSv1_client_method(); case SW_TLSv1_1_METHOD: return TLSv1_1_method(); case SW_TLSv1_1_SERVER_METHOD: return TLSv1_1_server_method(); case SW_TLSv1_1_CLIENT_METHOD: return TLSv1_1_client_method(); case SW_TLSv1_2_METHOD: return TLSv1_2_method(); case SW_TLSv1_2_SERVER_METHOD: return TLSv1_2_server_method(); case SW_TLSv1_2_CLIENT_METHOD: return TLSv1_2_client_method(); case SW_DTLSv1_METHOD: return DTLSv1_method(); case SW_DTLSv1_SERVER_METHOD: return DTLSv1_server_method(); case SW_DTLSv1_CLIENT_METHOD: return DTLSv1_client_method(); case SW_SSLv23_METHOD: default: return SSLv23_method(); } return SSLv23_method(); }
static int openssl_ssl_ctx_new(lua_State*L) { const char* meth = luaL_optstring(L, 1, "TLSv1"); #if OPENSSL_VERSION_NUMBER >= 0x01000000L const #endif SSL_METHOD* method = NULL; const char* ciphers; SSL_CTX* ctx; if (strcmp(meth, "SSLv3") == 0) method = SSLv3_method(); /* SSLv3 */ else if (strcmp(meth, "SSLv3_server") == 0) method = SSLv3_server_method(); /* SSLv3 */ else if (strcmp(meth, "SSLv3_client") == 0) method = SSLv3_client_method(); /* SSLv3 */ else if (strcmp(meth, "SSLv23") == 0) method = SSLv23_method(); /* SSLv3 but can rollback to v2 */ else if (strcmp(meth, "SSLv23_server") == 0) method = SSLv23_server_method(); /* SSLv3 but can rollback to v2 */ else if (strcmp(meth, "SSLv23_client") == 0) method = SSLv23_client_method(); /* SSLv3 but can rollback to v2 */ else if (strcmp(meth, "TLSv1_1") == 0) method = TLSv1_1_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_1_server") == 0) method = TLSv1_1_server_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_1_client") == 0) method = TLSv1_1_client_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_2") == 0) method = TLSv1_2_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_2_server") == 0) method = TLSv1_2_server_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_2_client") == 0) method = TLSv1_2_client_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1") == 0) method = TLSv1_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_server") == 0) method = TLSv1_server_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_client") == 0) method = TLSv1_client_method(); /* TLSv1.0 */ else if (strcmp(meth, "DTLSv1") == 0) method = DTLSv1_method(); /* DTLSv1.0 */ else if (strcmp(meth, "DTLSv1_server") == 0) method = DTLSv1_server_method(); /* DTLSv1.0 */ else if (strcmp(meth, "DTLSv1_client") == 0) method = DTLSv1_client_method(); /* DTLSv1.0 */ #ifndef OPENSSL_NO_SSL2 #if OPENSSL_VERSION_NUMBER < 0x10100000L else if (strcmp(meth, "SSLv2") == 0) method = SSLv2_method(); /* SSLv2 */ else if (strcmp(meth, "SSLv2_server") == 0) method = SSLv2_server_method(); /* SSLv2 */ else if (strcmp(meth, "SSLv2_client") == 0) method = SSLv2_client_method(); #endif #ifdef LOAD_SSL_CUSTOM LOAD_SSL_CUSTOM #endif #endif else luaL_error(L, "#1:%s not supported\n" "Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n", "default is SSLv3", meth); ciphers = luaL_optstring(L, 2, SSL_DEFAULT_CIPHER_LIST); ctx = SSL_CTX_new(method); if (!ctx) luaL_error(L, "#1:%s not supported\n" "Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n", "default is SSLv3", meth); openssl_newvalue(L, ctx); SSL_CTX_set_cipher_list(ctx, ciphers); PUSH_OBJECT(ctx, "openssl.ssl_ctx"); SSL_CTX_set_app_data(ctx, L); return 1; }
int krx_ssl_init(krx_ssl* k) { int r = 0; SSL_library_init(); SSL_load_error_strings(); ERR_load_BIO_strings(); OpenSSL_add_all_algorithms(); /* create a new context using DTLS */ k->ctx = SSL_CTX_new(DTLSv1_method()); if(!k->ctx) { printf("Error: cannot create SSL_CTX.\n"); ERR_print_errors_fp(stderr); return -1; } /* set our supported ciphers */ //r = SSL_CTX_set_cipher_list(k->ctx, "DHE-RSA-AES128-GCM-SHA:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"); //r = SSL_CTX_set_cipher_list(k->ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); //r = SSL_CTX_set_cipher_list(k->ctx, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); r = SSL_CTX_set_cipher_list(k->ctx, "RSA:kDHE"); if(r <= 0) { printf("Error: cannot set the cipher list.\n"); ERR_print_errors_fp(stderr); return -2; } /* the client doesn't have to send it's certificate */ SSL_CTX_set_verify(k->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, krx_ssl_verify); //SSL_CTX_set_session_cache_mode(k->ctx, SSL_SESS_CACHE_OFF); //SSL_CTX_set_verify_depth(k->ctx, 4); SSL_CTX_set_mode(k->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY); /* enable srtp */ r = SSL_CTX_set_tlsext_use_srtp(k->ctx, "SRTP_AES128_CM_SHA1_80"); if(r != 0) { printf("Error: cannot setup srtp.\n"); ERR_print_errors_fp(stderr); return -3; } /* load certificate and key */ r = SSL_CTX_use_certificate_file(k->ctx, "./server-cert.pem", SSL_FILETYPE_PEM); if(r <= 0) { printf("Error: cannot load certificate file.\n"); ERR_print_errors_fp(stderr); return -4; } r = SSL_CTX_use_PrivateKey_file(k->ctx, "./server-key.pem", SSL_FILETYPE_PEM); if(r <= 0) { printf("Error: cannot load private key file.\n"); ERR_print_errors_fp(stderr); return -5; } r = SSL_CTX_check_private_key(k->ctx); if(r == 0) { printf("Error: checking the private key failed.\n"); return -6; } k->conn_initialized = false; k->in_pos = 0; k->in_len = 0; k->in_buf = NULL; k->out_pos = 0; k->out_len = 0; k->out_buf = NULL; return 0; }
void DtlsTransport::CreateSSL_CTX() { MS_TRACE(); std::string ssl_srtp_profiles; EC_KEY* ecdh = nullptr; int ret; /* Set the global DTLS context. */ // - Both DTLS 1.0 and 1.2 (requires OpenSSL >= 1.1.0). #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) DtlsTransport::sslCtx = SSL_CTX_new(DTLS_method()); // - Just DTLS 1.0 (requires OpenSSL >= 1.0.1). #elif (OPENSSL_VERSION_NUMBER >= 0x10001000L) DtlsTransport::sslCtx = SSL_CTX_new(DTLSv1_method()); #else #error "too old OpenSSL version" #endif if (!DtlsTransport::sslCtx) { LOG_OPENSSL_ERROR("SSL_CTX_new() failed"); goto error; } ret = SSL_CTX_use_certificate(DtlsTransport::sslCtx, DtlsTransport::certificate); if (ret == 0) { LOG_OPENSSL_ERROR("SSL_CTX_use_certificate() failed"); goto error; } ret = SSL_CTX_use_PrivateKey(DtlsTransport::sslCtx, DtlsTransport::privateKey); if (ret == 0) { LOG_OPENSSL_ERROR("SSL_CTX_use_PrivateKey() failed"); goto error; } ret = SSL_CTX_check_private_key(DtlsTransport::sslCtx); if (ret == 0) { LOG_OPENSSL_ERROR("SSL_CTX_check_private_key() failed"); goto error; } // Set options. SSL_CTX_set_options(DtlsTransport::sslCtx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET | SSL_OP_SINGLE_ECDH_USE); // Don't use sessions cache. SSL_CTX_set_session_cache_mode(DtlsTransport::sslCtx, SSL_SESS_CACHE_OFF); // Read always as much into the buffer as possible. // NOTE: This is the default for DTLS, but a bug in non latest OpenSSL // versions makes this call required. SSL_CTX_set_read_ahead(DtlsTransport::sslCtx, 1); SSL_CTX_set_verify_depth(DtlsTransport::sslCtx, 4); // Require certificate from peer. SSL_CTX_set_verify(DtlsTransport::sslCtx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, on_ssl_certificate_verify); // Set SSL info callback. SSL_CTX_set_info_callback(DtlsTransport::sslCtx, on_ssl_info); // Set ciphers. ret = SSL_CTX_set_cipher_list(DtlsTransport::sslCtx, "ALL:!ADH:!LOW:!EXP:!MD5:!aNULL:!eNULL:@STRENGTH"); if (ret == 0) { LOG_OPENSSL_ERROR("SSL_CTX_set_cipher_list() failed"); goto error; } // Enable ECDH ciphers. // DOC: http://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman_parameters // NOTE: https://code.google.com/p/chromium/issues/detail?id=406458 // For OpenSSL >= 1.0.2: #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) SSL_CTX_set_ecdh_auto(DtlsTransport::sslCtx, 1); #else ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (!ecdh) { LOG_OPENSSL_ERROR("EC_KEY_new_by_curve_name() failed"); goto error; } if (SSL_CTX_set_tmp_ecdh(DtlsTransport::sslCtx, ecdh) != 1) { LOG_OPENSSL_ERROR("SSL_CTX_set_tmp_ecdh() failed"); goto error; } EC_KEY_free(ecdh); ecdh = nullptr; #endif // Set the "use_srtp" DTLS extension. for (auto it = DtlsTransport::srtpProfiles.begin(); it != DtlsTransport::srtpProfiles.end(); ++it) { if (it != DtlsTransport::srtpProfiles.begin()) ssl_srtp_profiles += ":"; SrtpProfileMapEntry* profile_entry = &(*it); ssl_srtp_profiles += profile_entry->name; } MS_DEBUG("setting SRTP profiles for DTLS: %s", ssl_srtp_profiles.c_str()); // NOTE: This function returns 0 on success. ret = SSL_CTX_set_tlsext_use_srtp(DtlsTransport::sslCtx, ssl_srtp_profiles.c_str()); if (ret != 0) { MS_ERROR("SSL_CTX_set_tlsext_use_srtp() failed when entering '%s'", ssl_srtp_profiles.c_str()); LOG_OPENSSL_ERROR("SSL_CTX_set_tlsext_use_srtp() failed"); goto error; } return; error: if (DtlsTransport::sslCtx) { SSL_CTX_free(DtlsTransport::sslCtx); DtlsTransport::sslCtx = nullptr; } if (ecdh) EC_KEY_free(ecdh); MS_THROW_ERROR("SSL context creation failed"); }
int krx_ssl_ctx_init(krx* k, const char* keyname) { int r = 0; /* create a new context using DTLS */ k->ctx = SSL_CTX_new(DTLSv1_method()); if(!k->ctx) { printf("Error: cannot create SSL_CTX.\n"); ERR_print_errors_fp(stderr); return -1; } /* set our supported ciphers */ r = SSL_CTX_set_cipher_list(k->ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); if(r != 1) { printf("Error: cannot set the cipher list.\n"); ERR_print_errors_fp(stderr); return -2; } /* the client doesn't have to send it's certificate */ SSL_CTX_set_verify(k->ctx, SSL_VERIFY_PEER, krx_ssl_verify_peer); /* enable srtp */ r = SSL_CTX_set_tlsext_use_srtp(k->ctx, "SRTP_AES128_CM_SHA1_80"); if(r != 0) { printf("Error: cannot setup srtp.\n"); ERR_print_errors_fp(stderr); return -3; } /* load key and certificate */ char certfile[1024]; char keyfile[1024]; sprintf(certfile, "./%s-cert.pem", keyname); sprintf(keyfile, "./%s-key.pem", keyname); /* certificate file; contains also the public key */ r = SSL_CTX_use_certificate_file(k->ctx, certfile, SSL_FILETYPE_PEM); if(r != 1) { printf("Error: cannot load certificate file.\n"); ERR_print_errors_fp(stderr); return -4; } /* load private key */ r = SSL_CTX_use_PrivateKey_file(k->ctx, keyfile, SSL_FILETYPE_PEM); if(r != 1) { printf("Error: cannot load private key file.\n"); ERR_print_errors_fp(stderr); return -5; } /* check if the private key is valid */ r = SSL_CTX_check_private_key(k->ctx); if(r != 1) { printf("Error: checking the private key failed. \n"); ERR_print_errors_fp(stderr); return -6; } sprintf(k->name, "+ %s", keyname); return 0; }
/* DTLS-SRTP initialization */ gint janus_dtls_srtp_init(gchar *server_pem, gchar *server_key) { ssl_ctx = SSL_CTX_new(DTLSv1_method()); if(!ssl_ctx) { JANUS_LOG(LOG_FATAL, "Ops, error creating DTLS context?\n"); return -1; } SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, janus_dtls_verify_callback); SSL_CTX_set_tlsext_use_srtp(ssl_ctx, "SRTP_AES128_CM_SHA1_80"); /* FIXME Should we support something else as well? */ if(!server_pem || !SSL_CTX_use_certificate_file(ssl_ctx, server_pem, SSL_FILETYPE_PEM)) { JANUS_LOG(LOG_FATAL, "Certificate error, does it exist?\n"); JANUS_LOG(LOG_FATAL, " %s\n", server_pem); return -2; } if(!server_key || !SSL_CTX_use_PrivateKey_file(ssl_ctx, server_key, SSL_FILETYPE_PEM)) { JANUS_LOG(LOG_FATAL, "Certificate key error, does it exist?\n"); JANUS_LOG(LOG_FATAL, " %s\n", server_key); return -3; } if(!SSL_CTX_check_private_key(ssl_ctx)) { JANUS_LOG(LOG_FATAL, "Certificate check error...\n"); return -4; } SSL_CTX_set_read_ahead(ssl_ctx,1); BIO *certbio = BIO_new(BIO_s_file()); if(certbio == NULL) { JANUS_LOG(LOG_FATAL, "Certificate BIO error...\n"); return -5; } if(BIO_read_filename(certbio, server_pem) == 0) { JANUS_LOG(LOG_FATAL, "Error reading certificate...\n"); BIO_free_all(certbio); return -6; } X509 *cert = PEM_read_bio_X509(certbio, NULL, 0, NULL); if(cert == NULL) { JANUS_LOG(LOG_FATAL, "Error reading certificate...\n"); BIO_free_all(certbio); return -7; } unsigned int size; unsigned char fingerprint[EVP_MAX_MD_SIZE]; if(X509_digest(cert, EVP_sha256(), (unsigned char *)fingerprint, &size) == 0) { JANUS_LOG(LOG_FATAL, "Error converting X509 structure...\n"); X509_free(cert); BIO_free_all(certbio); return -7; } char *lfp = (char *)&local_fingerprint; unsigned int i = 0; for(i = 0; i < size; i++) { g_snprintf(lfp, 4, "%.2X:", fingerprint[i]); lfp += 3; } *(lfp-1) = 0; JANUS_LOG(LOG_INFO, "Fingerprint of our certificate: %s\n", local_fingerprint); X509_free(cert); BIO_free_all(certbio); SSL_CTX_set_cipher_list(ssl_ctx, DTLS_CIPHERS); /* Initialize libsrtp */ if(srtp_init() != err_status_ok) { JANUS_LOG(LOG_FATAL, "Ops, error setting up libsrtp?\n"); return 5; } return 0; }
/** * Allocate a new TLS context * * @param tlsp Pointer to allocated TLS context * @param method TLS method * @param keyfile Optional private key file * @param pwd Optional password * * @return 0 if success, otherwise errorcode */ int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile, const char *pwd) { struct tls *tls; int r, err; if (!tlsp) return EINVAL; tls = mem_zalloc(sizeof(*tls), destructor); if (!tls) return ENOMEM; if (!tlsg.up) { #ifdef SIGPIPE /* Set up a SIGPIPE handler */ (void)signal(SIGPIPE, sigpipe_handle); #endif SSL_library_init(); tlsg.up = true; } if (tlsg.tlsc++ == 0) { DEBUG_INFO("error strings loaded\n"); SSL_load_error_strings(); } switch (method) { case TLS_METHOD_SSLV23: tls->ctx = SSL_CTX_new(SSLv23_method()); break; #ifdef USE_OPENSSL_DTLS case TLS_METHOD_DTLSV1: tls->ctx = SSL_CTX_new(DTLSv1_method()); break; #endif default: DEBUG_WARNING("tls method %d not supported\n", method); err = ENOSYS; goto out; } if (!tls->ctx) { err = ENOMEM; goto out; } #if (OPENSSL_VERSION_NUMBER < 0x00905100L) SSL_CTX_set_verify_depth(tls->ctx, 1); #endif if (method == TLS_METHOD_DTLSV1) { SSL_CTX_set_read_ahead(tls->ctx, 1); } /* Load our keys and certificates */ if (keyfile) { if (pwd) { err = str_dup(&tls->pass, pwd); if (err) goto out; SSL_CTX_set_default_passwd_cb(tls->ctx, password_cb); SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, tls); } r = SSL_CTX_use_certificate_chain_file(tls->ctx, keyfile); if (r <= 0) { DEBUG_WARNING("Can't read certificate file: %s (%d)\n", keyfile, r); err = EINVAL; goto out; } r = SSL_CTX_use_PrivateKey_file(tls->ctx, keyfile, SSL_FILETYPE_PEM); if (r <= 0) { DEBUG_WARNING("Can't read key file: %s (%d)\n", keyfile, r); err = EINVAL; goto out; } } err = 0; out: if (err) mem_deref(tls); else *tlsp = tls; return err; }
const SSL_METHOD *DTLSv1_server_method(void) { return DTLSv1_method(); }
int dtls_ctx_init(STREAM_DTLS_CTXT_T *pCtxt, const DTLS_CFG_T *pDtlsCfg, int dtls_srtp) { int rc = 0; const SSL_METHOD *method = NULL; const char *srtpProfiles = NULL; //const char *cipherList = NULL; if(!pCtxt || !pDtlsCfg) { return -1; } else if(!pDtlsCfg->certpath) { LOG(X_ERROR("DTLS certificate path not set")); return -1; } else if(!pDtlsCfg->privkeypath) { LOG(X_ERROR("DTLS private key path not set")); return -1; } //pthread_mutex_lock(&g_dtls_ctx_mtx); pthread_mutex_lock(&g_ssl_mtx); if((rc = sslutil_init()) >= 0) { method = DTLSv1_method(); //method = DTLSv1_client_method(); //method = DTLSv1_servert_method(); } if(rc >= 0 && (!method || !(pCtxt->pctx = SSL_CTX_new(method)))) { LOG(X_ERROR("DTLS SSL_CTX_new failed")); rc = -1; } //pthread_mutex_unlock(&g_dtls_ctx_mtx); pthread_mutex_unlock(&g_ssl_mtx); if(rc >= 0) { SSL_CTX_set_mode(pCtxt->pctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(pCtxt->pctx, SSL_VERIFY_NONE, NULL); //cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"; //cipherList = "ALL"; if(SSL_CTX_set_cipher_list(pCtxt->pctx, DTLS_CIPHER_LIST) <= 0) { LOG(X_ERROR("DTLS SSL_CTX_set_cipher_list '%s' failed"), ERR_reason_error_string(ERR_get_error())); rc = -1; } } pCtxt->dtls_srtp = dtls_srtp; if(rc >= 0 && dtls_srtp) { srtpProfiles = DTLS_SRTP_PROFILE; if(SSL_CTX_set_tlsext_use_srtp(pCtxt->pctx, srtpProfiles) != 0) { LOG(X_ERROR("DTLS SSL_CTX_set_tlsext_use_srtp failed: %s"), ERR_reason_error_string(ERR_get_error())); rc = -1; } } if(rc >= 0) { SSL_CTX_set_verify_depth(pCtxt->pctx, 4); } if(rc >= 0 && SSL_CTX_use_certificate_file(pCtxt->pctx, pDtlsCfg->certpath, SSL_FILETYPE_PEM) != 1) { LOG(X_ERROR("DTLS SSL_CTX_use_certificate_file '%s' failed: %s"), pDtlsCfg->certpath, ERR_reason_error_string(ERR_get_error())); rc = -1; } if(rc >= 0 && SSL_CTX_use_PrivateKey_file(pCtxt->pctx, pDtlsCfg->privkeypath, SSL_FILETYPE_PEM) != 1) { LOG(X_ERROR("DTLS SSL_CTX_use_PrivateKey_file '%s' failed: %s"), pDtlsCfg->privkeypath, ERR_reason_error_string(ERR_get_error())); rc = -1; } if(rc >= 0 && SSL_CTX_check_private_key(pCtxt->pctx) != 1) { LOG(X_ERROR("DTLS SSL_CTX_check_private_key failed: %s"), ERR_reason_error_string(ERR_get_error())); rc = -1; } if(rc < 0) { dtls_ctx_close(pCtxt); } else { pthread_mutex_init(&pCtxt->mtx, NULL); pCtxt->pCfg = pDtlsCfg; pCtxt->pDtlsShared = NULL; pCtxt->haveRcvdData = 0; pCtxt->active = 1; LOG(X_DEBUG("Initialized DTLS%s %scontext cert-file: %s, key-file: %s"), (pCtxt->dtls_srtp ? "-SRTP" : ""), (pCtxt->dtls_srtp ? (pDtlsCfg->dtls_handshake_server ? "server key " : "client key ") : ""), pDtlsCfg->certpath ? pDtlsCfg->certpath : "", pDtlsCfg->privkeypath ? pDtlsCfg->privkeypath : ""); } return rc; }
/* DTLS-SRTP initialization */ gint janus_dtls_srtp_init(const char* server_pem, const char* server_key) { /* FIXME First of all make OpenSSL thread safe (see note above on issue #316) */ janus_dtls_locks = g_malloc0(sizeof(*janus_dtls_locks) * CRYPTO_num_locks()); int l=0; for(l = 0; l < CRYPTO_num_locks(); l++) { janus_mutex_init(&janus_dtls_locks[l]); } CRYPTO_THREADID_set_callback(janus_dtls_cb_openssl_threadid); CRYPTO_set_locking_callback(janus_dtls_cb_openssl_lock); /* Go on and create the DTLS context */ ssl_ctx = SSL_CTX_new(DTLSv1_method()); if(!ssl_ctx) { JANUS_LOG(LOG_FATAL, "Ops, error creating DTLS context?\n"); return -1; } SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, janus_dtls_verify_callback); SSL_CTX_set_tlsext_use_srtp(ssl_ctx, "SRTP_AES128_CM_SHA1_80"); /* FIXME Should we support something else as well? */ if (!server_pem && !server_key) { JANUS_LOG(LOG_WARN, "No cert/key specified, autogenerating some...\n"); if (janus_dtls_generate_keys(&ssl_cert, &ssl_key) != 0) { JANUS_LOG(LOG_FATAL, "Error generating DTLS key/certificate\n"); return -2; } } else if (!server_pem || !server_key) { JANUS_LOG(LOG_FATAL, "DTLS certificate and key must be specified\n"); return -2; } else if (janus_dtls_load_keys(server_pem, server_key, &ssl_cert, &ssl_key) != 0) { return -3; } if(!SSL_CTX_use_certificate(ssl_ctx, ssl_cert)) { JANUS_LOG(LOG_FATAL, "Certificate error (%s)\n", ERR_reason_error_string(ERR_get_error())); return -4; } if(!SSL_CTX_use_PrivateKey(ssl_ctx, ssl_key)) { JANUS_LOG(LOG_FATAL, "Certificate key error (%s)\n", ERR_reason_error_string(ERR_get_error())); return -5; } if(!SSL_CTX_check_private_key(ssl_ctx)) { JANUS_LOG(LOG_FATAL, "Certificate check error (%s)\n", ERR_reason_error_string(ERR_get_error())); return -6; } SSL_CTX_set_read_ahead(ssl_ctx,1); unsigned int size; unsigned char fingerprint[EVP_MAX_MD_SIZE]; if(X509_digest(ssl_cert, EVP_sha256(), (unsigned char *)fingerprint, &size) == 0) { JANUS_LOG(LOG_FATAL, "Error converting X509 structure (%s)\n", ERR_reason_error_string(ERR_get_error())); return -7; } char *lfp = (char *)&local_fingerprint; unsigned int i = 0; for(i = 0; i < size; i++) { g_snprintf(lfp, 4, "%.2X:", fingerprint[i]); lfp += 3; } *(lfp-1) = 0; JANUS_LOG(LOG_INFO, "Fingerprint of our certificate: %s\n", local_fingerprint); SSL_CTX_set_cipher_list(ssl_ctx, DTLS_CIPHERS); /* Initialize libsrtp */ if(srtp_init() != err_status_ok) { JANUS_LOG(LOG_FATAL, "Ops, error setting up libsrtp?\n"); return 5; } return 0; }
static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { SSL_CTX *ctx = NULL; unsigned long error; switch (type) { #ifdef RADPROT_TLS case RAD_TLS: ctx = SSL_CTX_new(TLSv1_method()); break; #endif #ifdef RADPROT_DTLS case RAD_DTLS: ctx = SSL_CTX_new(DTLSv1_method()); SSL_CTX_set_read_ahead(ctx, 1); break; #endif } if (!ctx) { debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name); while ((error = ERR_get_error())) debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); return NULL; } #ifdef DEBUG SSL_CTX_set_info_callback(ctx, ssl_info_callback); #endif if (conf->certkeypwd) { SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd); SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb); } if (conf->certfile || conf->certkeyfile) { if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) || !SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) || !SSL_CTX_check_private_key(ctx)) { while ((error = ERR_get_error())) debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS (certfile issues) in TLS context %s", conf->name); SSL_CTX_free(ctx); return NULL; } } if (conf->policyoids) { if (!conf->vpm) { conf->vpm = createverifyparams(conf->policyoids); if (!conf->vpm) { debug(DBG_ERR, "tlscreatectx: Failed to add policyOIDs in TLS context %s", conf->name); SSL_CTX_free(ctx); return NULL; } } } if (conf->cacertfile != NULL || conf->cacertpath != NULL) if (!tlsaddcacrl(ctx, conf)) { if (conf->vpm) { X509_VERIFY_PARAM_free(conf->vpm); conf->vpm = NULL; } SSL_CTX_free(ctx); return NULL; } debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name); return ctx; }
const SSL_METHOD *DTLSv1_client_method(void) { return DTLSv1_method(); }
#ifndef OPENSSL_NO_DTLS if (dtls1) meth = DTLSv1_method(); else if (dtls12) meth = DTLSv1_2_method(); else #endif #ifndef OPENSSL_NO_TLS1 if (tls1) meth = TLSv1_method(); else #endif meth = SSLv23_method();
/* DTLS-SRTP initialization */ gint janus_dtls_srtp_init(const char *server_pem, const char *server_key, const char *password) { const char *crypto_lib = NULL; #if JANUS_USE_OPENSSL_PRE_1_1_API #if defined(LIBRESSL_VERSION_NUMBER) crypto_lib = "LibreSSL"; #else crypto_lib = "OpenSSL pre-1.1.0"; #endif /* First of all make OpenSSL thread safe (see note above on issue #316) */ janus_dtls_locks = g_malloc0(sizeof(*janus_dtls_locks) * CRYPTO_num_locks()); int l=0; for(l = 0; l < CRYPTO_num_locks(); l++) { janus_mutex_init(&janus_dtls_locks[l]); } CRYPTO_THREADID_set_callback(janus_dtls_cb_openssl_threadid); CRYPTO_set_locking_callback(janus_dtls_cb_openssl_lock); #else crypto_lib = "OpenSSL >= 1.1.0"; #endif #ifdef HAVE_BORINGSSL crypto_lib = "BoringSSL"; #endif JANUS_LOG(LOG_INFO, "Crypto: %s\n", crypto_lib); #ifndef HAVE_SRTP_AESGCM JANUS_LOG(LOG_WARN, "The libsrtp installation does not support AES-GCM profiles\n"); #endif /* Go on and create the DTLS context */ #if JANUS_USE_OPENSSL_PRE_1_1_API ssl_ctx = SSL_CTX_new(DTLSv1_method()); #else ssl_ctx = SSL_CTX_new(DTLS_method()); #endif if(!ssl_ctx) { JANUS_LOG(LOG_FATAL, "Ops, error creating DTLS context?\n"); return -1; } SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, janus_dtls_verify_callback); SSL_CTX_set_tlsext_use_srtp(ssl_ctx, #ifdef HAVE_SRTP_AESGCM "SRTP_AEAD_AES_256_GCM:SRTP_AEAD_AES_128_GCM:SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32"); #else "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32"); #endif if(!server_pem && !server_key) { JANUS_LOG(LOG_WARN, "No cert/key specified, autogenerating some...\n"); if(janus_dtls_generate_keys(&ssl_cert, &ssl_key) != 0) { JANUS_LOG(LOG_FATAL, "Error generating DTLS key/certificate\n"); return -2; } } else if(!server_pem || !server_key) { JANUS_LOG(LOG_FATAL, "DTLS certificate and key must be specified\n"); return -2; } else if(janus_dtls_load_keys(server_pem, server_key, password, &ssl_cert, &ssl_key) != 0) { return -3; } if(!SSL_CTX_use_certificate(ssl_ctx, ssl_cert)) { JANUS_LOG(LOG_FATAL, "Certificate error (%s)\n", ERR_reason_error_string(ERR_get_error())); return -4; } if(!SSL_CTX_use_PrivateKey(ssl_ctx, ssl_key)) { JANUS_LOG(LOG_FATAL, "Certificate key error (%s)\n", ERR_reason_error_string(ERR_get_error())); return -5; } if(!SSL_CTX_check_private_key(ssl_ctx)) { JANUS_LOG(LOG_FATAL, "Certificate check error (%s)\n", ERR_reason_error_string(ERR_get_error())); return -6; } SSL_CTX_set_read_ahead(ssl_ctx,1); unsigned int size; unsigned char fingerprint[EVP_MAX_MD_SIZE]; if(X509_digest(ssl_cert, EVP_sha256(), (unsigned char *)fingerprint, &size) == 0) { JANUS_LOG(LOG_FATAL, "Error converting X509 structure (%s)\n", ERR_reason_error_string(ERR_get_error())); return -7; } char *lfp = (char *)&local_fingerprint; unsigned int i = 0; for(i = 0; i < size; i++) { g_snprintf(lfp, 4, "%.2X:", fingerprint[i]); lfp += 3; } *(lfp-1) = 0; JANUS_LOG(LOG_INFO, "Fingerprint of our certificate: %s\n", local_fingerprint); SSL_CTX_set_cipher_list(ssl_ctx, DTLS_CIPHERS); if(janus_dtls_bio_filter_init() < 0) { JANUS_LOG(LOG_FATAL, "Error initializing BIO filter\n"); return -8; } /* Initialize libsrtp */ if(srtp_init() != srtp_err_status_ok) { JANUS_LOG(LOG_FATAL, "Ops, error setting up libsrtp?\n"); return 5; } return 0; }