int ssl_init(void) { /* init SSL before parsing configuration file */ SSL_load_error_strings(); SSL_library_init(); index_cli=SSL_get_ex_new_index(0, "cli index", NULL, NULL, NULL); index_opt=SSL_CTX_get_ex_new_index(0, "opt index", NULL, NULL, NULL); index_redirect=SSL_SESSION_get_ex_new_index(0, "redirect index", NULL, NULL, NULL); index_addr=SSL_SESSION_get_ex_new_index(0, "addr index", NULL, NULL, cb_free); if(index_cli<0 || index_opt<0 || index_redirect<0 || index_addr<0) { s_log(LOG_ERR, "Application specific data initialization failed"); return 1; } #ifndef OPENSSL_NO_ENGINE ENGINE_load_builtin_engines(); #endif #ifndef OPENSSL_NO_DH dh_params=get_dh2048(); if(!dh_params) { s_log(LOG_ERR, "Failed to get default DH parameters"); return 1; } #endif /* OPENSSL_NO_DH */ return 0; }
static int get_ssl_session_cache_index(void) { static int index = -1; static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; pthread_mutex_lock(&mutex); if (index == -1) { index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, on_dispose_ssl_ctx_ex_data); assert(index != -1); } pthread_mutex_unlock(&mutex); return index; }
int lws_context_init_ssl_library(struct lws_context_creation_info *info) { #ifdef USE_WOLFSSL #ifdef USE_OLD_CYASSL lwsl_notice(" Compiled with CyaSSL support\n"); #else lwsl_notice(" Compiled with wolfSSL support\n"); #endif #else #if defined(LWS_USE_POLARSSL) lwsl_notice(" Compiled with PolarSSL support\n"); #else #if defined(LWS_USE_MBEDTLS) lwsl_notice(" Compiled with mbedTLS support\n"); #else lwsl_notice(" Compiled with OpenSSL support\n"); #endif #endif #endif if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) { lwsl_notice(" SSL disabled: no LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n"); return 0; } /* basic openssl init */ #if defined(LWS_USE_POLARSSL) #else #if defined(LWS_USE_MBEDTLS) #else SSL_library_init(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); openssl_websocket_private_data_index = SSL_get_ex_new_index(0, "lws", NULL, NULL, NULL); openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); #endif #endif return 0; }
void bb_socket_ssl(struct bb_acceptor *acceptor) { if (!blastbeat.ssl_initialized) { OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); blastbeat.ssl_initialized = 1; blastbeat.ssl_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); } acceptor->ctx = SSL_CTX_new(SSLv23_server_method()); if (!acceptor->ctx) { fprintf(stderr, "unable to initialize SSL context: SSL_CTX_new()"); exit(1); } long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; // disable compression (if possibile) #ifdef SSL_OP_NO_COMPRESSION ssloptions |= SSL_OP_NO_COMPRESSION; #endif SSL_CTX_set_options(acceptor->ctx, ssloptions); // release/reuse buffers as soon as possibile #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(acceptor->ctx, SSL_MODE_RELEASE_BUFFERS); #endif if (SSL_CTX_set_cipher_list(acceptor->ctx, "HIGH") == 0) { fprintf(stderr,"unable to set SSL ciphers: SSL_CTX_set_cipher_list()"); exit(1); } SSL_CTX_set_options(acceptor->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); SSL_CTX_set_info_callback(acceptor->ctx, bb_ssl_info_cb); #ifdef OPENSSL_NPN_UNSUPPORTED SSL_CTX_set_next_protos_advertised_cb(acceptor->ctx, bb_ssl_npn, NULL); #endif SSL_CTX_set_session_cache_mode(acceptor->ctx, SSL_SESS_CACHE_SERVER); acceptor->read = bb_ssl_read; acceptor->write = bb_ssl_write; }
int lws_context_init_ssl_library(const struct lws_context_creation_info *info) { #ifdef USE_WOLFSSL #ifdef USE_OLD_CYASSL lwsl_info(" Compiled with CyaSSL support\n"); #else lwsl_info(" Compiled with wolfSSL support\n"); #endif #else #if defined(LWS_WITH_BORINGSSL) lwsl_info(" Compiled with BoringSSL support\n"); #else lwsl_info(" Compiled with OpenSSL support\n"); #endif #endif if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) { lwsl_info(" SSL disabled: no " "LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n"); return 0; } /* basic openssl init */ lwsl_info("Doing SSL library init\n"); #if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); #else OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); #endif #if defined(LWS_WITH_NETWORK) openssl_websocket_private_data_index = SSL_get_ex_new_index(0, "lws", NULL, NULL, NULL); openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); #endif return 0; }
void bb_socket_ssl(struct bb_acceptor *acceptor) { if (!blastbeat.ssl_initialized) { OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); blastbeat.ssl_initialized = 1; blastbeat.ssl_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); } acceptor->ctx = bb_new_ssl_ctx(); if (!acceptor->ctx) { exit(1); } acceptor->read = bb_ssl_read; acceptor->write = bb_ssl_write; }
bud_error_t bud_config_init(bud_config_t* config) { bud_error_t err; int i; int r; /* Get addresses of frontend and backend */ r = bud_config_str_to_addr(config->frontend.host, config->frontend.port, &config->frontend.addr); if (r != 0) return bud_error_num(kBudErrPton, r); for (i = 0; i < config->frontend.interface.count; i++) { bud_config_addr_t* addr; addr = &config->frontend.interface.list[i]; r = bud_config_str_to_addr(addr->host, addr->port, &addr->addr); if (r != 0) return bud_error_num(kBudErrPton, r); } err = bud_config_format_proxyline(config); if (!bud_is_ok(err)) return err; i = 0; config->balance_e = bud_config_balance_to_enum(config->balance); /* At least one backend should be present for non-SNI balancing */ if (config->contexts[0].backend.count == 0 && config->balance_e != kBudBalanceSNI) { err = bud_error(kBudErrNoBackend); goto fatal; } /* Get indexes for SSL_set_ex_data()/SSL_get_ex_data() */ if (kBudSSLClientIndex == -1) { kBudSSLConfigIndex = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); kBudSSLClientIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); kBudSSLSNIIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); kBudSSLTicketKeyIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (kBudSSLConfigIndex == -1 || kBudSSLClientIndex == -1 || kBudSSLSNIIndex == -1 || kBudSSLTicketKeyIndex == -1) { err = bud_error(kBudErrNoSSLIndex); goto fatal; } } #ifndef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB if (config->context_count != 0) { err = bud_error(kBudErrSNINotSupported); goto fatal; } #endif /* !SSL_CTRL_SET_TLSEXT_SERVERNAME_CB */ /* Allocate workers */ if (!config->is_worker && config->worker_count != 0) { config->workers = calloc(config->worker_count, sizeof(*config->workers)); if (config->workers == NULL) { err = bud_error_str(kBudErrNoMem, "workers"); goto fatal; } } /* Initialize logger */ config->logger = bud_logger_new(config, &err); if (!bud_is_ok(err)) goto fatal; err = bud_config_init_tracing(&config->trace); if (!bud_is_ok(err)) goto fatal; if (config->is_worker || config->worker_count == 0) { /* Connect to SNI server */ if (config->sni.enabled) { config->sni.pool = bud_http_pool_new(config, config->sni.host, config->sni.port, &err); if (config->sni.pool == NULL) goto fatal; } /* Connect to OCSP Stapling server */ if (config->stapling.enabled) { config->stapling.pool = bud_http_pool_new(config, config->stapling.host, config->stapling.port, &err); if (config->stapling.pool == NULL) goto fatal; } } /* Init all contexts */ for (i = 0; i < config->context_count + 1; i++) { err = bud_context_init(config, &config->contexts[i]); if (!bud_is_ok(err)) goto fatal; } return bud_ok(); fatal: /* Free all allocated contexts */ do bud_context_free(&config->contexts[i--]); while (i >= 0); return err; }
void uwsgi_opt_https2(char *opt, char *value, void *cr) { struct uwsgi_corerouter *ucr = (struct uwsgi_corerouter *) cr; char *s2_addr = NULL; char *s2_cert = NULL; char *s2_key = NULL; char *s2_ciphers = NULL; char *s2_clientca = NULL; char *s2_spdy = NULL; if (uwsgi_kvlist_parse(value, strlen(value), ',', '=', "addr", &s2_addr, "cert", &s2_cert, "crt", &s2_cert, "key", &s2_key, "ciphers", &s2_ciphers, "clientca", &s2_clientca, "client_ca", &s2_clientca, "spdy", &s2_spdy, NULL)) { uwsgi_log("error parsing --https2 option\n"); exit(1); } if (!s2_addr || !s2_cert || !s2_key) { uwsgi_log("--https2 option needs addr, cert and key items\n"); exit(1); } struct uwsgi_gateway_socket *ugs = uwsgi_new_gateway_socket(s2_addr, ucr->name); // ok we have the socket, initialize ssl if required if (!uwsgi.ssl_initialized) { uwsgi_ssl_init(); } // initialize ssl context char *name = uhttp.https_session_context; if (!name) { name = uwsgi_concat3(ucr->short_name, "-", ugs->name); } #ifdef UWSGI_SPDY if (s2_spdy) { uhttp.spdy_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); uhttp.spdy3_settings = uwsgi_buffer_new(uwsgi.page_size); if (uwsgi_buffer_append(uhttp.spdy3_settings, "\x80\x03\x00\x04\x01", 5)) goto spdyerror; if (uwsgi_buffer_u24be(uhttp.spdy3_settings, (8 * 2) + 4)) goto spdyerror; if (uwsgi_buffer_u32be(uhttp.spdy3_settings, 2)) goto spdyerror; // SETTINGS_ROUND_TRIP_TIME if (uwsgi_buffer_append(uhttp.spdy3_settings, "\x01\x00\x00\x03", 4)) goto spdyerror; if (uwsgi_buffer_u32be(uhttp.spdy3_settings, 30 * 1000)) goto spdyerror; // SETTINGS_INITIAL_WINDOW_SIZE if (uwsgi_buffer_append(uhttp.spdy3_settings, "\x01\x00\x00\x07", 4)) goto spdyerror; if (uwsgi_buffer_u32be(uhttp.spdy3_settings, 8192)) goto spdyerror; uhttp.spdy3_settings_size = uhttp.spdy3_settings->pos; } #endif ugs->ctx = uwsgi_ssl_new_server_context(name, s2_cert, s2_key, s2_ciphers, s2_clientca); if (!ugs->ctx) { exit(1); } #ifdef UWSGI_SPDY if (s2_spdy) { SSL_CTX_set_info_callback(ugs->ctx, uwsgi_spdy_info_cb); SSL_CTX_set_next_protos_advertised_cb(ugs->ctx, uwsgi_spdy_npn, NULL); } #endif // set the ssl mode ugs->mode = UWSGI_HTTP_SSL; ucr->has_sockets++; return; #ifdef UWSGI_SPDY spdyerror: uwsgi_log("unable to initialize SPDY settings buffers\n"); exit(1); #endif }
int ssl_init(void) { hlog(LOG_INFO, "Initializing OpenSSL, built against %s ...", OPENSSL_VERSION_TEXT); OPENSSL_config(NULL); SSL_library_init(); SSL_load_error_strings(); ssl_thread_setup(); OpenSSL_add_all_algorithms(); load_tqsl_custom_objects(); #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef SSL_OP_NO_COMPRESSION { /* * Disable gzip compression in OpenSSL prior to 1.0.0 version, * this saves about 522K per connection. */ int n; STACK_OF(SSL_COMP) *ssl_comp_methods; ssl_comp_methods = SSL_COMP_get_compression_methods(); n = sk_SSL_COMP_num(ssl_comp_methods); while (n--) { (void) sk_SSL_COMP_pop(ssl_comp_methods); } } #endif #endif ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ssl_connection_index == -1) { ssl_error(LOG_ERR, "SSL_get_ex_new_index for connection"); return -1; } ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ssl_server_conf_index == -1) { ssl_error(LOG_ERR, "SSL_CTX_get_ex_new_index for conf"); return -1; } ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ssl_session_cache_index == -1) { ssl_error(LOG_ERR, "SSL_CTX_get_ex_new_index for session cache"); return -1; } ssl_available = 1; return 0; }
/* Init and free functions */ qvdclient *qvd_init(const char *hostname, const int port, const char *username, const char *password) { qvdclient *qvd; qvd_printf("Starting qvd_init. %s", qvd_get_version_text); if (strlen(username) + strlen(password) + 2 > MAX_USERPWD) { qvd_error(qvd, "Length of username and password + 2 is longer than %d\n", MAX_USERPWD); return NULL; } if (strlen(hostname) + 6 + strlen("https:///") + 2 > MAX_BASEURL) { qvd_error(qvd, "Length of hostname and port + scheme + 2 is longer than %d\n", MAX_BASEURL); return NULL; } if (! (qvd = (qvdclient *) malloc(sizeof(qvdclient)))) { qvd_error(qvd, "Error allocating memory: %s", strerror(errno)); return NULL; } if (snprintf(qvd->userpwd, MAX_USERPWD, "%s:%s", username, password) >= MAX_USERPWD) { qvd_error(qvd, "Error initializing userpwd (string too long)\n"); free(qvd); return NULL; } if (_qvd_set_base64_auth(qvd)) { qvd_error(qvd, "Error initializing authdigest\n"); free(qvd); return NULL; } if (snprintf(qvd->baseurl, MAX_BASEURL, "https://%s:%d", hostname, port) >= MAX_BASEURL) { qvd_error(qvd, "Error initializing baseurl(string too long)\n"); free(qvd); return NULL; } if (snprintf(qvd->useragent, MAX_USERAGENT, "%s %s", DEFAULT_USERAGENT_PRODUCT, curl_version()) >= MAX_USERAGENT) { qvd_error(qvd, "Error initializing useragent (string too long)\n"); free(qvd); return NULL; } qvd->curl = curl_easy_init(); if (!qvd->curl) { qvd_error(qvd, "Error initializing curl\n"); free(qvd); return NULL; } qvd_printf("Curl pointer is %p", qvd->curl); if (get_debug_level()) { curl_easy_setopt(qvd->curl, CURLOPT_VERBOSE, 1L); curl_easy_setopt(qvd->curl, CURLOPT_DEBUGFUNCTION, qvd_curl_debug_callback); } curl_easy_setopt(qvd->curl, CURLOPT_ERRORBUFFER, qvd->error_buffer); /* curl_easy_setopt(qvd->curl, CURLOPT_SSL_VERIFYPEER, 1L); */ /* curl_easy_setopt(qvd->curl, CURLOPT_SSL_VERIFYHOST, 2L); */ curl_easy_setopt(qvd->curl, CURLOPT_CERTINFO, 1L); curl_easy_setopt(qvd->curl, CURLOPT_CAPATH, qvd->certpath); curl_easy_setopt(qvd->curl, CURLOPT_SSL_CTX_FUNCTION, _qvd_sslctxfun); curl_easy_setopt(qvd->curl, CURLOPT_SSL_CTX_DATA, (void *)qvd); /* curl_easy_setopt(qvd->curl, CURLOPT_CAINFO, NULL);*/ _qvd_ssl_index = SSL_CTX_get_ex_new_index(0, (void *)qvd, NULL, NULL, NULL); curl_easy_setopt(qvd->curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(qvd->curl, CURLOPT_SSL_VERIFYHOST, 0L); curl_easy_setopt(qvd->curl, CURLOPT_TCP_NODELAY, 1L); /* curl_easy_setopt(qvd->curl, CURLOPT_FAILONERROR, 1L);*/ curl_easy_setopt(qvd->curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_BASIC); curl_easy_setopt(qvd->curl, CURLOPT_USERPWD, qvd->userpwd); curl_easy_setopt(qvd->curl, CURLOPT_WRITEFUNCTION, _qvd_write_buffer_callback); curl_easy_setopt(qvd->curl, CURLOPT_WRITEDATA, &(qvd->buffer)); curl_easy_setopt(qvd->curl, CURLOPT_USERAGENT, qvd->useragent); /* If client certificate CURLOPT_SSLCERT , CURLOPT_SSLKEY, CURLOPT_SSLCERTTYPE "PEM" */ /* Copy parameters */ strncpy(qvd->hostname, hostname, MAX_BASEURL); qvd->hostname[MAX_BASEURL - 1] = '\0'; qvd->port = port; strncpy(qvd->username, username, MAX_USERPWD); qvd->username[MAX_USERPWD - 1] = '\0'; strncpy(qvd->password, password, MAX_USERPWD); qvd->password[MAX_USERPWD - 1] = '\0'; strncpy(qvd->client_cert, "", MAX_PATH_STRING); strncpy(qvd->client_key, "", MAX_PATH_STRING); qvd->use_client_cert = 0; qvd->numvms = 0; qvd_set_link(qvd, DEFAULT_LINK); qvd_set_geometry(qvd, DEFAULT_GEOMETRY); qvd_set_os(qvd, DEFAULT_OS); qvd->keyboard = "pc%2F105"; qvd->fullscreen = 0; qvd->print_enabled = 0; qvd->ssl_no_cert_check = 0; qvd->ssl_verify_callback = NULL; qvd->progress_callback = NULL; qvd->userdata = NULL; qvd->nx_options = NULL; *(qvd->display) = '\0'; *(qvd->home) = '\0'; strcpy(qvd->error_buffer, ""); QvdBufferInit(&(qvd->buffer)); if (!(qvd->vmlist = malloc(sizeof(vmlist)))) { free(qvd); return NULL; } QvdVmListInit(qvd->vmlist); return qvd; }