static int tls1_final_finish_mac(SSL *ssl, int from_server, uint8_t *out) { /* At this point, the handshake should have released the handshake buffer on * its own. */ assert(ssl->s3->handshake_buffer == NULL); const char *label = TLS_MD_CLIENT_FINISH_CONST; size_t label_len = TLS_MD_SERVER_FINISH_CONST_SIZE; if (from_server) { label = TLS_MD_SERVER_FINISH_CONST; label_len = TLS_MD_SERVER_FINISH_CONST_SIZE; } uint8_t buf[EVP_MAX_MD_SIZE]; int digests_len = tls1_handshake_digest(ssl, buf, sizeof(buf)); if (digests_len < 0) { return 0; } static const size_t kFinishedLen = 12; if (!ssl->s3->enc_method->prf(ssl, out, kFinishedLen, SSL_get_session(ssl)->master_key, SSL_get_session(ssl)->master_key_length, label, label_len, buf, digests_len, NULL, 0)) { return 0; } return (int)kFinishedLen; }
int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) { return ssl->s3->enc_method->prf( ssl, out, out_len, SSL_get_session(ssl)->master_key, SSL_get_session(ssl)->master_key_length, TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE, ssl->s3->client_random, SSL3_RANDOM_SIZE); }
int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len, const uint8_t *context, size_t context_len, int use_context) { if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) { return 0; } /* Exporters may not be used in the middle of a renegotiation. */ if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) { return 0; } if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { return tls13_export_keying_material(ssl, out, out_len, label, label_len, context, context_len, use_context); } size_t seed_len = 2 * SSL3_RANDOM_SIZE; if (use_context) { if (context_len >= 1u << 16) { OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); return 0; } seed_len += 2 + context_len; } uint8_t *seed = OPENSSL_malloc(seed_len); if (seed == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return 0; } OPENSSL_memcpy(seed, ssl->s3->client_random, SSL3_RANDOM_SIZE); OPENSSL_memcpy(seed + SSL3_RANDOM_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE); if (use_context) { seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8); seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len; OPENSSL_memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len); } const EVP_MD *digest = ssl_get_handshake_digest( SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl)); if (digest == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; } int ret = tls1_prf(digest, out, out_len, SSL_get_session(ssl)->master_key, SSL_get_session(ssl)->master_key_length, label, label_len, seed, seed_len, NULL, 0); OPENSSL_free(seed); return ret; }
void save_session(SSL *ssl, int privilege) { SSL_SESSION* session; const unsigned char *sess_id; int sess_id_len; GDBM_FILE database; datum key, data; session = SSL_get_session(ssl); sess_id = SSL_SESSION_get_id(session, &sess_id_len); /* write session to dbm */ key.dptr = (char *)sess_id; key.dsize = strlen(key.dptr); database = gdbm_open(https_d.sess_db_name, 0, GDBM_WRITER | GDBM_NOMMAP , S_IRWXU, NULL); switch (privilege) { case ADMIN_PRIV: data.dptr = "ADMIN"; data.dsize = strlen(data.dptr); gdbm_store(database, key, data, GDBM_REPLACE); break; case GUEST_PRIV: data.dptr = "GUEST"; data.dsize = strlen(data.dptr); gdbm_store(database, key, data, GDBM_REPLACE); break; } gdbm_close(database); printf("session id: %s", sess_id); }
void ssl_write_session(FILE * fp, SSL * ssl) { SSL_SESSION *s; s = SSL_get_session(ssl); PEM_write_SSL_SESSION(fp, s); }
void describeSession(SSL *ssl) { SSL_SESSION *session = SSL_get_session(ssl); CHECK(session != NULL); char *s; s = hex_to_string(session->session_id, session->session_id_length); fprintf(stderr, "Session ID: %s\n", s); OPENSSL_free(s); s = hex_to_string(session->sid_ctx, session->sid_ctx_length); fprintf(stderr, "Session ID CTX: %s\n", s); OPENSSL_free(s); #if 0 if (session->tlsext_ticklen > 0) { s = hex_to_string(session->tlsext_tick, session->tlsext_ticklen); fprintf(stderr, "Session Ticket: %s\n", s); OPENSSL_free(s); } #endif }
int check_privileges(SSL *ssl) { SSL_SESSION* session; const unsigned char *sess_id; int sess_id_len; GDBM_FILE database; datum key, data; int ret = 0; session = SSL_get_session(ssl); sess_id = SSL_SESSION_get_id(session, &sess_id_len); /* check session id in database */ key.dptr = (char *)sess_id; key.dsize = strlen(key.dptr); database = gdbm_open(https_d.sess_db_name, 0, GDBM_READER | GDBM_NOMMAP, S_IRWXU, NULL); data = gdbm_fetch(database, key); if (data.dptr != NULL) { if (!strcmp(data.dptr, "ADMIN")) { ret = ADMIN_PRIV; } else if (!strcmp(data.dptr, "GUEST")) { ret = GUEST_PRIV; } } gdbm_close(database); printf("session id: %s", sess_id); return ret; }
// print client random id and master key in NSS keylog format // as session ID is not enough. int SSL_SESSION_print_client_random(BIO *bp, const SSL *ssl) { const SSL_SESSION *x = SSL_get_session(ssl); size_t i; if (x == NULL) goto err; if (x->session_id_length == 0 || x->master_key_length == 0) goto err; if (BIO_puts(bp, "CLIENT_RANDOM ") <= 0) goto err; for (i = 0; i < sizeof(ssl->s3->client_random); i++) { if (BIO_printf(bp, "%02X", ssl->s3->client_random[i]) <= 0) goto err; } if (BIO_puts(bp, " ") <= 0) goto err; for (i = 0; i < (size_t)x->master_key_length; i++) { if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } if (BIO_puts(bp, "\n") <= 0) goto err; return (1); err: return (0); }
// // Constructor // SSLSession::SSLSession(SSLContext* context, const SSL* ssl, const char* peer_host, int peer_port) throw(IOException, SystemException) { _context = context; _ssl = ssl; #if (defined OPENSSL_VERSION_NUMBER >= 0x00908000L) _session = SSL_get_session(ssl); #else _session = SSL_get_session((SSL*)ssl); #endif _peer_host = strdup(peer_host); _peer_port = peer_port; }
static void print_ciphersuite_data(BIO *io, SSL *ssl, int js) { SSL_SESSION* session = SSL_get_session(ssl); long protocol = SSL_version(ssl); const char *protocol_name = get_protocol_name(protocol); const char *eol = js ? "\\n\\\n" : "\n"; if(BIO_printf(io, "Version: 0x%lx %s%s", protocol, protocol_name, eol) <= 0) err_exit("Write error"); if(BIO_printf(io, "Current cipher: %s%s", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)), eol) <= 0) err_exit("Write error"); STACK_OF(SSL_CIPHER) *ciphers = session->ciphers; SSL_CIPHER *c; int n = sk_SSL_CIPHER_num(ciphers); if(BIO_printf(io, "client sent %d ciphers%s", n, eol) <= 0) err_exit("Write error"); int i; for (i = 0; i < n; i++) { c = sk_SSL_CIPHER_value(ciphers, i); if(BIO_printf(io, "client [%2d of %2d]: %s%s", i, n, SSL_CIPHER_get_name(c), eol) <= 0) err_exit("Write error"); } }
SSL_SESSION *SSL_get1_session(SSL *ssl) { SSL_SESSION *ret = SSL_get_session(ssl); if (ret != NULL) { SSL_SESSION_up_ref(ret); } return ret; }
/* establish SSL connection between client and server SYNOPSIS my_ssl_connect ssl ssl object RETURN VALUES 0 success 1 error */ int my_ssl_connect(SSL *ssl) { my_bool blocking; MYSQL *mysql; DBUG_ENTER("my_ssl_connect"); DBUG_ASSERT(ssl != NULL); mysql= (MYSQL *)SSL_get_app_data(ssl); CLEAR_CLIENT_ERROR(mysql); /* Set socket to blocking if not already set */ if (!(blocking= vio_is_blocking(mysql->net.vio))) vio_blocking(mysql->net.vio, TRUE); SSL_clear(ssl); SSL_SESSION_set_timeout(SSL_get_session(ssl), mysql->options.connect_timeout); SSL_set_fd(ssl, mysql->net.vio->sd); if (SSL_connect(ssl) != 1) { my_SSL_error(mysql); /* restore blocking mode */ if (!blocking) vio_blocking(mysql->net.vio, FALSE); DBUG_RETURN(1); } vio_reset(mysql->net.vio, VIO_TYPE_SSL, mysql->net.vio->sd, 0, 0); mysql->net.vio->ssl= ssl; DBUG_RETURN(0); }
int bud_client_ssl_cert_cb(SSL* ssl, void* arg) { bud_client_t* client; bud_client_error_t err; SSL_SESSION* sess; client = (bud_client_t*) arg; DBG(&client->backend, "ssl_cert_cb {%d}", client->async_hello); /* Finished, or no need to perform anything async */ if (client->async_hello == kBudProgressDone) return 1; /* Already running, please wait */ if (client->async_hello == kBudProgressRunning) return -1; /* Set hello */ sess = SSL_get_session(ssl); if (sess == NULL || sess->tlsext_hostname == NULL) { client->hello.servername = NULL; client->hello.servername_len = 0; } else { client->hello.servername = sess->tlsext_hostname; client->hello.servername_len = strlen(sess->tlsext_hostname); } client->hello.ocsp_request = ssl->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp ? 1 : 0; err = bud_client_on_hello(client); if (!bud_is_ok(err.err)) return 0; return -1; }
/* establish SSL connection between client and server SYNOPSIS my_ssl_connect ssl ssl object RETURN VALUES 0 success 1 error */ int my_ssl_connect(SSL *ssl) { my_bool blocking; MYSQL *mysql; long rc; my_bool try_connect= 1; DBUG_ENTER("my_ssl_connect"); DBUG_ASSERT(ssl != NULL); mysql= (MYSQL *)SSL_get_app_data(ssl); CLEAR_CLIENT_ERROR(mysql); /* Set socket to non blocking */ if (!(blocking= vio_is_blocking(mysql->net.vio))) vio_blocking(mysql->net.vio, FALSE, 0); SSL_clear(ssl); SSL_SESSION_set_timeout(SSL_get_session(ssl), mysql->options.connect_timeout); SSL_set_fd(ssl, mysql->net.vio->sd); while (try_connect && (rc= SSL_connect(ssl)) == -1) { switch(SSL_get_error(ssl, rc)) { case SSL_ERROR_WANT_READ: if (vio_wait_or_timeout(mysql->net.vio, TRUE, mysql->options.connect_timeout) < 1) try_connect= 0; break; case SSL_ERROR_WANT_WRITE: if (vio_wait_or_timeout(mysql->net.vio, TRUE, mysql->options.connect_timeout) < 1) try_connect= 0; break; default: try_connect= 0; } } if (rc != 1) { my_SSL_error(mysql); DBUG_RETURN(1); } rc= SSL_get_verify_result(ssl); if (rc != X509_V_OK) { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, ER(CR_SSL_CONNECTION_ERROR), X509_verify_cert_error_string(rc)); /* restore blocking mode */ if (!blocking) vio_blocking(mysql->net.vio, FALSE, 0); DBUG_RETURN(1); } vio_reset(mysql->net.vio, VIO_TYPE_SSL, mysql->net.vio->sd, 0, 0); mysql->net.vio->ssl= ssl; DBUG_RETURN(0); }
USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #define __STDC_WANT_LIB_EXT1__ 1 #include <string.h> #include <openssl/hmac.h> #include <freeradius-devel/util/sha1.h> #include <freeradius-devel/tls/base.h> #include <freeradius-devel/tls/missing.h> #include "tls.h" #include "base.h" #include "attrs.h" #define EAP_TLS_MPPE_KEY_LEN 32 /** Generate keys according to RFC 2716 and add to the reply * */ int eap_crypto_mppe_keys(REQUEST *request, SSL *ssl, char const *prf_label, size_t prf_label_len) { uint8_t out[4 * EAP_TLS_MPPE_KEY_LEN]; uint8_t *p; if (SSL_export_keying_material(ssl, out, sizeof(out), prf_label, prf_label_len, NULL, 0, 0) != 1) { tls_log_error(request, "Failed generating MPPE keys"); return -1; } if (RDEBUG_ENABLED3) { uint8_t random[SSL3_RANDOM_SIZE]; size_t random_len; uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH]; size_t master_key_len; RDEBUG3("Key Derivation Function input"); RINDENT(); RDEBUG3("prf label : %pV", fr_box_strvalue_len(prf_label, prf_label_len)); master_key_len = SSL_SESSION_get_master_key(SSL_get_session(ssl), master_key, sizeof(master_key)); RDEBUG3("master session key : %pH", fr_box_octets(master_key, master_key_len)); random_len = SSL_get_client_random(ssl, random, SSL3_RANDOM_SIZE); RDEBUG3("client random : %pH", fr_box_octets(random, random_len)); random_len = SSL_get_server_random(ssl, random, SSL3_RANDOM_SIZE); RDEBUG3("server random : %pH", fr_box_octets(random, random_len)); REXDENT(); } RDEBUG2("Adding session keys"); p = out; eap_add_reply(request, attr_ms_mppe_recv_key, p, EAP_TLS_MPPE_KEY_LEN); p += EAP_TLS_MPPE_KEY_LEN; eap_add_reply(request, attr_ms_mppe_send_key, p, EAP_TLS_MPPE_KEY_LEN); eap_add_reply(request, attr_eap_msk, out, 64); eap_add_reply(request, attr_eap_emsk, out + 64, 64); return 0; }
STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) { SSL_SESSION *session = SSL_get_session(ssl); if (session == NULL) { return NULL; } return session->certs; }
long SSL_get_verify_result(const SSL *ssl) { check_ssl_x509_method(ssl); SSL_SESSION *session = SSL_get_session(ssl); if (session == NULL) { return X509_V_ERR_INVALID_CALL; } return session->verify_result; }
static void ssl_rdwr_handler(connections_head_t *head, connection_t *conn) { /* We have data on the fd waiting to be read. Read and * display it. We must read what ever data is availabe * completely, as we are running in edge-triggered mode * and won't get a notification again for the same data */ int done = 0; ssize_t count, wrlen; char buf[512]; SSL_SESSION *sess; sess = SSL_get_session(conn->ssl); printf("The session is %p\n", sess); while (1) { count = SSL_read(conn->ssl, buf, sizeof buf); if (-1 == count) { /* If errno == EAGAIN, that means we have read all * data. So go back to the main loop. */ if (errno != EAGAIN) { ERROR_MSG("SSL_read\n"); done = 1; } break; } else if (0 == count) { /* End of file. The remote has closed the * connection */ done = 1; printf("%s|%d|remote close socket\n", __FILE__, __LINE__); break; } wrlen = SSL_write(conn->ssl, buf, count); if (wrlen <= 0) { if (errno != EAGAIN) { ERROR_MSG("SSL_write"); done = 1; } } else { /* write ok, wait for the next read */ break; } } if (done) { printf("Closed connection on descriptor %d\n", conn->fd); /* Closing the descriptor wil make epoll remove it * from the set of descriptors which are monitored. */ free_connection(head, conn); } }
STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl) { check_ssl_x509_method(ssl); SSL_SESSION *session = SSL_get_session(ssl); if (session == NULL) { return NULL; } return session->x509_chain; }
/*********************************************************************** * doConnection - make a connection * Args: * scon = earlier ssl connection for session id, or NULL * Returns: * SSL * = the connection pointer. */ static SSL * doConnection(SSL * scon) { BIO *conn; SSL *serverCon; int width, i; fd_set readfds; if ((conn = BIO_new(BIO_s_connect())) == NULL) return (NULL); /* BIO_set_conn_port(conn,port);*/ BIO_set_conn_hostname(conn, host); if (scon == NULL) serverCon = SSL_new(tm_ctx); else { serverCon = scon; SSL_set_connect_state(serverCon); } SSL_set_bio(serverCon, conn, conn); #if 0 if (scon != NULL) SSL_set_session(serverCon, SSL_get_session(scon)); #endif /* ok, lets connect */ for (;;) { i = SSL_connect(serverCon); if (BIO_sock_should_retry(i)) { BIO_printf(bio_err, "DELAY\n"); i = SSL_get_fd(serverCon); width = i + 1; FD_ZERO(&readfds); FD_SET(i, &readfds); select(width, &readfds, NULL, NULL, NULL); continue; } break; } if (i <= 0) { BIO_printf(bio_err, "ERROR\n"); if (verify_error != X509_V_OK) BIO_printf(bio_err, "verify error:%s\n", X509_verify_cert_error_string(verify_error)); else ERR_print_errors(bio_err); if (scon == NULL) SSL_free(serverCon); return NULL; } return serverCon; }
int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len, const uint8_t *context, size_t context_len, int use_context) { if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) { return 0; } if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { return tls13_export_keying_material(ssl, out, out_len, label, label_len, context, context_len, use_context); } size_t seed_len = 2 * SSL3_RANDOM_SIZE; if (use_context) { if (context_len >= 1u << 16) { OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); return 0; } seed_len += 2 + context_len; } uint8_t *seed = OPENSSL_malloc(seed_len); if (seed == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return 0; } memcpy(seed, ssl->s3->client_random, SSL3_RANDOM_SIZE); memcpy(seed + SSL3_RANDOM_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE); if (use_context) { seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8); seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len; memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len); } int ret = ssl->s3->enc_method->prf(ssl, out, out_len, SSL_get_session(ssl)->master_key, SSL_get_session(ssl)->master_key_length, label, label_len, seed, seed_len, NULL, 0); OPENSSL_free(seed); return ret; }
void writeSession(SSL *ssl, const char *filename) { FILE *fd = fopen(filename,"w"); CHECK(fd != NULL); // We can faff with i2d_SSL_SESSION() but this is easier SSL_SESSION *session = SSL_get_session(ssl); CHECK(session != NULL); PEM_write_SSL_SESSION(fd,session); fclose(fd); }
void ssl_teardown(SSL_CTX *ctx, SSL * conn ){ SSL_SESSION *session = NULL; session = SSL_get_session (conn); if (session) SSL_CTX_remove_session (ctx, session); if (conn) SSL_free (conn); }
/* * Extract the session id and store it in the session cache. */ static int Store_SSL_Session(struct connectdata *conn) { SSL_SESSION *ssl_sessionid; int i; struct SessionHandle *data=conn->data; /* the mother of all structs */ struct curl_ssl_session *store = &data->state.session[0]; int oldest_age=data->state.session[0].age; /* zero if unused */ /* ask OpenSSL, say please */ #ifdef HAVE_SSL_GET1_SESSION ssl_sessionid = SSL_get1_session(conn->ssl.handle); /* SSL_get1_session() will increment the reference count and the session will stay in memory until explicitly freed with SSL_SESSION_free(3), regardless of its state. This function was introduced in openssl 0.9.5a. */ #else ssl_sessionid = SSL_get_session(conn->ssl.handle); /* if SSL_get1_session() is unavailable, use SSL_get_session(). This is an inferior option because the session can be flushed at any time by openssl. It is included only so curl compiles under versions of openssl < 0.9.5a. WARNING: How curl behaves if it's session is flushed is untested. */ #endif /* Now we should add the session ID and the host name to the cache, (remove the oldest if necessary) */ /* find an empty slot for us, or find the oldest */ for(i=1; (i<data->set.ssl.numsessions) && data->state.session[i].sessionid; i++) { if(data->state.session[i].age < oldest_age) { oldest_age = data->state.session[i].age; store = &data->state.session[i]; } } if(i == data->set.ssl.numsessions) /* cache is full, we must "kill" the oldest entry! */ Kill_Single_Session(store); else store = &data->state.session[i]; /* use this slot */ /* now init the session struct wisely */ store->sessionid = ssl_sessionid; store->age = data->state.sessionage; /* set current age */ store->name = strdup(conn->name); /* clone host name */ store->remote_port = conn->remote_port; /* port number */ return 0; }
X509 *SSL_get_peer_certificate(const SSL *ssl) { check_ssl_x509_method(ssl); if (ssl == NULL) { return NULL; } SSL_SESSION *session = SSL_get_session(ssl); if (session == NULL || session->x509_peer == NULL) { return NULL; } X509_up_ref(session->x509_peer); return session->x509_peer; }
int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) { if (ssl3_protocol_version(ssl) == SSL3_VERSION) { return ssl3_prf(out, out_len, SSL_get_session(ssl)->master_key, SSL_get_session(ssl)->master_key_length, TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE, ssl->s3->client_random, SSL3_RANDOM_SIZE); } const EVP_MD *digest = ssl_get_handshake_digest( SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl)); if (digest == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; } return tls1_prf(digest, out, out_len, SSL_get_session(ssl)->master_key, SSL_get_session(ssl)->master_key_length, TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE, ssl->s3->client_random, SSL3_RANDOM_SIZE); }
static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext) { SSL_SESSION *session = SSL_get_session(TLScontext->con); SSL_CTX_remove_session(ctx, session); if (TLScontext->cache_type == 0 || TLScontext->serverid == 0) return; if (TLScontext->log_level >= 2) acl_msg_info("remove session %s from client cache", TLScontext->serverid); tls_mgr_delete(TLScontext->cache_type, TLScontext->serverid); }
static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext) { SSL_SESSION *session = SSL_get_session(TLScontext->con); SSL_CTX_remove_session(ctx, session); if (TLScontext->cache_type == 0 || TLScontext->serverid == 0) return; if (TLScontext->log_mask & TLS_LOG_CACHE) /* serverid contains transport:addr:port information */ msg_info("remove session %s from client cache", TLScontext->serverid); tls_mgr_delete(TLScontext->cache_type, TLScontext->serverid); }
/** Return true iff the cipher list suggested by the client for <b>ssl</b> is * a list that indicates that the client knows how to do the v2 TLS connection * handshake. */ static int tor_tls_client_is_using_v2_ciphers(const SSL *ssl, const char *address) { int i; SSL_SESSION *session; /* If we reached this point, we just got a client hello. See if there is * a cipher list. */ if (!(session = SSL_get_session((SSL *)ssl))) { log_warn(LD_NET, "No session on TLS?"); return 0; } if (!session->ciphers) { log_warn(LD_NET, "No ciphers on session"); return 0; } /* Now we need to see if there are any ciphers whose presence means we're * dealing with an updated Tor. */ for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) { SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i); const char *ciphername = SSL_CIPHER_get_name(cipher); if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) && strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) && strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) && strcmp(ciphername, "(NONE)")) { /* XXXX should be ld_debug */ log_info(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername); // return 1; goto dump_list; } } return 0; dump_list: { smartlist_t *elts = smartlist_create(); char *s; for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) { SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i); const char *ciphername = SSL_CIPHER_get_name(cipher); smartlist_add(elts, (char*)ciphername); } s = smartlist_join_strings(elts, ":", 0, NULL); log_info(LD_NET, "Got a non-version-1 cipher list from %s. It is: '%s'", address, s); tor_free(s); smartlist_free(elts); } return 1; }
/* establish SSL connection between client and server SYNOPSIS my_ssl_connect ssl ssl object RETURN VALUES 0 success 1 error */ int my_ssl_connect(SSL *ssl) { my_bool blocking; MYSQL *mysql; long rc; DBUG_ENTER("my_ssl_connect"); DBUG_ASSERT(ssl != NULL); mysql= (MYSQL *)SSL_get_app_data(ssl); CLEAR_CLIENT_ERROR(mysql); /* Set socket to blocking if not already set */ if (!(blocking= vio_is_blocking(mysql->net.vio))) vio_blocking(mysql->net.vio, TRUE, 0); SSL_clear(ssl); SSL_SESSION_set_timeout(SSL_get_session(ssl), mysql->options.connect_timeout); SSL_set_fd(ssl, mysql->net.vio->sd); if (SSL_connect(ssl) != 1) { my_SSL_error(mysql); /* restore blocking mode */ if (!blocking) vio_blocking(mysql->net.vio, FALSE, 0); DBUG_RETURN(1); } rc= SSL_get_verify_result(ssl); if (rc != X509_V_OK) { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, ER(CR_SSL_CONNECTION_ERROR), X509_verify_cert_error_string(rc)); /* restore blocking mode */ if (!blocking) vio_blocking(mysql->net.vio, FALSE, 0); DBUG_RETURN(1); } vio_reset(mysql->net.vio, VIO_TYPE_SSL, mysql->net.vio->sd, 0, 0); mysql->net.vio->ssl= ssl; DBUG_RETURN(0); }