int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
int verify_peer, const char *subject_match)
{
if (conn == NULL)
return -1;
free(conn->subject_match);
conn->subject_match = NULL;
if (subject_match) {
conn->subject_match = strdup(subject_match);
if (conn->subject_match == NULL)
return -1;
}
if (verify_peer) {
SSL_set_app_data(conn->ssl, conn);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
} else {
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
}
SSL_set_accept_state(conn->ssl);
return 0;
}
int dtls_flow_start(struct dtls_flow *flow, const struct sa *peer, bool active)
{
int r, err = 0;
if (!flow || !peer)
return EINVAL;
flow->peer = *peer;
if (active) {
r = SSL_connect(flow->ssl);
if (r < 0) {
int ssl_err = SSL_get_error(flow->ssl, r);
ERR_clear_error();
if (ssl_err != SSL_ERROR_WANT_READ) {
warning("dtls: SSL_connect() failed"
" (err=%d)\n", ssl_err);
}
}
check_timer(flow);
}
else {
SSL_set_accept_state(flow->ssl);
SSL_set_verify_depth(flow->ssl, 0);
SSL_set_verify(flow->ssl,
SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
verify_callback);
}
return err;
}
static void er_dtls_connection_set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *pspec)
{
ErDtlsConnection *self = ER_DTLS_CONNECTION(object);
ErDtlsAgent *agent;
ErDtlsConnectionPrivate *priv = self->priv;
SSL_CTX *ssl_context;
switch (prop_id) {
case PROP_AGENT:
g_return_if_fail(!priv->ssl);
agent = ER_DTLS_AGENT(g_value_get_object(value));
g_return_if_fail(ER_IS_DTLS_AGENT(agent));
ssl_context = _er_dtls_agent_peek_context(agent);
priv->ssl = SSL_new(ssl_context);
g_return_if_fail(priv->ssl);
priv->bio = BIO_new(BIO_s_er_dtls_connection());
g_return_if_fail(priv->bio);
priv->bio->ptr = self;
SSL_set_bio(priv->ssl, priv->bio, priv->bio);
SSL_set_verify(priv->ssl,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, openssl_verify_callback);
SSL_set_ex_data(priv->ssl, connection_ex_index, self);
log_state(self, "connection created");
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID(self, prop_id, pspec);
}
}
/*
allocates a new ssl object
SYNOPSIS
my_ssl_init
mysql connection object
RETURN VALUES
NULL on error
SSL new SSL object
*/
SSL *my_ssl_init(MYSQL *mysql)
{
int verify;
SSL *ssl= NULL;
DBUG_ENTER("my_ssl_init");
DBUG_ASSERT(mysql->net.vio->ssl == NULL);
if (!my_ssl_initialized)
my_ssl_start(mysql);
if (!(ssl= SSL_new(SSL_context)))
goto error;
if (!SSL_set_app_data(ssl, mysql))
goto error;
if (my_ssl_set_certs(ssl))
goto error;
verify= (!mysql->options.ssl_ca && !mysql->options.ssl_capath) ?
SSL_VERIFY_NONE : SSL_VERIFY_PEER;
SSL_set_verify(ssl, verify, my_verify_callback);
SSL_set_verify_depth(ssl, 1);
DBUG_RETURN(ssl);
error:
if (ssl)
SSL_free(ssl);
DBUG_RETURN(NULL);
}
VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
VALUE obj;
SSL_CTX* ctx;
SSL* ssl;
ms_conn* conn = engine_alloc(self, &obj);
ID sym_key = rb_intern("key");
VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0);
ID sym_cert = rb_intern("cert");
VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0);
ID sym_ca = rb_intern("ca");
VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0);
ID sym_verify_mode = rb_intern("verify_mode");
VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);
ctx = SSL_CTX_new(SSLv23_server_method());
conn->ctx = ctx;
SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
if (!NIL_P(ca)) {
SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
}
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION);
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
DH *dh = get_dh1024();
SSL_CTX_set_tmp_dh(ctx, dh);
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp521r1);
if (ecdh) {
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
ssl = SSL_new(ctx);
conn->ssl = ssl;
SSL_set_app_data(ssl, NULL);
if (NIL_P(verify_mode)) {
/* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
} else {
SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback);
}
SSL_set_bio(ssl, conn->read, conn->write);
SSL_set_accept_state(ssl);
return obj;
}
/* set the paths for the certs to verify the server */
int upscli_sslcert(UPSCONN *ups, const char *file, const char *path, int verify)
{
int ret, ssl_mode = SSL_VERIFY_NONE;
if (!ups)
return -1;
if (!ups->ssl_ctx) {
ups->upserror = UPSCLI_ERR_INVALIDARG;
return -1;
}
switch(verify) {
case 0: ssl_mode = SSL_VERIFY_NONE; break;
case 1: ssl_mode = SSL_VERIFY_PEER; break;
default:
ups->upserror = UPSCLI_ERR_INVALIDARG;
return -1;
}
ret = SSL_CTX_load_verify_locations(ups->ssl_ctx, file, path);
if (ret != 1) {
ups->upserror = UPSCLI_ERR_SSLERR;
return -1;
}
SSL_set_verify(ups->ssl, ssl_mode, NULL);
return 1;
}
bool SSLSocket::waitAccepted(uint64_t millis) {
if(!ssl) {
if(!Socket::waitAccepted(millis)) {
return false;
}
ssl.reset(SSL_new(ctx));
if(!ssl)
checkSSL(-1);
if(!verifyData) {
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
} else SSL_set_ex_data(ssl, CryptoManager::idxVerifyData, verifyData.get());
checkSSL(SSL_set_fd(ssl, static_cast<int>(getSock())));
}
if(SSL_is_init_finished(ssl)) {
return true;
}
while(true) {
int ret = SSL_accept(ssl);
if(ret == 1) {
dcdebug("Connected to SSL client using %s\n", SSL_get_cipher(ssl));
return true;
}
if(!waitWant(ret, millis)) {
return false;
}
}
}
SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const unsigned long binding):
bIsServer (is_server),
bHandshakeCompleted (false),
bVerifyPeer (verify_peer),
pSSL (NULL),
pbioRead (NULL),
pbioWrite (NULL)
{
/* TODO someday: make it possible to re-use SSL contexts so we don't have to create
* a new one every time we come here.
*/
Context = new SslContext_t (bIsServer, privkeyfile, certchainfile);
assert (Context);
pbioRead = BIO_new (BIO_s_mem());
assert (pbioRead);
pbioWrite = BIO_new (BIO_s_mem());
assert (pbioWrite);
pSSL = SSL_new (Context->pCtx);
assert (pSSL);
SSL_set_bio (pSSL, pbioRead, pbioWrite);
// Store a pointer to the binding signature in the SSL object so we can retrieve it later
SSL_set_ex_data(pSSL, 0, (void*) binding);
if (bVerifyPeer)
SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper);
if (!bIsServer)
SSL_connect (pSSL);
}
SSLClient::SSLClient(int sock, SSLClient::ERole role, const SSLConfig &ctx)
throw(SocketConnectionClosed, SSLError)
: SSLSocket(ctx), TCPSocket::TCPSocket(sock)
{
m_SSL = SSL_new(m_CTX);
SSL_set_mode(m_SSL, SSL_MODE_AUTO_RETRY);
m_BIO = BIO_new_socket(GetSocket(), BIO_NOCLOSE);
SSL_set_bio(m_SSL, m_BIO, m_BIO);
switch(role)
{
case SSLClient::CLIENT:
if(SSL_connect(m_SSL) < 0)
throw SSLError("Connect error");
break;
case SSLClient::SERVER_FORCE_CERT:
SSL_set_verify(m_SSL,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
0);
case SSLClient::SERVER:
{
if(SSL_accept(m_SSL) < 0)
throw SSLError("Accept error");
}
break;
}
}
int AC_CLD_Connector::connect_svc_handler
(AC_Output_Handler *&svc_handler,
const ACE_SOCK_Connector::PEER_ADDR &remote_addr,
ACE_Time_Value *timeout,
const ACE_SOCK_Connector::PEER_ADDR &local_addr,
int reuse_addr, int flags, int perms) {
if (PARENT::connect_svc_handler
(svc_handler, remote_addr, timeout,
local_addr, reuse_addr, flags, perms) == -1) return -1;
SSL_clear (ssl_);
#if defined (ACE_WIN32)
// ACE_WIN32 is the only platform where ACE_HANDLE is not an int.
// See ace/config-lite.h for the typedefs.
SSL_set_fd (ssl_,
reinterpret_cast<int> (svc_handler->get_handle ()));
#else
SSL_set_fd (ssl_, svc_handler->get_handle ());
#endif /* ACE_WIN32 */
SSL_set_verify (ssl_, SSL_VERIFY_PEER, 0);
if (SSL_connect (ssl_) == -1
|| SSL_shutdown (ssl_) == -1) return -1;
remote_addr_ = remote_addr;
return 0;
}
static int
openssl_iostream_set(struct ssl_iostream *ssl_io,
const struct ssl_iostream_settings *set,
const char **error_r)
{
const struct ssl_iostream_settings *ctx_set = ssl_io->ctx->set;
int verify_flags;
if (set->verbose)
SSL_set_info_callback(ssl_io->ssl, openssl_info_callback);
if (set->cipher_list != NULL &&
strcmp(ctx_set->cipher_list, set->cipher_list) != 0) {
if (!SSL_set_cipher_list(ssl_io->ssl, set->cipher_list)) {
*error_r = t_strdup_printf(
"Can't set cipher list to '%s': %s",
set->cipher_list, openssl_iostream_error());
return -1;
}
}
if (set->protocols != NULL) {
SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
SSL_set_options(ssl_io->ssl,
openssl_get_protocol_options(set->protocols));
}
if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) {
if (openssl_iostream_use_certificate(ssl_io, set->cert, error_r) < 0)
return -1;
}
if (set->key != NULL && strcmp(ctx_set->key, set->key) != 0) {
if (openssl_iostream_use_key(ssl_io, set, error_r) < 0)
return -1;
}
if (set->verify_remote_cert) {
if (ssl_io->ctx->client_ctx)
verify_flags = SSL_VERIFY_NONE;
else
verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
SSL_set_verify(ssl_io->ssl, verify_flags,
openssl_iostream_verify_client_cert);
}
if (set->cert_username_field != NULL) {
ssl_io->username_nid = OBJ_txt2nid(set->cert_username_field);
if (ssl_io->username_nid == NID_undef) {
*error_r = t_strdup_printf(
"Invalid cert_username_field: %s",
set->cert_username_field);
return -1;
}
} else {
ssl_io->username_nid = ssl_io->ctx->username_nid;
}
ssl_io->verbose = set->verbose;
ssl_io->verbose_invalid_cert = set->verbose_invalid_cert || set->verbose;
ssl_io->require_valid_cert = set->require_valid_cert;
return 0;
}
// XXX Clean up this function, we MUST handle all errors possible
int krypt_set_rsa(krypt_t *kconn)
{
if (kconn->security_level == KRYPT_RSA) {
jlog(L_NOTICE, "the security level is already set to RSA");
return 0;
}
SSL_set_cipher_list(kconn->ssl, "AES256-SHA");
// Load the trusted certificate store into our SSL_CTX
SSL_CTX_set_cert_store(kconn->ctx, kconn->passport->trusted_authority);
// Force the peer cert verifying + fail if no cert is sent by the peer
SSL_set_verify(kconn->ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
// Set the certificate and key
SSL_use_certificate(kconn->ssl, kconn->passport->certificate);
SSL_use_PrivateKey(kconn->ssl, kconn->passport->keyring);
if (kconn->conn_type == KRYPT_SERVER) {
jlog(L_NOTICE, "set verify");
// Change the session id to avoid resuming ADH session
SSL_set_session_id_context(kconn->ssl, (void*)&s_server_auth_session_id_context,
sizeof(s_server_auth_session_id_context));
}
kconn->security_level = KRYPT_RSA;
return 0;
}
SpiceOpenSSLVerify* spice_openssl_verify_new(SSL *ssl, SPICE_SSL_VERIFY_OP verifyop,
const char *hostname,
const char *pubkey, size_t pubkey_size,
const char *subject)
{
SpiceOpenSSLVerify *v;
if (!verifyop)
return NULL;
v = spice_new0(SpiceOpenSSLVerify, 1);
v->ssl = ssl;
v->verifyop = verifyop;
v->hostname = spice_strdup(hostname);
v->pubkey = (char*)spice_memdup(pubkey, pubkey_size);
v->pubkey_size = pubkey_size;
v->subject = spice_strdup(subject);
v->all_preverify_ok = 1;
SSL_set_app_data(ssl, v);
SSL_set_verify(ssl,
SSL_VERIFY_PEER, openssl_verify);
return v;
}
tnet_dtls_socket_handle_t* tnet_dtls_socket_create(struct tnet_socket_s* wrapped_sock, struct ssl_ctx_st* ssl_ctx)
{
#if !HAVE_OPENSSL || !HAVE_OPENSSL_DTLS
TSK_DEBUG_ERROR("OpenSSL or DTLS not enabled");
return tsk_null;
#else
tnet_dtls_socket_t* socket;
if (!wrapped_sock || !ssl_ctx){
TSK_DEBUG_ERROR("Invalid parameter");
return tsk_null;
}
if ((socket = tsk_object_new(tnet_dtls_socket_def_t))) {
const tsk_bool_t set_mtu = TNET_SOCKET_TYPE_IS_DGRAM(wrapped_sock->type) || 1; //!\ This is required even if the local transport is TCP/TLS because the relayed (TURN) transport could be UDP
socket->wrapped_sock = tsk_object_ref(wrapped_sock);
if (!(socket->ssl = SSL_new(ssl_ctx))) {
TSK_DEBUG_ERROR("SSL_new(CTX) failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
TSK_OBJECT_SAFE_FREE(socket);
return tsk_null;
}
if (set_mtu) {
SSL_set_options(socket->ssl, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(socket->ssl, TNET_DTLS_MTU - 28);
socket->ssl->d1->mtu = TNET_DTLS_MTU - 28;
}
if (!(socket->rbio = BIO_new(BIO_s_mem())) || !(socket->wbio = BIO_new(BIO_s_mem()))){
TSK_DEBUG_ERROR("BIO_new_socket(%d) failed [%s]", socket->wrapped_sock->fd, ERR_error_string(ERR_get_error(), tsk_null));
if (socket->rbio){
BIO_free(socket->rbio);
}
if (socket->wbio){
BIO_free(socket->wbio);
}
TSK_OBJECT_SAFE_FREE(socket);
return tsk_null;
}
BIO_set_mem_eof_return(socket->rbio, -1);
BIO_set_mem_eof_return(socket->wbio, -1);
SSL_set_bio(socket->ssl, socket->rbio, socket->wbio);
SSL_set_mode(socket->ssl, SSL_MODE_AUTO_RETRY);
SSL_set_read_ahead(socket->ssl, 1);
if (set_mtu) {
BIO_ctrl(SSL_get_wbio(socket->ssl), BIO_CTRL_DGRAM_SET_MTU, TNET_DTLS_MTU - 28, NULL);
}
if ((socket->verify_peer = (SSL_CTX_get_verify_mode(ssl_ctx) != SSL_VERIFY_NONE))){
TSK_DEBUG_INFO("SSL cert verify: ON");
socket->verify_peer = tsk_true;
SSL_set_verify(socket->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), _tnet_dtls_verify_cert);
}
else {
TSK_DEBUG_ERROR("Verity not enabled");
}
SSL_set_app_data(socket->ssl, socket);
}
return socket;
#endif
}
/* //////////////////////////////////////////////////////////////////////////////////////
* implementation
*/
tb_ssl_ref_t tb_ssl_init(tb_bool_t bserver)
{
// done
tb_bool_t ok = tb_false;
tb_ssl_t* ssl = tb_null;
do
{
// load openssl library
if (!tb_ssl_library_load()) break;
// make ssl
ssl = tb_malloc0_type(tb_ssl_t);
tb_assert_and_check_break(ssl);
// init timeout, 30s
ssl->timeout = 30000;
// init ctx
ssl->ctx = SSL_CTX_new(SSLv3_method());
tb_assert_and_check_break(ssl->ctx);
// make ssl
ssl->ssl = SSL_new(ssl->ctx);
tb_assert_and_check_break(ssl->ssl);
// init endpoint
if (bserver) SSL_set_accept_state(ssl->ssl);
else SSL_set_connect_state(ssl->ssl);
// init verify
SSL_set_verify(ssl->ssl, 0, tb_ssl_verify);
// init bio
ssl->bio = BIO_new(&g_ssl_bio_method);
tb_assert_and_check_break(ssl->bio);
// set bio to ssl
ssl->bio->ptr = ssl;
SSL_set_bio(ssl->ssl, ssl->bio, ssl->bio);
// init state
ssl->state = TB_STATE_OK;
// ok
ok = tb_true;
} while (0);
// failed? exit it
if (!ok)
{
if (ssl) tb_ssl_exit((tb_ssl_ref_t)ssl);
ssl = tb_null;
}
// ok?
return (tb_ssl_ref_t)ssl;
}
/** Create a new client TLS session
*
* Configures a new client TLS session, configuring options, setting callbacks etc...
*
* @param ctx to alloc session data in. Should usually be NULL unless the lifetime of the
* session is tied to another talloc'd object.
* @param conf values for this TLS session.
* @return
* - A new session on success.
* - NULL on error.
*/
tls_session_t *tls_session_init_client(TALLOC_CTX *ctx, fr_tls_conf_t *conf)
{
int ret;
int verify_mode;
tls_session_t *session = NULL;
REQUEST *request;
session = talloc_zero(ctx, tls_session_t);
if (!session) return NULL;
talloc_set_destructor(session, _tls_session_free);
session->ctx = conf->ctx[(conf->ctx_count == 1) ? 0 : conf->ctx_next++ % conf->ctx_count]; /* mutex not needed */
rad_assert(session->ctx);
session->ssl = SSL_new(session->ctx);
if (!session->ssl) {
talloc_free(session);
return NULL;
}
request = request_alloc(session);
SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
/*
* Add the message callback to identify what type of
* message/handshake is passed
*/
SSL_set_msg_callback(session->ssl, tls_session_msg_cb);
SSL_set_msg_callback_arg(session->ssl, session);
SSL_set_info_callback(session->ssl, tls_session_info_cb);
/*
* Always verify the peer certificate.
*/
DEBUG2("Requiring Server certificate");
verify_mode = SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_set_verify(session->ssl, verify_mode, tls_validate_cert_cb);
SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)session);
ret = SSL_connect(session->ssl);
if (ret <= 0) {
tls_log_io_error(NULL, session, ret, "Failed in SSL_connect");
talloc_free(session);
return NULL;
}
session->mtu = conf->fragment_size;
return session;
}
/// TLS callback function
void ldappeerchain_tls_cb(LDAP * ld, SSL * ssl, SSL_CTX * ctx, void * arg)
{
ld = NULL;
*((SSL **)arg) = ssl;
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
return;
}
void SecuredServerSession::verifyPeer(const std::string &caFile)
{
if (!caFile.empty()) {
auto certs = SSL_load_client_CA_file(caFile.c_str());
if (!certs)
throw std::runtime_error(ERR_error_string(ERR_get_error(), nullptr));
SSL_set_client_CA_list(m_SSL, certs);
}
SSL_set_verify(m_SSL, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, &verify_callback);
SSL_set_verify_depth(m_SSL, 10);
m_renegotiate = true;
}
/*
* Negotiate SSL on the socket.
*/
static BOOL server_negotiate_ssl(Remote *remote)
{
BOOL success = TRUE;
SOCKET fd = 0;
DWORD ret = 0;
lock_acquire( remote->lock );
do
{
fd = remote_get_fd(remote);
remote->meth = SSLv3_client_method();
remote->ctx = SSL_CTX_new(remote->meth);
SSL_CTX_set_mode(remote->ctx, SSL_MODE_AUTO_RETRY);
remote->ssl = SSL_new(remote->ctx);
SSL_set_verify(remote->ssl, SSL_VERIFY_NONE, NULL);
if( SSL_set_fd(remote->ssl, remote->fd) == 0 )
{
dprintf("[SERVER] set fd failed");
success = FALSE;
break;
}
if( (ret = SSL_connect(remote->ssl)) != 1 )
{
dprintf("[SERVER] connect failed %d\n", SSL_get_error(remote->ssl, ret));
success = FALSE;
break;
}
dprintf("[SERVER] Sending a HTTP GET request to the remote side...");
if( (ret = SSL_write(remote->ssl, "GET /123456789 HTTP/1.0\r\n\r\n", 27)) <= 0 )
{
dprintf("[SERVER] SSL write failed during negotiation with return: %d (%d)", ret, SSL_get_error(remote->ssl, ret));
}
} while(0);
lock_release( remote->lock );
dprintf("[SERVER] Completed writing the HTTP GET request: %d", ret);
if( ret < 0 )
success = FALSE;
return success;
}
ret_t
cherokee_cryptor_libssl_find_vserver (SSL *ssl,
cherokee_server_t *srv,
cherokee_buffer_t *servername,
cherokee_connection_t *conn)
{
ret_t ret;
cherokee_virtual_server_t *vsrv = NULL;
SSL_CTX *ctx;
/* Try to match the connection to a server
*/
ret = cherokee_server_get_vserver(srv, servername, conn, &vsrv);
if ((ret != ret_ok) || (vsrv == NULL)) {
LOG_ERROR (CHEROKEE_ERROR_SSL_SRV_MATCH, servername->buf);
return ret_error;
}
TRACE (ENTRIES, "Setting new TLS context. Virtual host='%s'\n",
vsrv->name.buf);
/* Check whether the Virtual Server supports TLS
*/
if ((vsrv->cryptor == NULL) ||
(CRYPTOR_VSRV_SSL(vsrv->cryptor)->context == NULL))
{
TRACE (ENTRIES, "Virtual server '%s' does not support SSL\n", servername->buf);
return ret_error;
}
/* Set the new SSL context
*/
ctx = SSL_set_SSL_CTX (ssl, CRYPTOR_VSRV_SSL(vsrv->cryptor)->context);
if (ctx != CRYPTOR_VSRV_SSL(vsrv->cryptor)->context) {
LOG_ERROR (CHEROKEE_ERROR_SSL_CHANGE_CTX, servername->buf);
}
/* SSL_set_SSL_CTX() only change certificates. We need to
* changes more options by hand.
*/
SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
SSL_CTX_get_verify_callback(ssl->ctx));
}
return ret_ok;
}
VALUE engine_init_client(VALUE klass) {
VALUE obj;
ms_conn* conn = engine_alloc(klass, &obj);
conn->ctx = SSL_CTX_new(DTLSv1_method());
conn->ssl = SSL_new(conn->ctx);
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
SSL_set_bio(conn->ssl, conn->read, conn->write);
SSL_set_connect_state(conn->ssl);
return obj;
}
/*
* Send an initial eap-tls request to the peer.
*
* Frame eap reply packet.
* len = header + type + tls_typedata
* tls_typedata = flags(Start (S) bit set, and no data)
*
* Once having received the peer's Identity, the EAP server MUST
* respond with an EAP-TLS/Start packet, which is an
* EAP-Request packet with EAP-Type=EAP-TLS, the Start (S) bit
* set, and no data. The EAP-TLS conversation will then begin,
* with the peer sending an EAP-Response packet with
* EAP-Type = EAP-TLS. The data field of that packet will
* be the TLS data.
*
* Fragment length is Framed-MTU - 4.
*/
tls_session_t *eaptls_session(fr_tls_server_conf_t *tls_conf, EAP_HANDLER *handler, int client_cert)
{
tls_session_t *ssn;
int verify_mode = 0;
REQUEST *request = handler->request;
handler->tls = TRUE;
handler->finished = FALSE;
/*
* Every new session is started only from EAP-TLS-START.
* Before Sending EAP-TLS-START, open a new SSL session.
* Create all the required data structures & store them
* in Opaque. So that we can use these data structures
* when we get the response
*/
ssn = tls_new_session(tls_conf, request, client_cert);
if (!ssn) {
return NULL;
}
/*
* Verify the peer certificate, if asked.
*/
if (client_cert) {
RDEBUG2("Requiring client certificate");
verify_mode = SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verify_mode |= SSL_VERIFY_CLIENT_ONCE;
}
SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify);
/*
* Create a structure for all the items required to be
* verified for each client and set that as opaque data
* structure.
*
* NOTE: If we want to set each item sepearately then
* this index should be global.
*/
SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_HANDLER, (void *)handler);
SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)tls_conf);
SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CERTS, (void *)&(handler->certs));
SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_IDENTITY, (void *)&(handler->identity));
#ifdef HAVE_OPENSSL_OCSP_H
SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp_store);
#endif
return ssn;
}
/*!
* @brief Negotiate SSL on the socket.
* @param transport Pointer to the transport instance.
* @return Indication of success or failure.
*/
static BOOL server_negotiate_ssl(Transport* transport) {
TcpTransportContext* ctx = (TcpTransportContext*)transport->ctx;
BOOL success = TRUE;
DWORD ret = 0;
DWORD res = 0;
lock_acquire(transport->lock);
ctx->meth = (SSL_METHOD*)TLSv1_client_method();
ctx->ctx = SSL_CTX_new(ctx->meth);
SSL_CTX_set_mode(ctx->ctx, SSL_MODE_AUTO_RETRY);
ctx->ssl = SSL_new(ctx->ctx);
SSL_set_verify(ctx->ssl, SSL_VERIFY_NONE, NULL);
if (SSL_set_fd(ctx->ssl, ctx->fd) == 0) {
dprintf("[SERVER] set fd failed");
success = FALSE;
goto out;
}
do {
if ((ret = SSL_connect(ctx->ssl)) != 1) {
res = SSL_get_error(ctx->ssl, ret);
dprintf("[SERVER] connect failed %d\n", res);
if (res == SSL_ERROR_WANT_READ || res == SSL_ERROR_WANT_WRITE) {
// Catch non-blocking socket errors and retry
continue;
}
success = FALSE;
break;
}
} while (ret != 1);
if (success == FALSE)
goto out;
dprintf("[SERVER] Sending a HTTP GET request to the remote side...");
if ((ret = SSL_write(ctx->ssl, "GET /123456789 HTTP/1.0\r\n\r\n", 27)) <= 0) {
dprintf("[SERVER] SSL write failed during negotiation with return: %d (%d)", ret,
SSL_get_error(ctx->ssl, ret));
}
out:
lock_release(transport->lock);
dprintf("[SERVER] Completed writing the HTTP GET request: %d", ret);
if (ret < 0) {
success = FALSE;
}
return success;
}
int tls_connection_ca_cert(void *ssl_ctx, struct tls_connection *conn,
const char *ca_cert, const char *subject_match)
{
if (conn == NULL)
return -1;
free(conn->subject_match);
conn->subject_match = NULL;
if (subject_match) {
conn->subject_match = strdup(subject_match);
if (conn->subject_match == NULL)
return -1;
}
if (ca_cert) {
if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1)
{
wpa_printf(MSG_WARNING, "TLS: Failed to load root "
"certificates: %s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
} else {
wpa_printf(MSG_DEBUG, "TLS: Trusted root "
"certificate(s) loaded");
tls_get_errors(ssl_ctx);
}
SSL_set_app_data(conn->ssl, conn);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
} else {
/* No ca_cert configured - do not try to verify server
* certificate */
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
}
return 0;
}
static FILE *_ssl_fopen(int sd, int client)
{
int r;
mssl_cookie_t *kuki;
FILE *f;
_dprintf("%s()\n", __FUNCTION__);
if ((kuki = calloc(1, sizeof(*kuki))) == NULL) {
errno = ENOMEM;
return NULL;
}
kuki->sd = sd;
if ((kuki->ssl = SSL_new(ctx)) == NULL) {
_dprintf("%s: SSL_new failed\n", __FUNCTION__);
goto ERROR;
}
#ifdef USE_OPENSSL
SSL_set_verify(kuki->ssl, SSL_VERIFY_NONE, NULL);
SSL_set_mode(kuki->ssl, SSL_MODE_AUTO_RETRY);
#endif
SSL_set_fd(kuki->ssl, kuki->sd);
r = client ? SSL_connect(kuki->ssl) : SSL_accept(kuki->ssl);
if (r <= 0) {
_dprintf("%s: SSL handshake failed\n", __FUNCTION__);
mssl_print_err(kuki->ssl);
goto ERROR;
}
#ifdef USE_OPENSSL
_dprintf("SSL connection using %s cipher\n", SSL_get_cipher(kuki->ssl));
#endif
if ((f = fopencookie(kuki, "r+", mssl)) == NULL) {
_dprintf("%s: fopencookie failed\n", __FUNCTION__);
goto ERROR;
}
_dprintf("%s() success\n", __FUNCTION__);
return f;
ERROR:
mssl_close(kuki);
return NULL;
}
int DoSSLServerNegotiation(STREAM *S, int Flags)
{
int result=FALSE;
#ifdef HAVE_LIBSSL
SSL_METHOD *Method;
SSL_CTX *ctx;
SSL *ssl;
if (S)
{
INTERNAL_SSL_INIT();
Method=SSLv23_server_method();
if (! Method) Method=SSLv2_server_method();
if (Method)
{
ctx=SSL_CTX_new(Method);
if (ctx)
{
STREAM_INTERNAL_SSL_ADD_SECURE_KEYS(S,ctx);
ssl=SSL_new(ctx);
SSL_set_fd(ssl,S->in_fd);
STREAMSetItem(S,"LIBUSEFUL-SSL-CTX",ssl);
SSL_set_verify(ssl,SSL_VERIFY_NONE,NULL);
SSL_set_accept_state(ssl);
result=SSL_accept(ssl);
if (result != TRUE)
{
result=SSL_get_error(ssl,result);
result=ERR_get_error();
fprintf(stderr,"error: %s\n",ERR_error_string(result,NULL));
result=FALSE;
}
S->Flags|=SF_SSL;
}
}
}
#endif
return(result);
}
int TPC_Logging_Acceptor::accept_svc_handler
(TPC_Logging_Handler *sh) {
if (PARENT::accept_svc_handler (sh) == -1) return -1;
SSL_clear (ssl_); // Reset for new SSL connection.
#if defined (ACE_WIN32)
// ACE_WIN32 is the only platform where ACE_HANDLE is not an int.
// See ace/config-lite.h for the typedefs.
SSL_set_fd (ssl_, reinterpret_cast<int> (sh->get_handle ()));
#else
SSL_set_fd (ssl_, sh->get_handle ());
#endif /* ACE_WIN32 */
SSL_set_verify
(ssl_,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
0);
if (SSL_accept (ssl_) == -1
|| SSL_shutdown (ssl_) == -1) return -1;
return 0;
}
NOEXPORT int servername_cb(SSL *ssl, int *ad, void *arg) {
SERVICE_OPTIONS *section=(SERVICE_OPTIONS *)arg;
const char *servername=SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
SERVERNAME_LIST *list;
CLI *c;
#ifdef USE_LIBWRAP
char *accepted_address;
#endif /* USE_LIBWRAP */
/* leave the alert type at SSL_AD_UNRECOGNIZED_NAME */
(void)ad; /* squash the unused parameter warning */
if(!section->servername_list_head) {
s_log(LOG_DEBUG, "SNI: no virtual services defined");
return SSL_TLSEXT_ERR_OK;
}
if(!servername) {
s_log(LOG_NOTICE, "SNI: no servername received");
return SSL_TLSEXT_ERR_NOACK;
}
s_log(LOG_INFO, "SNI: requested servername: %s", servername);
for(list=section->servername_list_head; list; list=list->next)
if(matches_wildcard((char *)servername, list->servername)) {
s_log(LOG_DEBUG, "SNI: matched pattern: %s", list->servername);
c=SSL_get_ex_data(ssl, index_cli);
c->opt=list->opt;
SSL_set_SSL_CTX(ssl, c->opt->ctx);
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx),
SSL_CTX_get_verify_callback(c->opt->ctx));
s_log(LOG_NOTICE, "SNI: switched to service [%s]",
c->opt->servname);
#ifdef USE_LIBWRAP
accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len);
libwrap_auth(c, accepted_address); /* retry on a service switch */
str_free(accepted_address);
#endif /* USE_LIBWRAP */
return SSL_TLSEXT_ERR_OK;
}
s_log(LOG_ERR, "SNI: no pattern matched servername: %s", servername);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
/*
rfc5764: 4.1. The use_srtp Extension
*/
int tnet_dtls_socket_use_srtp(tnet_dtls_socket_handle_t*handle)
{
#if !HAVE_OPENSSL || !HAVE_OPENSSL_DTLS || !HAVE_OPENSSL_DTLS_SRTP
TSK_DEBUG_ERROR("OpenSSL or DTLS not enabled");
return -200;
#else
tnet_dtls_socket_t* socket = handle;
if (!socket){
TSK_DEBUG_ERROR("Invalid parameter");
return -1;
}
if ((socket->use_srtp = tsk_true)){
if (!socket->verify_peer){
socket->verify_peer = tsk_true; // DTLS-SRTP requires certtificates
SSL_set_verify(socket->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), _tnet_dtls_verify_cert);
}
}
return 0;
#endif
}
/*
* Negotiate SSL on the socket
*/
static DWORD negotiate_ssl(Remote *remote)
{
DWORD hres = ERROR_SUCCESS;
SOCKET fd = remote_get_fd(remote);
DWORD ret;
SSL_load_error_strings();
SSL_library_init();
remote->meth = TLSv1_client_method();
remote->ctx = SSL_CTX_new(remote->meth);
SSL_CTX_set_mode(remote->ctx, SSL_MODE_AUTO_RETRY);
remote->ssl = SSL_new(remote->ctx);
SSL_set_verify(remote->ssl, SSL_VERIFY_NONE, NULL);
if (SSL_set_fd(remote->ssl, remote->fd) == 0) {
perror("set fd failed");
exit(1);
}
if ((ret = SSL_connect(remote->ssl)) != 1) {
printf("connect failed %d\n", SSL_get_error(remote->ssl, ret));
exit(1);
}
dprintf("Sending a HTTP GET request to the remote side...");
if((ret = SSL_write(remote->ssl, "GET / HTTP/1.0\r\n\r\n", 18)) <= 0) {
dprintf("SSL write failed during negotiation with return: %d (%d)", ret,
SSL_get_error(remote->ssl, ret));
}
dprintf("Completed writing the HTTP GET request: %d", ret);
if(ret < 0)
ExitThread(0);
return(0);
}
