int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, int verify_peer, const char *subject_match) { if (conn == NULL) return -1; free(conn->subject_match); conn->subject_match = NULL; if (subject_match) { conn->subject_match = strdup(subject_match); if (conn->subject_match == NULL) return -1; } if (verify_peer) { SSL_set_app_data(conn->ssl, conn); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, tls_verify_cb); } else { SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); } SSL_set_accept_state(conn->ssl); return 0; }
int dtls_flow_start(struct dtls_flow *flow, const struct sa *peer, bool active) { int r, err = 0; if (!flow || !peer) return EINVAL; flow->peer = *peer; if (active) { r = SSL_connect(flow->ssl); if (r < 0) { int ssl_err = SSL_get_error(flow->ssl, r); ERR_clear_error(); if (ssl_err != SSL_ERROR_WANT_READ) { warning("dtls: SSL_connect() failed" " (err=%d)\n", ssl_err); } } check_timer(flow); } else { SSL_set_accept_state(flow->ssl); SSL_set_verify_depth(flow->ssl, 0); SSL_set_verify(flow->ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_callback); } return err; }
static void er_dtls_connection_set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *pspec) { ErDtlsConnection *self = ER_DTLS_CONNECTION(object); ErDtlsAgent *agent; ErDtlsConnectionPrivate *priv = self->priv; SSL_CTX *ssl_context; switch (prop_id) { case PROP_AGENT: g_return_if_fail(!priv->ssl); agent = ER_DTLS_AGENT(g_value_get_object(value)); g_return_if_fail(ER_IS_DTLS_AGENT(agent)); ssl_context = _er_dtls_agent_peek_context(agent); priv->ssl = SSL_new(ssl_context); g_return_if_fail(priv->ssl); priv->bio = BIO_new(BIO_s_er_dtls_connection()); g_return_if_fail(priv->bio); priv->bio->ptr = self; SSL_set_bio(priv->ssl, priv->bio, priv->bio); SSL_set_verify(priv->ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, openssl_verify_callback); SSL_set_ex_data(priv->ssl, connection_ex_index, self); log_state(self, "connection created"); break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID(self, prop_id, pspec); } }
/* allocates a new ssl object SYNOPSIS my_ssl_init mysql connection object RETURN VALUES NULL on error SSL new SSL object */ SSL *my_ssl_init(MYSQL *mysql) { int verify; SSL *ssl= NULL; DBUG_ENTER("my_ssl_init"); DBUG_ASSERT(mysql->net.vio->ssl == NULL); if (!my_ssl_initialized) my_ssl_start(mysql); if (!(ssl= SSL_new(SSL_context))) goto error; if (!SSL_set_app_data(ssl, mysql)) goto error; if (my_ssl_set_certs(ssl)) goto error; verify= (!mysql->options.ssl_ca && !mysql->options.ssl_capath) ? SSL_VERIFY_NONE : SSL_VERIFY_PEER; SSL_set_verify(ssl, verify, my_verify_callback); SSL_set_verify_depth(ssl, 1); DBUG_RETURN(ssl); error: if (ssl) SSL_free(ssl); DBUG_RETURN(NULL); }
VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) { VALUE obj; SSL_CTX* ctx; SSL* ssl; ms_conn* conn = engine_alloc(self, &obj); ID sym_key = rb_intern("key"); VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0); ID sym_cert = rb_intern("cert"); VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0); ID sym_ca = rb_intern("ca"); VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0); ID sym_verify_mode = rb_intern("verify_mode"); VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0); ctx = SSL_CTX_new(SSLv23_server_method()); conn->ctx = ctx; SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert)); SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM); if (!NIL_P(ca)) { SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL); } SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH"); DH *dh = get_dh1024(); SSL_CTX_set_tmp_dh(ctx, dh); #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp521r1); if (ecdh) { SSL_CTX_set_tmp_ecdh(ctx, ecdh); EC_KEY_free(ecdh); } #endif ssl = SSL_new(ctx); conn->ssl = ssl; SSL_set_app_data(ssl, NULL); if (NIL_P(verify_mode)) { /* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */ } else { SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback); } SSL_set_bio(ssl, conn->read, conn->write); SSL_set_accept_state(ssl); return obj; }
/* set the paths for the certs to verify the server */ int upscli_sslcert(UPSCONN *ups, const char *file, const char *path, int verify) { int ret, ssl_mode = SSL_VERIFY_NONE; if (!ups) return -1; if (!ups->ssl_ctx) { ups->upserror = UPSCLI_ERR_INVALIDARG; return -1; } switch(verify) { case 0: ssl_mode = SSL_VERIFY_NONE; break; case 1: ssl_mode = SSL_VERIFY_PEER; break; default: ups->upserror = UPSCLI_ERR_INVALIDARG; return -1; } ret = SSL_CTX_load_verify_locations(ups->ssl_ctx, file, path); if (ret != 1) { ups->upserror = UPSCLI_ERR_SSLERR; return -1; } SSL_set_verify(ups->ssl, ssl_mode, NULL); return 1; }
bool SSLSocket::waitAccepted(uint64_t millis) { if(!ssl) { if(!Socket::waitAccepted(millis)) { return false; } ssl.reset(SSL_new(ctx)); if(!ssl) checkSSL(-1); if(!verifyData) { SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } else SSL_set_ex_data(ssl, CryptoManager::idxVerifyData, verifyData.get()); checkSSL(SSL_set_fd(ssl, static_cast<int>(getSock()))); } if(SSL_is_init_finished(ssl)) { return true; } while(true) { int ret = SSL_accept(ssl); if(ret == 1) { dcdebug("Connected to SSL client using %s\n", SSL_get_cipher(ssl)); return true; } if(!waitWant(ret, millis)) { return false; } } }
SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const unsigned long binding): bIsServer (is_server), bHandshakeCompleted (false), bVerifyPeer (verify_peer), pSSL (NULL), pbioRead (NULL), pbioWrite (NULL) { /* TODO someday: make it possible to re-use SSL contexts so we don't have to create * a new one every time we come here. */ Context = new SslContext_t (bIsServer, privkeyfile, certchainfile); assert (Context); pbioRead = BIO_new (BIO_s_mem()); assert (pbioRead); pbioWrite = BIO_new (BIO_s_mem()); assert (pbioWrite); pSSL = SSL_new (Context->pCtx); assert (pSSL); SSL_set_bio (pSSL, pbioRead, pbioWrite); // Store a pointer to the binding signature in the SSL object so we can retrieve it later SSL_set_ex_data(pSSL, 0, (void*) binding); if (bVerifyPeer) SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper); if (!bIsServer) SSL_connect (pSSL); }
SSLClient::SSLClient(int sock, SSLClient::ERole role, const SSLConfig &ctx) throw(SocketConnectionClosed, SSLError) : SSLSocket(ctx), TCPSocket::TCPSocket(sock) { m_SSL = SSL_new(m_CTX); SSL_set_mode(m_SSL, SSL_MODE_AUTO_RETRY); m_BIO = BIO_new_socket(GetSocket(), BIO_NOCLOSE); SSL_set_bio(m_SSL, m_BIO, m_BIO); switch(role) { case SSLClient::CLIENT: if(SSL_connect(m_SSL) < 0) throw SSLError("Connect error"); break; case SSLClient::SERVER_FORCE_CERT: SSL_set_verify(m_SSL, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); case SSLClient::SERVER: { if(SSL_accept(m_SSL) < 0) throw SSLError("Accept error"); } break; } }
int AC_CLD_Connector::connect_svc_handler (AC_Output_Handler *&svc_handler, const ACE_SOCK_Connector::PEER_ADDR &remote_addr, ACE_Time_Value *timeout, const ACE_SOCK_Connector::PEER_ADDR &local_addr, int reuse_addr, int flags, int perms) { if (PARENT::connect_svc_handler (svc_handler, remote_addr, timeout, local_addr, reuse_addr, flags, perms) == -1) return -1; SSL_clear (ssl_); #if defined (ACE_WIN32) // ACE_WIN32 is the only platform where ACE_HANDLE is not an int. // See ace/config-lite.h for the typedefs. SSL_set_fd (ssl_, reinterpret_cast<int> (svc_handler->get_handle ())); #else SSL_set_fd (ssl_, svc_handler->get_handle ()); #endif /* ACE_WIN32 */ SSL_set_verify (ssl_, SSL_VERIFY_PEER, 0); if (SSL_connect (ssl_) == -1 || SSL_shutdown (ssl_) == -1) return -1; remote_addr_ = remote_addr; return 0; }
static int openssl_iostream_set(struct ssl_iostream *ssl_io, const struct ssl_iostream_settings *set, const char **error_r) { const struct ssl_iostream_settings *ctx_set = ssl_io->ctx->set; int verify_flags; if (set->verbose) SSL_set_info_callback(ssl_io->ssl, openssl_info_callback); if (set->cipher_list != NULL && strcmp(ctx_set->cipher_list, set->cipher_list) != 0) { if (!SSL_set_cipher_list(ssl_io->ssl, set->cipher_list)) { *error_r = t_strdup_printf( "Can't set cipher list to '%s': %s", set->cipher_list, openssl_iostream_error()); return -1; } } if (set->protocols != NULL) { SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS); SSL_set_options(ssl_io->ssl, openssl_get_protocol_options(set->protocols)); } if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) { if (openssl_iostream_use_certificate(ssl_io, set->cert, error_r) < 0) return -1; } if (set->key != NULL && strcmp(ctx_set->key, set->key) != 0) { if (openssl_iostream_use_key(ssl_io, set, error_r) < 0) return -1; } if (set->verify_remote_cert) { if (ssl_io->ctx->client_ctx) verify_flags = SSL_VERIFY_NONE; else verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; SSL_set_verify(ssl_io->ssl, verify_flags, openssl_iostream_verify_client_cert); } if (set->cert_username_field != NULL) { ssl_io->username_nid = OBJ_txt2nid(set->cert_username_field); if (ssl_io->username_nid == NID_undef) { *error_r = t_strdup_printf( "Invalid cert_username_field: %s", set->cert_username_field); return -1; } } else { ssl_io->username_nid = ssl_io->ctx->username_nid; } ssl_io->verbose = set->verbose; ssl_io->verbose_invalid_cert = set->verbose_invalid_cert || set->verbose; ssl_io->require_valid_cert = set->require_valid_cert; return 0; }
// XXX Clean up this function, we MUST handle all errors possible int krypt_set_rsa(krypt_t *kconn) { if (kconn->security_level == KRYPT_RSA) { jlog(L_NOTICE, "the security level is already set to RSA"); return 0; } SSL_set_cipher_list(kconn->ssl, "AES256-SHA"); // Load the trusted certificate store into our SSL_CTX SSL_CTX_set_cert_store(kconn->ctx, kconn->passport->trusted_authority); // Force the peer cert verifying + fail if no cert is sent by the peer SSL_set_verify(kconn->ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); // Set the certificate and key SSL_use_certificate(kconn->ssl, kconn->passport->certificate); SSL_use_PrivateKey(kconn->ssl, kconn->passport->keyring); if (kconn->conn_type == KRYPT_SERVER) { jlog(L_NOTICE, "set verify"); // Change the session id to avoid resuming ADH session SSL_set_session_id_context(kconn->ssl, (void*)&s_server_auth_session_id_context, sizeof(s_server_auth_session_id_context)); } kconn->security_level = KRYPT_RSA; return 0; }
SpiceOpenSSLVerify* spice_openssl_verify_new(SSL *ssl, SPICE_SSL_VERIFY_OP verifyop, const char *hostname, const char *pubkey, size_t pubkey_size, const char *subject) { SpiceOpenSSLVerify *v; if (!verifyop) return NULL; v = spice_new0(SpiceOpenSSLVerify, 1); v->ssl = ssl; v->verifyop = verifyop; v->hostname = spice_strdup(hostname); v->pubkey = (char*)spice_memdup(pubkey, pubkey_size); v->pubkey_size = pubkey_size; v->subject = spice_strdup(subject); v->all_preverify_ok = 1; SSL_set_app_data(ssl, v); SSL_set_verify(ssl, SSL_VERIFY_PEER, openssl_verify); return v; }
tnet_dtls_socket_handle_t* tnet_dtls_socket_create(struct tnet_socket_s* wrapped_sock, struct ssl_ctx_st* ssl_ctx) { #if !HAVE_OPENSSL || !HAVE_OPENSSL_DTLS TSK_DEBUG_ERROR("OpenSSL or DTLS not enabled"); return tsk_null; #else tnet_dtls_socket_t* socket; if (!wrapped_sock || !ssl_ctx){ TSK_DEBUG_ERROR("Invalid parameter"); return tsk_null; } if ((socket = tsk_object_new(tnet_dtls_socket_def_t))) { const tsk_bool_t set_mtu = TNET_SOCKET_TYPE_IS_DGRAM(wrapped_sock->type) || 1; //!\ This is required even if the local transport is TCP/TLS because the relayed (TURN) transport could be UDP socket->wrapped_sock = tsk_object_ref(wrapped_sock); if (!(socket->ssl = SSL_new(ssl_ctx))) { TSK_DEBUG_ERROR("SSL_new(CTX) failed [%s]", ERR_error_string(ERR_get_error(), tsk_null)); TSK_OBJECT_SAFE_FREE(socket); return tsk_null; } if (set_mtu) { SSL_set_options(socket->ssl, SSL_OP_NO_QUERY_MTU); SSL_set_mtu(socket->ssl, TNET_DTLS_MTU - 28); socket->ssl->d1->mtu = TNET_DTLS_MTU - 28; } if (!(socket->rbio = BIO_new(BIO_s_mem())) || !(socket->wbio = BIO_new(BIO_s_mem()))){ TSK_DEBUG_ERROR("BIO_new_socket(%d) failed [%s]", socket->wrapped_sock->fd, ERR_error_string(ERR_get_error(), tsk_null)); if (socket->rbio){ BIO_free(socket->rbio); } if (socket->wbio){ BIO_free(socket->wbio); } TSK_OBJECT_SAFE_FREE(socket); return tsk_null; } BIO_set_mem_eof_return(socket->rbio, -1); BIO_set_mem_eof_return(socket->wbio, -1); SSL_set_bio(socket->ssl, socket->rbio, socket->wbio); SSL_set_mode(socket->ssl, SSL_MODE_AUTO_RETRY); SSL_set_read_ahead(socket->ssl, 1); if (set_mtu) { BIO_ctrl(SSL_get_wbio(socket->ssl), BIO_CTRL_DGRAM_SET_MTU, TNET_DTLS_MTU - 28, NULL); } if ((socket->verify_peer = (SSL_CTX_get_verify_mode(ssl_ctx) != SSL_VERIFY_NONE))){ TSK_DEBUG_INFO("SSL cert verify: ON"); socket->verify_peer = tsk_true; SSL_set_verify(socket->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), _tnet_dtls_verify_cert); } else { TSK_DEBUG_ERROR("Verity not enabled"); } SSL_set_app_data(socket->ssl, socket); } return socket; #endif }
/* ////////////////////////////////////////////////////////////////////////////////////// * implementation */ tb_ssl_ref_t tb_ssl_init(tb_bool_t bserver) { // done tb_bool_t ok = tb_false; tb_ssl_t* ssl = tb_null; do { // load openssl library if (!tb_ssl_library_load()) break; // make ssl ssl = tb_malloc0_type(tb_ssl_t); tb_assert_and_check_break(ssl); // init timeout, 30s ssl->timeout = 30000; // init ctx ssl->ctx = SSL_CTX_new(SSLv3_method()); tb_assert_and_check_break(ssl->ctx); // make ssl ssl->ssl = SSL_new(ssl->ctx); tb_assert_and_check_break(ssl->ssl); // init endpoint if (bserver) SSL_set_accept_state(ssl->ssl); else SSL_set_connect_state(ssl->ssl); // init verify SSL_set_verify(ssl->ssl, 0, tb_ssl_verify); // init bio ssl->bio = BIO_new(&g_ssl_bio_method); tb_assert_and_check_break(ssl->bio); // set bio to ssl ssl->bio->ptr = ssl; SSL_set_bio(ssl->ssl, ssl->bio, ssl->bio); // init state ssl->state = TB_STATE_OK; // ok ok = tb_true; } while (0); // failed? exit it if (!ok) { if (ssl) tb_ssl_exit((tb_ssl_ref_t)ssl); ssl = tb_null; } // ok? return (tb_ssl_ref_t)ssl; }
/** Create a new client TLS session * * Configures a new client TLS session, configuring options, setting callbacks etc... * * @param ctx to alloc session data in. Should usually be NULL unless the lifetime of the * session is tied to another talloc'd object. * @param conf values for this TLS session. * @return * - A new session on success. * - NULL on error. */ tls_session_t *tls_session_init_client(TALLOC_CTX *ctx, fr_tls_conf_t *conf) { int ret; int verify_mode; tls_session_t *session = NULL; REQUEST *request; session = talloc_zero(ctx, tls_session_t); if (!session) return NULL; talloc_set_destructor(session, _tls_session_free); session->ctx = conf->ctx[(conf->ctx_count == 1) ? 0 : conf->ctx_next++ % conf->ctx_count]; /* mutex not needed */ rad_assert(session->ctx); session->ssl = SSL_new(session->ctx); if (!session->ssl) { talloc_free(session); return NULL; } request = request_alloc(session); SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request); /* * Add the message callback to identify what type of * message/handshake is passed */ SSL_set_msg_callback(session->ssl, tls_session_msg_cb); SSL_set_msg_callback_arg(session->ssl, session); SSL_set_info_callback(session->ssl, tls_session_info_cb); /* * Always verify the peer certificate. */ DEBUG2("Requiring Server certificate"); verify_mode = SSL_VERIFY_PEER; verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; SSL_set_verify(session->ssl, verify_mode, tls_validate_cert_cb); SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf); SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)session); ret = SSL_connect(session->ssl); if (ret <= 0) { tls_log_io_error(NULL, session, ret, "Failed in SSL_connect"); talloc_free(session); return NULL; } session->mtu = conf->fragment_size; return session; }
/// TLS callback function void ldappeerchain_tls_cb(LDAP * ld, SSL * ssl, SSL_CTX * ctx, void * arg) { ld = NULL; *((SSL **)arg) = ssl; SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); return; }
void SecuredServerSession::verifyPeer(const std::string &caFile) { if (!caFile.empty()) { auto certs = SSL_load_client_CA_file(caFile.c_str()); if (!certs) throw std::runtime_error(ERR_error_string(ERR_get_error(), nullptr)); SSL_set_client_CA_list(m_SSL, certs); } SSL_set_verify(m_SSL, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, &verify_callback); SSL_set_verify_depth(m_SSL, 10); m_renegotiate = true; }
/* * Negotiate SSL on the socket. */ static BOOL server_negotiate_ssl(Remote *remote) { BOOL success = TRUE; SOCKET fd = 0; DWORD ret = 0; lock_acquire( remote->lock ); do { fd = remote_get_fd(remote); remote->meth = SSLv3_client_method(); remote->ctx = SSL_CTX_new(remote->meth); SSL_CTX_set_mode(remote->ctx, SSL_MODE_AUTO_RETRY); remote->ssl = SSL_new(remote->ctx); SSL_set_verify(remote->ssl, SSL_VERIFY_NONE, NULL); if( SSL_set_fd(remote->ssl, remote->fd) == 0 ) { dprintf("[SERVER] set fd failed"); success = FALSE; break; } if( (ret = SSL_connect(remote->ssl)) != 1 ) { dprintf("[SERVER] connect failed %d\n", SSL_get_error(remote->ssl, ret)); success = FALSE; break; } dprintf("[SERVER] Sending a HTTP GET request to the remote side..."); if( (ret = SSL_write(remote->ssl, "GET /123456789 HTTP/1.0\r\n\r\n", 27)) <= 0 ) { dprintf("[SERVER] SSL write failed during negotiation with return: %d (%d)", ret, SSL_get_error(remote->ssl, ret)); } } while(0); lock_release( remote->lock ); dprintf("[SERVER] Completed writing the HTTP GET request: %d", ret); if( ret < 0 ) success = FALSE; return success; }
ret_t cherokee_cryptor_libssl_find_vserver (SSL *ssl, cherokee_server_t *srv, cherokee_buffer_t *servername, cherokee_connection_t *conn) { ret_t ret; cherokee_virtual_server_t *vsrv = NULL; SSL_CTX *ctx; /* Try to match the connection to a server */ ret = cherokee_server_get_vserver(srv, servername, conn, &vsrv); if ((ret != ret_ok) || (vsrv == NULL)) { LOG_ERROR (CHEROKEE_ERROR_SSL_SRV_MATCH, servername->buf); return ret_error; } TRACE (ENTRIES, "Setting new TLS context. Virtual host='%s'\n", vsrv->name.buf); /* Check whether the Virtual Server supports TLS */ if ((vsrv->cryptor == NULL) || (CRYPTOR_VSRV_SSL(vsrv->cryptor)->context == NULL)) { TRACE (ENTRIES, "Virtual server '%s' does not support SSL\n", servername->buf); return ret_error; } /* Set the new SSL context */ ctx = SSL_set_SSL_CTX (ssl, CRYPTOR_VSRV_SSL(vsrv->cryptor)->context); if (ctx != CRYPTOR_VSRV_SSL(vsrv->cryptor)->context) { LOG_ERROR (CHEROKEE_ERROR_SSL_CHANGE_CTX, servername->buf); } /* SSL_set_SSL_CTX() only change certificates. We need to * changes more options by hand. */ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx)); if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || (SSL_num_renegotiations(ssl) == 0)) { SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), SSL_CTX_get_verify_callback(ssl->ctx)); } return ret_ok; }
VALUE engine_init_client(VALUE klass) { VALUE obj; ms_conn* conn = engine_alloc(klass, &obj); conn->ctx = SSL_CTX_new(DTLSv1_method()); conn->ssl = SSL_new(conn->ctx); SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); SSL_set_bio(conn->ssl, conn->read, conn->write); SSL_set_connect_state(conn->ssl); return obj; }
/* * Send an initial eap-tls request to the peer. * * Frame eap reply packet. * len = header + type + tls_typedata * tls_typedata = flags(Start (S) bit set, and no data) * * Once having received the peer's Identity, the EAP server MUST * respond with an EAP-TLS/Start packet, which is an * EAP-Request packet with EAP-Type=EAP-TLS, the Start (S) bit * set, and no data. The EAP-TLS conversation will then begin, * with the peer sending an EAP-Response packet with * EAP-Type = EAP-TLS. The data field of that packet will * be the TLS data. * * Fragment length is Framed-MTU - 4. */ tls_session_t *eaptls_session(fr_tls_server_conf_t *tls_conf, EAP_HANDLER *handler, int client_cert) { tls_session_t *ssn; int verify_mode = 0; REQUEST *request = handler->request; handler->tls = TRUE; handler->finished = FALSE; /* * Every new session is started only from EAP-TLS-START. * Before Sending EAP-TLS-START, open a new SSL session. * Create all the required data structures & store them * in Opaque. So that we can use these data structures * when we get the response */ ssn = tls_new_session(tls_conf, request, client_cert); if (!ssn) { return NULL; } /* * Verify the peer certificate, if asked. */ if (client_cert) { RDEBUG2("Requiring client certificate"); verify_mode = SSL_VERIFY_PEER; verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; verify_mode |= SSL_VERIFY_CLIENT_ONCE; } SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify); /* * Create a structure for all the items required to be * verified for each client and set that as opaque data * structure. * * NOTE: If we want to set each item sepearately then * this index should be global. */ SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_HANDLER, (void *)handler); SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)tls_conf); SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CERTS, (void *)&(handler->certs)); SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_IDENTITY, (void *)&(handler->identity)); #ifdef HAVE_OPENSSL_OCSP_H SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp_store); #endif return ssn; }
/*! * @brief Negotiate SSL on the socket. * @param transport Pointer to the transport instance. * @return Indication of success or failure. */ static BOOL server_negotiate_ssl(Transport* transport) { TcpTransportContext* ctx = (TcpTransportContext*)transport->ctx; BOOL success = TRUE; DWORD ret = 0; DWORD res = 0; lock_acquire(transport->lock); ctx->meth = (SSL_METHOD*)TLSv1_client_method(); ctx->ctx = SSL_CTX_new(ctx->meth); SSL_CTX_set_mode(ctx->ctx, SSL_MODE_AUTO_RETRY); ctx->ssl = SSL_new(ctx->ctx); SSL_set_verify(ctx->ssl, SSL_VERIFY_NONE, NULL); if (SSL_set_fd(ctx->ssl, ctx->fd) == 0) { dprintf("[SERVER] set fd failed"); success = FALSE; goto out; } do { if ((ret = SSL_connect(ctx->ssl)) != 1) { res = SSL_get_error(ctx->ssl, ret); dprintf("[SERVER] connect failed %d\n", res); if (res == SSL_ERROR_WANT_READ || res == SSL_ERROR_WANT_WRITE) { // Catch non-blocking socket errors and retry continue; } success = FALSE; break; } } while (ret != 1); if (success == FALSE) goto out; dprintf("[SERVER] Sending a HTTP GET request to the remote side..."); if ((ret = SSL_write(ctx->ssl, "GET /123456789 HTTP/1.0\r\n\r\n", 27)) <= 0) { dprintf("[SERVER] SSL write failed during negotiation with return: %d (%d)", ret, SSL_get_error(ctx->ssl, ret)); } out: lock_release(transport->lock); dprintf("[SERVER] Completed writing the HTTP GET request: %d", ret); if (ret < 0) { success = FALSE; } return success; }
int tls_connection_ca_cert(void *ssl_ctx, struct tls_connection *conn, const char *ca_cert, const char *subject_match) { if (conn == NULL) return -1; free(conn->subject_match); conn->subject_match = NULL; if (subject_match) { conn->subject_match = strdup(subject_match); if (conn->subject_match == NULL) return -1; } if (ca_cert) { if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1) { wpa_printf(MSG_WARNING, "TLS: Failed to load root " "certificates: %s", ERR_error_string(ERR_get_error(), NULL)); return -1; } else { wpa_printf(MSG_DEBUG, "TLS: Trusted root " "certificate(s) loaded"); tls_get_errors(ssl_ctx); } SSL_set_app_data(conn->ssl, conn); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); } else { /* No ca_cert configured - do not try to verify server * certificate */ SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); } return 0; }
static FILE *_ssl_fopen(int sd, int client) { int r; mssl_cookie_t *kuki; FILE *f; _dprintf("%s()\n", __FUNCTION__); if ((kuki = calloc(1, sizeof(*kuki))) == NULL) { errno = ENOMEM; return NULL; } kuki->sd = sd; if ((kuki->ssl = SSL_new(ctx)) == NULL) { _dprintf("%s: SSL_new failed\n", __FUNCTION__); goto ERROR; } #ifdef USE_OPENSSL SSL_set_verify(kuki->ssl, SSL_VERIFY_NONE, NULL); SSL_set_mode(kuki->ssl, SSL_MODE_AUTO_RETRY); #endif SSL_set_fd(kuki->ssl, kuki->sd); r = client ? SSL_connect(kuki->ssl) : SSL_accept(kuki->ssl); if (r <= 0) { _dprintf("%s: SSL handshake failed\n", __FUNCTION__); mssl_print_err(kuki->ssl); goto ERROR; } #ifdef USE_OPENSSL _dprintf("SSL connection using %s cipher\n", SSL_get_cipher(kuki->ssl)); #endif if ((f = fopencookie(kuki, "r+", mssl)) == NULL) { _dprintf("%s: fopencookie failed\n", __FUNCTION__); goto ERROR; } _dprintf("%s() success\n", __FUNCTION__); return f; ERROR: mssl_close(kuki); return NULL; }
int DoSSLServerNegotiation(STREAM *S, int Flags) { int result=FALSE; #ifdef HAVE_LIBSSL SSL_METHOD *Method; SSL_CTX *ctx; SSL *ssl; if (S) { INTERNAL_SSL_INIT(); Method=SSLv23_server_method(); if (! Method) Method=SSLv2_server_method(); if (Method) { ctx=SSL_CTX_new(Method); if (ctx) { STREAM_INTERNAL_SSL_ADD_SECURE_KEYS(S,ctx); ssl=SSL_new(ctx); SSL_set_fd(ssl,S->in_fd); STREAMSetItem(S,"LIBUSEFUL-SSL-CTX",ssl); SSL_set_verify(ssl,SSL_VERIFY_NONE,NULL); SSL_set_accept_state(ssl); result=SSL_accept(ssl); if (result != TRUE) { result=SSL_get_error(ssl,result); result=ERR_get_error(); fprintf(stderr,"error: %s\n",ERR_error_string(result,NULL)); result=FALSE; } S->Flags|=SF_SSL; } } } #endif return(result); }
int TPC_Logging_Acceptor::accept_svc_handler (TPC_Logging_Handler *sh) { if (PARENT::accept_svc_handler (sh) == -1) return -1; SSL_clear (ssl_); // Reset for new SSL connection. #if defined (ACE_WIN32) // ACE_WIN32 is the only platform where ACE_HANDLE is not an int. // See ace/config-lite.h for the typedefs. SSL_set_fd (ssl_, reinterpret_cast<int> (sh->get_handle ())); #else SSL_set_fd (ssl_, sh->get_handle ()); #endif /* ACE_WIN32 */ SSL_set_verify (ssl_, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); if (SSL_accept (ssl_) == -1 || SSL_shutdown (ssl_) == -1) return -1; return 0; }
NOEXPORT int servername_cb(SSL *ssl, int *ad, void *arg) { SERVICE_OPTIONS *section=(SERVICE_OPTIONS *)arg; const char *servername=SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); SERVERNAME_LIST *list; CLI *c; #ifdef USE_LIBWRAP char *accepted_address; #endif /* USE_LIBWRAP */ /* leave the alert type at SSL_AD_UNRECOGNIZED_NAME */ (void)ad; /* squash the unused parameter warning */ if(!section->servername_list_head) { s_log(LOG_DEBUG, "SNI: no virtual services defined"); return SSL_TLSEXT_ERR_OK; } if(!servername) { s_log(LOG_NOTICE, "SNI: no servername received"); return SSL_TLSEXT_ERR_NOACK; } s_log(LOG_INFO, "SNI: requested servername: %s", servername); for(list=section->servername_list_head; list; list=list->next) if(matches_wildcard((char *)servername, list->servername)) { s_log(LOG_DEBUG, "SNI: matched pattern: %s", list->servername); c=SSL_get_ex_data(ssl, index_cli); c->opt=list->opt; SSL_set_SSL_CTX(ssl, c->opt->ctx); SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx), SSL_CTX_get_verify_callback(c->opt->ctx)); s_log(LOG_NOTICE, "SNI: switched to service [%s]", c->opt->servname); #ifdef USE_LIBWRAP accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len); libwrap_auth(c, accepted_address); /* retry on a service switch */ str_free(accepted_address); #endif /* USE_LIBWRAP */ return SSL_TLSEXT_ERR_OK; } s_log(LOG_ERR, "SNI: no pattern matched servername: %s", servername); return SSL_TLSEXT_ERR_ALERT_FATAL; }
/* rfc5764: 4.1. The use_srtp Extension */ int tnet_dtls_socket_use_srtp(tnet_dtls_socket_handle_t*handle) { #if !HAVE_OPENSSL || !HAVE_OPENSSL_DTLS || !HAVE_OPENSSL_DTLS_SRTP TSK_DEBUG_ERROR("OpenSSL or DTLS not enabled"); return -200; #else tnet_dtls_socket_t* socket = handle; if (!socket){ TSK_DEBUG_ERROR("Invalid parameter"); return -1; } if ((socket->use_srtp = tsk_true)){ if (!socket->verify_peer){ socket->verify_peer = tsk_true; // DTLS-SRTP requires certtificates SSL_set_verify(socket->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), _tnet_dtls_verify_cert); } } return 0; #endif }
/* * Negotiate SSL on the socket */ static DWORD negotiate_ssl(Remote *remote) { DWORD hres = ERROR_SUCCESS; SOCKET fd = remote_get_fd(remote); DWORD ret; SSL_load_error_strings(); SSL_library_init(); remote->meth = TLSv1_client_method(); remote->ctx = SSL_CTX_new(remote->meth); SSL_CTX_set_mode(remote->ctx, SSL_MODE_AUTO_RETRY); remote->ssl = SSL_new(remote->ctx); SSL_set_verify(remote->ssl, SSL_VERIFY_NONE, NULL); if (SSL_set_fd(remote->ssl, remote->fd) == 0) { perror("set fd failed"); exit(1); } if ((ret = SSL_connect(remote->ssl)) != 1) { printf("connect failed %d\n", SSL_get_error(remote->ssl, ret)); exit(1); } dprintf("Sending a HTTP GET request to the remote side..."); if((ret = SSL_write(remote->ssl, "GET / HTTP/1.0\r\n\r\n", 18)) <= 0) { dprintf("SSL write failed during negotiation with return: %d (%d)", ret, SSL_get_error(remote->ssl, ret)); } dprintf("Completed writing the HTTP GET request: %d", ret); if(ret < 0) ExitThread(0); return(0); }