const SSL_METHOD *anubis_string_to_SSL_METOHD(const char *method, int role) {
if(!method)
return NULL;
if(!strcasecmp(method, "SSLv23"))
return role == ANUBIS_ROLE_SERVER ?
SSLv23_server_method() :
role == ANUBIS_ROLE_CLIENT ? SSLv23_client_method() : NULL;
#ifndef OPENSSL_NO_SSL2_METHOD
if(!strcasecmp(method, "SSLv2"))
return role == ANUBIS_ROLE_SERVER ?
SSLv3_server_method() :
role == ANUBIS_ROLE_CLIENT ? SSLv3_client_method() : NULL;
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
if(!strcasecmp(method, "SSLv3"))
return role == ANUBIS_ROLE_SERVER ?
SSLv3_server_method() :
role == ANUBIS_ROLE_CLIENT ? SSLv3_client_method() : NULL;
#endif
if(!strcasecmp(method, "TLSv1.0"))
return role == ANUBIS_ROLE_SERVER ?
TLSv1_server_method() :
role == ANUBIS_ROLE_CLIENT ? TLSv1_client_method() : NULL;
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
if(!strcasecmp(method, "TLSv1.1"))
return role == ANUBIS_ROLE_SERVER ?
TLSv1_1_server_method() :
role == ANUBIS_ROLE_CLIENT ? TLSv1_1_client_method() : NULL;
if(!strcasecmp(method, "TLSv1.2"))
return role == ANUBIS_ROLE_SERVER ?
TLSv1_2_server_method() :
role == ANUBIS_ROLE_CLIENT ? TLSv1_2_client_method() : NULL;
#endif
/*
if(!strcasecmp(method, "DTLS1.0"))
return role == ANUBIS_ROLE_SERVER ?
DTLSv1_server_method() :
role == ANUBIS_ROLE_CLIENT ? DTLSv1_client_method() : NULL;
if(!strcasecmp(method, "DTLS1.2"))
return role == ANUBIS_ROLE_SERVER ?
DTLSv1_2_server_method() :
role == ANUBIS_ROLE_CLIENT ? DTLSv1_2_client_method() : NULL;
if(!strcasecmp(method, "DTLS"))
return role == ANUBIS_ROLE_SERVER ?
DTLS_server_method() :
role == ANUBIS_ROLE_CLIENT ? DTLS_client_method() : NULL;
*/
return NULL;
}//end anubis_string_to_SSL_METOHD
/**
* @desc Initialize OpenSSL lib
* @throw Char *
*/
void IOSocketSSL::initSSL(const bool force_server_method = false) {
TRACE_CALL();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_ssl_algorithms();
switch (socket_t) {
case IOSOCKET_LISTEN_T:
ctx = SSL_CTX_new(SSLv3_server_method());
break;
case IOSOCKET_CONNECT_T:
if (force_server_method)
ctx = SSL_CTX_new(SSLv3_server_method());
else
ctx = SSL_CTX_new(SSLv3_client_method());
break;
default:
/* Shouln't happen, mother class constructor should have thrown
* an exception earlier */
throw("Unknown socket type");
break;
}
/**
* Should use a loop on ERR_get_error()
* to retrieve the whole error process
*/
if (ctx == NULL)
throw(new_SSL_error("initializing ssl context"));
if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) != 1)
throw(new_SSL_error("loading cert file"));
if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) != 1)
throw(new_SSL_error("loading private key file"));
if (SSL_CTX_check_private_key(ctx) != 1)
throw(new_SSL_error("verifying private key"));
/* Don't bother with renego */
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
init_ssl = true;
}
const SSL_METHOD * hb_ssl_method_id_to_ptr( int n )
{
const SSL_METHOD * p;
switch( n )
{
#if OPENSSL_VERSION_NUMBER < 0x10000000L
case HB_SSL_CTX_NEW_METHOD_SSLV2: p = SSLv2_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV2_SERVER: p = SSLv2_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV2_CLIENT: p = SSLv2_client_method(); break;
#endif
case HB_SSL_CTX_NEW_METHOD_SSLV3: p = SSLv3_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV3_SERVER: p = SSLv3_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV3_CLIENT: p = SSLv3_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1: p = TLSv1_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_SERVER: p = TLSv1_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_TLSV1_CLIENT: p = TLSv1_client_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23: p = SSLv23_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23_SERVER: p = SSLv23_server_method(); break;
case HB_SSL_CTX_NEW_METHOD_SSLV23_CLIENT: p = SSLv23_client_method(); break;
default: p = SSLv23_method();
}
return p;
}
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
SSL_CTX *ctx;
#ifdef WIN32
int i, r;
#endif
SSLeay_add_ssl_algorithms ();
SSL_load_error_strings ();
ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300);
/* used in SSL_connect(), SSL_accept() */
SSL_CTX_set_info_callback (ctx, info_cb_func);
#ifdef WIN32
/* under win32, OpenSSL needs to be seeded with some randomness */
for (i = 0; i < 128; i++)
{
r = rand ();
RAND_seed ((unsigned char *)&r, sizeof (r));
}
#endif
return(ctx);
}
SSL_CTX* InitServerCTX(void)
{
const SSL_METHOD *method;
SSL_CTX *ctx;
char server_key[] = "server.key";
char server_crt[] = "server.crt";
SSL_library_init(); /* this functions always returns 1. */
OpenSSL_add_all_algorithms(); /* void return values */
SSL_load_error_strings();
if((method = SSLv3_server_method()) == NULL)
{
ERR_print_errors_fp(stderr);
abort();
}
if((ctx = SSL_CTX_new(method)) == NULL)
{
ERR_print_errors_fp(stderr);
abort();
}
LoadCertificates(ctx, server_crt, server_key); /* load certs */
return ctx;
}
SSL_METHOD *sycSSLv3_server_method(void) {
SSL_METHOD *result;
Debug("SSLv3_server_method()");
result = SSLv3_server_method();
Debug1("SSLv3_server_method() -> %p", result);
return result;
}
static int _init_server(OpenSSL * openssl, char const * name)
{
String * crt;
struct sockaddr_in sa;
if((crt = string_new_append(SYSCONFDIR, "/AppServer/", name, ".crt"))
== NULL)
return -1;
if((openssl->ssl_ctx = SSL_CTX_new(SSLv3_server_method())) == NULL
|| SSL_CTX_set_cipher_list(openssl->ssl_ctx,
SSL_DEFAULT_CIPHER_LIST) != 1
|| SSL_CTX_use_certificate_file(openssl->ssl_ctx, crt,
SSL_FILETYPE_PEM) == 0
|| SSL_CTX_use_PrivateKey_file(openssl->ssl_ctx, crt,
SSL_FILETYPE_PEM) == 0)
{
string_delete(crt);
return -_openssl_error_ssl(1);
}
string_delete(crt);
if((openssl->fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
return -_openssl_error("socket", 1);
sa.sin_family = AF_INET;
sa.sin_port = htons(4242); /* XXX hard-coded */
sa.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(openssl->fd, (struct sockaddr *)&sa, sizeof(sa)) != 0)
return -_openssl_error("bind", 1);
if(listen(openssl->fd, 5) != 0)
return -_openssl_error("listen", 1);
event_register_io_read(openssl->helper->event, openssl->fd,
(EventIOFunc)_openssl_callback_accept, openssl);
return 0;
}
/*
* initialize ssl methods
*/
static void
init_ssl_methods(void)
{
LM_DBG("entered\n");
#ifndef OPENSSL_NO_SSL2
ssl_methods[TLS_USE_SSLv2_cli - 1] = (SSL_METHOD*)SSLv2_client_method();
ssl_methods[TLS_USE_SSLv2_srv - 1] = (SSL_METHOD*)SSLv2_server_method();
ssl_methods[TLS_USE_SSLv2 - 1] = (SSL_METHOD*)SSLv2_method();
#endif
ssl_methods[TLS_USE_SSLv3_cli - 1] = (SSL_METHOD*)SSLv3_client_method();
ssl_methods[TLS_USE_SSLv3_srv - 1] = (SSL_METHOD*)SSLv3_server_method();
ssl_methods[TLS_USE_SSLv3 - 1] = (SSL_METHOD*)SSLv3_method();
ssl_methods[TLS_USE_TLSv1_cli - 1] = (SSL_METHOD*)TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv - 1] = (SSL_METHOD*)TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1 - 1] = (SSL_METHOD*)TLSv1_method();
ssl_methods[TLS_USE_SSLv23_cli - 1] = (SSL_METHOD*)SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv - 1] = (SSL_METHOD*)SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23 - 1] = (SSL_METHOD*)SSLv23_method();
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
ssl_methods[TLS_USE_TLSv1_2_cli - 1] = (SSL_METHOD*)TLSv1_2_client_method();
ssl_methods[TLS_USE_TLSv1_2_srv - 1] = (SSL_METHOD*)TLSv1_2_server_method();
ssl_methods[TLS_USE_TLSv1_2 - 1] = (SSL_METHOD*)TLSv1_2_method();
#endif
}
acceptor_impl( tcode::io::engine& l )
: pipeline_acceptor( l )
, e(l)
, _ssl_context( SSLv3_server_method() )
{
_ssl_context.use_generate_key();
}
int easyssl_bind(EASYSSL *ctx, char *ip, int port, int max_cli)
{
if(port < 0 || port > 65535) return -SSL_ERR_PARAM;
struct sockaddr_in addr;
ctx->fd = socket(AF_INET, SOCK_STREAM, 0);
if(ctx->fd < 0)
{
printf("create socket error %d(%s)\n", errno, strerror(errno));
return -SSL_ERR_SOCK;
}
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = INADDR_ANY;
//FIXME bind on specified IP address
if ( bind(ctx->fd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
{
printf("bind socket error %d(%s)\n", errno, strerror(errno));
return -SSL_ERR_BIND;
}
if ( listen(ctx->fd, max_cli) != 0 )
{
printf("listen socket error %d(%s)\n", errno, strerror(errno));
return -SSL_ERR_LISTEN;
}
if(SSL_library_init() != 1) {
printf("Error: SSL lib init failure\n");
return -SSL_ERR_INIT;
}
const SSL_METHOD *method;
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
method = SSLv3_server_method();
ctx->ctx = SSL_CTX_new(method);
if ( ctx->ctx == NULL )
{
ERR_print_errors_fp(stderr);
return -SSL_ERR_NEW;
}
if ( SSL_CTX_use_certificate_file(ctx->ctx, ctx->cert_path, SSL_FILETYPE_PEM) <= 0 )
{
ERR_print_errors_fp(stderr);
return -SSL_ERR_CERT;
}
if ( SSL_CTX_use_PrivateKey_file(ctx->ctx, ctx->pkey_path, SSL_FILETYPE_PEM) <= 0 )
{
ERR_print_errors_fp(stderr);
return -SSL_ERR_PKEY;
}
if ( !SSL_CTX_check_private_key(ctx->ctx) )
{
printf("Private key does not match the public certificate\n");
return -SSL_ERR_PKEY;
}
return SSL_ERR_SUCCESS;
}
bool SSLSocket::setupCrypto(SSLSocket *session /* = NULL */) {
if (m_handle) {
raise_warning("SSL/TLS already set-up for this stream");
return false;
}
/* need to do slightly different things, based on client/server method,
* so lets remember which method was selected */
#if OPENSSL_VERSION_NUMBER < 0x00909000L
SSL_METHOD *smethod;
#else
const SSL_METHOD *smethod;
#endif
switch (m_method) {
case ClientSSLv23: m_client = true; smethod = SSLv23_client_method(); break;
case ClientSSLv3: m_client = true; smethod = SSLv3_client_method(); break;
case ClientTLS: m_client = true; smethod = TLSv1_client_method(); break;
case ServerSSLv23: m_client = false; smethod = SSLv23_server_method(); break;
case ServerSSLv3: m_client = false; smethod = SSLv3_server_method(); break;
/* SSLv2 protocol might be disabled in the OpenSSL library */
#ifndef OPENSSL_NO_SSL2
case ClientSSLv2: m_client = true; smethod = SSLv2_client_method(); break;
case ServerSSLv2: m_client = false; smethod = SSLv2_server_method(); break;
#else
case ClientSSLv2:
case ServerSSLv2:
raise_warning("OpenSSL library does not support SSL2 protocol");
return false;
break;
#endif
case ServerTLS: m_client = false; smethod = TLSv1_server_method(); break;
default:
return false;
}
SSL_CTX *ctx = SSL_CTX_new(smethod);
if (ctx == nullptr) {
raise_warning("failed to create an SSL context");
return false;
}
SSL_CTX_set_options(ctx, SSL_OP_ALL);
m_handle = createSSL(ctx);
if (m_handle == nullptr) {
raise_warning("failed to create an SSL handle");
SSL_CTX_free(ctx);
return false;
}
if (!SSL_set_fd(m_handle, m_fd)) {
handleError(0, true);
}
if (session) {
SSL_copy_session_id(m_handle, session->m_handle);
}
return true;
}
SSLContext::SSLContext(int _method){
#ifdef USE_EMBEDDED_CLASSNAMES
setClassName(__xvr2_Net_SSLContext);
#endif
__init_ssl_library(this);
pem = 0;
method = _method;
ctx = 0;
mydata = 0;
switch(method){
case SSL_V2:
ctx = SSL_CTX_new(SSLv2_method());
break;
case SSL_V2_CLIENT:
ctx = SSL_CTX_new(SSLv2_client_method());
break;
case SSL_V2_SERVER:
ctx = SSL_CTX_new(SSLv2_server_method());
break;
case SSL_V3:
ctx = SSL_CTX_new(SSLv3_method());
break;
case SSL_V3_CLIENT:
ctx = SSL_CTX_new(SSLv3_client_method());
break;
case SSL_V3_SERVER:
ctx = SSL_CTX_new(SSLv3_server_method());
break;
case SSL_V23_CLIENT:
ctx = SSL_CTX_new(SSLv23_client_method());
break;
case SSL_V23_SERVER:
ctx = SSL_CTX_new(SSLv23_server_method());
break;
case SSL_V23:
default:
ctx = SSL_CTX_new(SSLv23_method());
}
if(ctx == 0){
throw SSLContextCreation();
}
//Initialize password callback
__ssl_ctx_cb_args *x;
x = new __ssl_ctx_cb_args(this, 0, 0);
mydata = x;
#ifdef USE_DEBUG
debugmsgln(this, "Initializing password callback...");
#endif
SSL_CTX_set_default_passwd_cb((SSL_CTX *)ctx, passwdCB);
#ifdef USE_DEBUG
debugmsgln(this, "Initializing default password callback userdata...");
#endif
SSL_CTX_set_default_passwd_cb_userdata((SSL_CTX *)ctx, mydata);
}
bool VSslServer::doOpen()
{
VLock lock(stateOpenCs); // gilgil temp 2014.03.14
//
// Set server method
//
LOG_DEBUG("method=%s", qPrintable(methodType.str()));
switch (methodType)
{
#ifdef _WIN32 // Linux openssl does not support SSLv2_server_method
case VSslMethodType::mtSSLv2 : m_meth = (SSL_METHOD*)SSLv2_server_method(); break;
#endif // _WIN32
case VSslMethodType::mtSSLv3 : m_meth = (SSL_METHOD*)SSLv3_server_method(); break;
case VSslMethodType::mtSSLv23 : m_meth = (SSL_METHOD*)SSLv23_server_method(); break;
case VSslMethodType::mtTLSv1 : m_meth = (SSL_METHOD*)TLSv1_server_method(); break;
case VSslMethodType::mtTLSv1_1 : m_meth = (SSL_METHOD*)TLSv1_1_server_method(); break;
case VSslMethodType::mtTLSv1_2 : m_meth = (SSL_METHOD*)TLSv1_2_server_method(); break;
case VSslMethodType::mtDTLSv1 : m_meth = (SSL_METHOD*)DTLSv1_server_method(); break;
case VSslMethodType::mtNone :
default :
SET_ERROR(VSslError, QString("client method error(%1)").arg(methodType.str()), VSslError::INVALID_SSL_METHOD);
return false;
}
m_ctx = SSL_CTX_new(m_meth);
if (!SSL_CTX_set_tlsext_servername_callback(m_ctx, ssl_servername_cb))
{
LOG_ERROR("SSL_CTX_set_tlsext_servername_callback return false");
}
if (!SSL_CTX_set_tlsext_servername_arg(m_ctx, this))
{
LOG_ERROR("SSL_CTX_set_tlsext_servername_arg return false");
}
if (defaultKeyCrtFileName != "")
{
QString fileName = certificatePath;
QFileInfo fi(fileName);
// if (!fi.isAbsolute()) fileName = VApp::_filePath() + fileName; // gilgil temp 2014.12.25
if (!fi.isAbsolute()) fileName = QCoreApplication::applicationDirPath() + QDir::separator() + fileName; // gilgil temp 2014.12.25
if (!fileName.endsWith('/') && !fileName.endsWith('\\'))
{
fileName += QDir::separator();
}
fileName += defaultKeyCrtFileName;
if (!setup(fileName)) return false;
}
if (!VTcpServer::doOpen()) return false;
return true;
}
static SSL_METHOD *ssl23_get_server_method(int ver)
{
#ifndef OPENSSL_NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
#endif
if (ver == SSL3_VERSION)
return(SSLv3_server_method());
else if (ver == TLS1_VERSION)
return(TLSv1_server_method());
else
return(NULL);
}
static const SSL_METHOD *
ssl23_get_server_method(int ver)
{
if (ver == SSL3_VERSION)
return (SSLv3_server_method());
else if (ver == TLS1_VERSION)
return (TLSv1_server_method());
else if (ver == TLS1_1_VERSION)
return (TLSv1_1_server_method());
else if (ver == TLS1_2_VERSION)
return (TLSv1_2_server_method());
else
return (NULL);
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
#ifndef OPENSSL_NO_SSL3_METHOD
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
#endif
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
#ifdef TLS1_1_VERSION
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
#endif
#ifdef TLS1_2_VERSION
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
#endif
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
/**
* @brief initialize SSL server and create context
* @decription THIS IS NOT MY CODE (from page 1)
* @return ctx The SSL_CTX object
*/
SSL_CTX* initialize_server(){
SSL_METHOD *method = SSLv3_server_method();
SSL_CTX *ctx = SSL_CTX_new(method);
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
//check if CTX object is valid
if(ctx == NULL){
printf("\n\nERROR: SSL_CTX_new() failed (server.c - initialize_server\n");
printf("Couldn't create a new SSL_CTX object.\n\n");
exit(1);
}
return ctx;
}
SSL_CTX* InitServerCTX(void)
{ SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */
SSL_load_error_strings(); /* load all error messages */
method = const_cast<SSL_METHOD*>(SSLv3_server_method()); /* create new server-method instance */
ctx = SSL_CTX_new(method); /* create new context from method */
if ( ctx == NULL )
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
void rcp_ssl_ctx_init()
{
const SSL_METHOD *method = SSLv3_server_method();
if (method == NULL){
rcp_error("e1\n");
}
ctx = SSL_CTX_new(method);
if (ctx== NULL){
rcp_error("e2\n");
}
SSL_CTX_use_certificate_file(ctx,
RCP_SSL_CERTIFICATE_FILE_PATH, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx,
RCP_SSL_PRIVATEKEY_FILE_PATH, SSL_FILETYPE_PEM);
}
void init_options(void)
{
if((option.cafiles = malloc(sizeof(char *) * 1)) == (char **) 0)
{
fprintf(stderr, "malloc: %.100s (%i)\n", strerror(errno), errno);
exit(EXIT_FAILURE);
}
option.cafiles[0] = 0;
/* default options */
option.mysql_IP = "127.0.0.1";
option.mysql_user = "******";
option.mysql_pass = "******";
option.mysql_db = "eas";
option.mysql_port = 3306;
option.port = 5555;
option.lock_fd = -1;
option.pidfile = "/var/run/easd.pid";
option.facility = LOG_AUTH;
option.priority = LOG_INFO;
option.method = SSLv3_server_method();
option.pemfile = "/etc/eas/certs/server.pem";
option.egdfile = 0;
option.randomfile = 0;
option.cipher = "HIGH:MEDIUM";
option.hook = 0;
option.hook_timeout = 5;
option.sessiondirectory = "/var/log/easd";
option.listenaddress = "localhost";
option.keepalive = 1;
option.idletimeout = 7200;
option.uid = -1;
option.hook_failure_critical = 1;
option.sync = _IONBF;
option.strict_mode = 1;
option.strict_owner = 1;
option.strict_inode = 0;
option.strict_ctime = 0;
option.strict_mtime = 0;
option.uid = 0;
option.gid = 0;
option.level = eINFO;
return;
}
SSL_CTX *
InitCTX (void)
{
SSL_METHOD *method;
X509 *cert;
EVP_PKEY *key;
SSL_library_init ();
OpenSSL_add_all_algorithms (); /* Load cryptos, et.al. */
SSL_load_error_strings (); /* Bring in and register error messages */
method = SSLv3_server_method ();
ctx = SSL_CTX_new (method); /* Create new context */
if (ctx == NULL) {
#ifdef DEBUG
ERR_print_errors_fp (stderr);
#endif
abort ();
}
SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX_set_cipher_list (ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
if (gen_cert (&cert, &key) == 0) {
#ifdef DEBUG
printf ("Error w/ gen_cert()\n");
#endif
exit (1);
}
if (SSL_CTX_use_certificate (ctx, cert) != 1) {
#ifdef DEBUG
fprintf (stderr, "SSL_CTX_use_certificate failed.\n");
#endif
exit (1);
}
if (SSL_CTX_use_PrivateKey (ctx, key) != 1) {
#ifdef DEBUG
fprintf (stderr, "SSL_CTX_use_PrivateKey failed.\n");
#endif
exit (1);
}
X509_free (cert);
EVP_PKEY_free (key);
return ctx;
}
static const SSL_METHOD *tls1_get_server_method(int ver)
{
if (ver == TLS_ANY_VERSION)
return TLS_server_method();
if (ver == TLS1_2_VERSION)
return TLSv1_2_server_method();
if (ver == TLS1_1_VERSION)
return TLSv1_1_server_method();
if (ver == TLS1_VERSION)
return TLSv1_server_method();
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return (SSLv3_server_method());
#endif
return NULL;
}
SSL_CTX* initServerContext()
{
SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
method = const_cast<SSL_METHOD*>(SSLv3_server_method());
ctx = SSL_CTX_new(method);
if ( ctx == NULL )
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
SSL_CTX* EdSSLContext::buildServerCtx(int sslmethod, const char* certfile, const char* privkeyfile)
{
const SSL_METHOD *method;
switch (sslmethod)
{
case SSL_VER_TLSV1:
method = TLSv1_server_method();
break;
case SSL_VER_TLSV11:
method = TLSv1_1_server_method();
break;
case SSL_VER_V23:
method = SSLv23_server_method();
break;
case SSL_VER_V3:
method = SSLv3_server_method();
break;
case SSL_VER_DTLSV1:
method = DTLSv1_server_method();
break;
default:
method = NULL;
break;
}
if (method == NULL)
return NULL;
SSL_CTX* pctx = SSL_CTX_new(method);
int ret;
ret = SSL_CTX_use_certificate_file(pctx, certfile, SSL_FILETYPE_PEM);
dbgd("set cert file, ret=%d", ret);
ret = SSL_CTX_use_PrivateKey_file(pctx, privkeyfile, SSL_FILETYPE_PEM);
dbgd("set key file, ret=%d", ret);
if (!SSL_CTX_check_private_key(pctx))
{
dbge("### private key check error......");
SSL_CTX_free(pctx);
return NULL;
}
return pctx;
}
SSL_CTX* setupSSL(void){
SSL_CTX *ssl_ctx;
const SSL_METHOD *method;
SSL_library_init();
/* loading cryptos and error messages*/
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
/* create new server-method instance */
method = SSLv3_server_method();
/* create new context from method */
ssl_ctx = SSL_CTX_new(method);
if (ssl_ctx == NULL){
perror("ssl_ctx");
exit(EXIT_FAILURE);
}
/* specifying what certificate to use, get from CERT_FILE*/
if(SSL_CTX_use_certificate_file(ssl_ctx, CERT_FILE, SSL_FILETYPE_PEM) <= 0){
perror("CERT_FILE error\n");
exit(EXIT_FAILURE);
}
/*Load the password for the Private Key*/
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,KEY_PASSWD);
/* specifying what private key to use, get from KEY_FILE */
if(SSL_CTX_use_PrivateKey_file(ssl_ctx, KEY_FILE, SSL_FILETYPE_PEM) <= 0){
perror("KEY_FILE error\n");
exit(EXIT_FAILURE);
}
/* verifying that the private key matches the public certificate */
if (!SSL_CTX_check_private_key(ssl_ctx)){
perror("private key not matching the public certificate\n");
exit(EXIT_FAILURE);
}
return ssl_ctx;
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
SSL_CTX *ctx;
SSLeay_add_ssl_algorithms ();
SSL_load_error_strings ();
ctx =
SSL_CTX_new (server ? SSLv3_server_method () :
SSLv3_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300);
/* used in SSL_connect(), SSL_accept() */
SSL_CTX_set_info_callback (ctx, info_cb_func);
return (ctx);
}
void PosixSslServerSocket::loadCertificates( const std::string & certificateFile,
const std::string & keyFile ) {
SSL_CTX * sslContext;
int rc;
sslContext = SSL_CTX_new(SSLv3_server_method());
rc = SSL_CTX_load_verify_locations(sslContext,certificateFile.c_str(),keyFile.c_str());
if( rc <= 0 )
ERR_print_errors_fp(stdout);
rc = SSL_CTX_set_default_verify_paths(sslContext);
if( rc <= 0 )
ERR_print_errors_fp(stdout);
rc = SSL_CTX_use_certificate_file(sslContext,certificateFile.c_str(),SSL_FILETYPE_PEM);
if( rc <= 0 )
ERR_print_errors_fp(stdout);
rc = SSL_CTX_use_PrivateKey_file(sslContext,keyFile.c_str(),SSL_FILETYPE_PEM);
if( rc <= 0 )
ERR_print_errors_fp(stdout);
setSslContext(sslContext);
}
/*
* initialize ssl methods
*/
static void
init_ssl_methods(void)
{
DBG("init_methods: Entered\n");
ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method();
ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
ssl_methods[TLS_USE_SSLv2 - 1] = SSLv2_method();
ssl_methods[TLS_USE_SSLv3_cli - 1] = SSLv3_client_method();
ssl_methods[TLS_USE_SSLv3_srv - 1] = SSLv3_server_method();
ssl_methods[TLS_USE_SSLv3 - 1] = SSLv3_method();
ssl_methods[TLS_USE_TLSv1_cli - 1] = TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv - 1] = TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1 - 1] = TLSv1_method();
ssl_methods[TLS_USE_SSLv23_cli - 1] = SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
}
int TPC_Logging_Acceptor::open
(const ACE_SOCK_Acceptor::PEER_ADDR &local_addr,
ACE_Reactor *reactor,
int flags, int use_select, int reuse_addr) {
if (PARENT::open (local_addr, reactor, flags,
use_select, reuse_addr) != 0)
return -1;
OpenSSL_add_ssl_algorithms ();
ssl_ctx_ = SSL_CTX_new (SSLv3_server_method ());
if (ssl_ctx_ == 0) return -1;
if (SSL_CTX_use_certificate_file (ssl_ctx_,
TPC_CERTIFICATE_FILENAME,
SSL_FILETYPE_PEM) <= 0
|| SSL_CTX_use_PrivateKey_file (ssl_ctx_,
TPC_KEY_FILENAME,
SSL_FILETYPE_PEM) <= 0
|| !SSL_CTX_check_private_key (ssl_ctx_))
return -1;
ssl_ = SSL_new (ssl_ctx_);
return ssl_ == 0 ? -1 : 0;
}
