/** * Closes an accepted SSL server connection and deletes it form the * connection list. * @param ssl_server data for ssl server connection * @param ssl data the connection to be deleted */ void close_accepted_ssl_socket(ssl_server_connection *ssl_server, ssl_connection *ssl) { if (!ssl || !ssl_server) return; close_socket(ssl->socket); LOCK(ssl_mutex); if (ssl->prev == NULL) ssl_server->ssl_conn_list = ssl->next; else ssl->prev->next = ssl->next; END_LOCK; delete_ssl_socket(ssl); }
/** * Deletes an accepted SSL server connection from the connection * list. * @param ssl_server data for ssl server connection * @param ssl data the connection to be deleted * @return TRUE, or FALSE if an error has occured. */ int delete_accepted_ssl_socket (ssl_server_connection *ssl_server, ssl_connection *ssl) { #ifdef HAVE_OPENSSL int return_value= TRUE; if ((ssl == NULL) || (ssl_server == NULL)) { return FALSE; } LOCK(ssl_mutex); if ( ssl->prev == NULL ) { ssl_server->ssl_conn_list=ssl->next; } else { ssl->prev->next=ssl->next; } END_LOCK; if(! cleanup_ssl_socket(ssl)) { return_value= FALSE; } if (! delete_ssl_socket(ssl)) { return_value= FALSE; } return return_value; #else return FALSE; #endif }
void socket_free(Socket_T *S) { ASSERT(S && *S); #ifdef HAVE_OPENSSL if((*S)->ssl && (*S)->ssl->handler) { if((*S)->connection_type==TYPE_LOCAL) { close_ssl_socket((*S)->ssl); delete_ssl_socket((*S)->ssl); } else if((*S)->connection_type==TYPE_ACCEPT && (*S)->sslserver) { close_accepted_ssl_socket((*S)->sslserver, (*S)->ssl); } } else #endif close_socket((*S)->socket); FREE((*S)->host); FREE(*S); }
/** * Generate a new ssl connection * @return ssl connection container */ ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) { ssl_connection *ssl; if (!ssl_initialized) start_ssl(); NEW(ssl); ssl->socket_bio = NULL; ssl->handler = NULL; ssl->cert = NULL; ssl->cipher = NULL; ssl->socket = 0; ssl->next = NULL; ssl->accepted = FALSE; ssl->cert_md5 = NULL; ssl->cert_md5_len = 0; ssl->clientpemfile = clientpemfile ? xstrdup(clientpemfile) : NULL; switch (sslversion) { case SSL_VERSION_AUTO: #ifdef OPENSSL_FIPS if (FIPS_mode()) { ssl->method = TLSv1_client_method(); } else #endif ssl->method = SSLv23_client_method(); break; case SSL_VERSION_SSLV2: #ifdef OPENSSL_NO_SSL2 LogError("SSLv2 is not allowed - use either SSLv3 or TLSv1"); goto sslerror; #else #ifdef OPENSSL_FIPS if (FIPS_mode()) { LogError("SSLv2 is not allowed in FIPS mode - use TLSv1"); goto sslerror; } else #endif ssl->method = SSLv2_client_method(); #endif break; case SSL_VERSION_SSLV3: #ifdef OPENSSL_FIPS if (FIPS_mode()) { LogError("SSLv3 is not allowed in FIPS mode - use TLSv1"); goto sslerror; } else #endif ssl->method = SSLv3_client_method(); break; case SSL_VERSION_TLS: ssl->method = TLSv1_client_method(); break; default: LogError("%s: Unknown SSL version!\n", prog); goto sslerror; } if (!ssl->method) { LogError("%s: Cannot initialize SSL method -- %s\n", prog, SSLERROR); goto sslerror; } if (!(ssl->ctx = SSL_CTX_new(ssl->method))) { LogError("%s: Cannot initialize SSL server certificate handler -- %s\n", prog, SSLERROR); goto sslerror; } if (ssl->clientpemfile) { if (SSL_CTX_use_certificate_chain_file(ssl->ctx, ssl->clientpemfile) <= 0) { LogError("%s: Cannot initialize SSL server certificate -- %s\n", prog, SSLERROR); goto sslerror; } if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile, SSL_FILETYPE_PEM) <= 0) { LogError("%s: Cannot initialize SSL server private key -- %s\n", prog, SSLERROR); goto sslerror; } if (!SSL_CTX_check_private_key(ssl->ctx)) { LogError("%s: Private key does not match the certificate public key -- %s\n", prog, SSLERROR); goto sslerror; } } return ssl; sslerror: delete_ssl_socket(ssl); return NULL; }
/** * Generate a new ssl connection * @return ssl connection container */ ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) { #ifdef HAVE_OPENSSL ssl_connection *ssl = (ssl_connection *) NEW(ssl); if (!ssl_initilized) { start_ssl(); } ssl->socket_bio= NULL; ssl->handler= NULL; ssl->cert= NULL; ssl->cipher= NULL; ssl->socket= 0; ssl->next = NULL; ssl->accepted = FALSE; ssl->cert_md5 = NULL; ssl->cert_md5_len = 0; if(clientpemfile!=NULL) { ssl->clientpemfile= xstrdup(clientpemfile); } else { ssl->clientpemfile= NULL; } switch (sslversion) { case SSL_VERSION_AUTO: ssl->method = SSLv23_client_method(); break; case SSL_VERSION_SSLV2: ssl->method = SSLv2_client_method(); break; case SSL_VERSION_SSLV3: ssl->method = SSLv3_client_method(); break; case SSL_VERSION_TLS: ssl->method = TLSv1_client_method(); break; default: log("%s: new_ssl_connection(): Unknown SSL version!\n", prog); goto sslerror; } if (ssl->method == NULL ) { handle_ssl_error("new_ssl_connection()"); log("%s: new_ssl_connection(): Cannot initilize SSL method!\n", prog); goto sslerror; } if ((ssl->ctx= SSL_CTX_new (ssl->method)) == NULL ) { handle_ssl_error("new_ssl_connection()"); log("%s: new_ssl_connection(): Cannot initilize SSL server certificate" " handler!\n", prog); goto sslerror; } if ( ssl->clientpemfile!=NULL ) { if (SSL_CTX_use_certificate_file(ssl->ctx, ssl->clientpemfile, SSL_FILETYPE_PEM) <= 0) { handle_ssl_error("new_ssl_connection()"); log("%s: new_ssl_connection(): Cannot initilize SSL server" " certificate!\n", prog); goto sslerror; } if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile, SSL_FILETYPE_PEM) <= 0) { handle_ssl_error("new_ssl_connection()"); log("%s: new_ssl_connection(): Cannot initilize SSL server" " private key!\n", prog); goto sslerror; } if (!SSL_CTX_check_private_key(ssl->ctx)) { handle_ssl_error("new_ssl_connection()"); log("%s: new_ssl_connection(): Private key does not match the" " certificate public key!\n", prog); goto sslerror; } } return ssl; sslerror: delete_ssl_socket(ssl); return NULL; #else return NULL; #endif }
/** * Generate a new ssl connection * @return ssl connection container */ ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) { ssl_connection *ssl; if (!ssl_initialized) start_ssl(); NEW(ssl); ssl->socket_bio = NULL; ssl->handler = NULL; ssl->cert = NULL; ssl->cipher = NULL; ssl->socket = 0; ssl->next = NULL; ssl->accepted = FALSE; ssl->cert_md5 = NULL; ssl->cert_md5_len = 0; ssl->clientpemfile = clientpemfile ? Str_dup(clientpemfile) : NULL; switch (sslversion) { case SSL_VERSION_SSLV2: #ifdef OPENSSL_NO_SSL2 LogError("SSLv2 is not allowed - use TLS\n"); goto sslerror; #else #ifdef OPENSSL_FIPS if (FIPS_mode()) { LogError("SSLv2 is not allowed in FIPS mode - use TLS\n"); goto sslerror; } else #endif ssl->method = SSLv2_client_method(); #endif break; case SSL_VERSION_SSLV3: #ifdef OPENSSL_FIPS if (FIPS_mode()) { LogError("SSLv3 is not allowed in FIPS mode - use TLS\n"); goto sslerror; } else #endif ssl->method = SSLv3_client_method(); break; case SSL_VERSION_TLSV1: ssl->method = TLSv1_client_method(); break; #ifdef HAVE_TLSV1_1 case SSL_VERSION_TLSV11: ssl->method = TLSv1_1_client_method(); break; #endif #ifdef HAVE_TLSV1_2 case SSL_VERSION_TLSV12: ssl->method = TLSv1_2_client_method(); break; #endif case SSL_VERSION_AUTO: default: ssl->method = SSLv23_client_method(); break; } if (!ssl->method) { LogError("Cannot initialize SSL method -- %s\n", SSLERROR); goto sslerror; } if (!(ssl->ctx = SSL_CTX_new(ssl->method))) { LogError("Cannot initialize SSL client certificate handler -- %s\n", SSLERROR); goto sslerror; } if (sslversion == SSL_VERSION_AUTO) SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); if (ssl->clientpemfile) { if (SSL_CTX_use_certificate_chain_file(ssl->ctx, ssl->clientpemfile) <= 0) { LogError("Cannot initialize SSL client certificate -- %s\n", SSLERROR); goto sslerror; } if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile, SSL_FILETYPE_PEM) <= 0) { LogError("Cannot initialize SSL client private key -- %s\n", SSLERROR); goto sslerror; } if (!SSL_CTX_check_private_key(ssl->ctx)) { LogError("Private key does not match the certificate public key -- %s\n", SSLERROR); goto sslerror; } } return ssl; sslerror: delete_ssl_socket(ssl); return NULL; }