X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssli_openssl.c;h=2dd55ef8839bfe334c717c896305416543b4608f;hb=c72ebd29f239793218f2248c3f8b48a7b3e0a541;hp=0542bff3441934fc710566cc16b2d5a13ca40ffd;hpb=4f1c250ec3343600a97ff05da2c72175e05d2125;p=umurmur.git diff --git a/src/ssli_openssl.c b/src/ssli_openssl.c index 0542bff..2dd55ef 100644 --- a/src/ssli_openssl.c +++ b/src/ssli_openssl.c @@ -33,6 +33,7 @@ #include "conf.h" #include "log.h" +#include "memory.h" #include "ssl.h" /* @@ -48,6 +49,8 @@ static RSA *rsa; static SSL_CTX *context; static EVP_PKEY *pkey; +static char const * ciphers = "EECDH+AESGCM:AES256-SHA:AES128-SHA"; + static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx); static int SSL_add_ext(X509 * crt, int nid, char *value) { @@ -154,106 +157,84 @@ static void SSL_writekey(char *keyfile, RSA *rsa) static void SSL_initializeCert() { - char *crt, *key, *pass; - - crt = (char *)getStrConf(CERTIFICATE); - key = (char *)getStrConf(KEY); - pass = (char *)getStrConf(PASSPHRASE); + char *crt = (char *)getStrConf(CERTIFICATE); + char *key = (char *)getStrConf(KEY); - x509 = SSL_readcert(crt); - rsa = SSL_readprivatekey(key); - if (rsa != NULL) { - pkey = EVP_PKEY_new(); - EVP_PKEY_assign_RSA(pkey, rsa); - } + if (context) { + bool_t did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt); + rsa = SSL_readprivatekey(key); + if (!rsa || !did_load_cert) { + Log_info("Generating new server certificate."); -#if 0 - /* Later ... */ - if (key && !x509) { - qscCert = QSslCertificate(key); - if (! qscCert.isNull()) { - logthis("Using certificate from key."); - } - } - - if (! qscCert.isNull()) { - QSsl::KeyAlgorithm alg = qscCert.publicKey().algorithm(); - /* Fetch algorith from cert */ - if (! key.isEmpty()) { - /* get key */ - qskKey = QSslKey(key, alg, QSsl::Pem, QSsl::PrivateKey, pass); - if (qskKey.isNull()) { - logthis("Failed to parse key."); - } - } - - if (! crt.isEmpty() && qskKey.isNull()) { - /* get key from certificate */ - qskKey = QSslKey(crt, alg, QSsl::Pem, QSsl::PrivateKey, pass); - if (! qskKey.isNull()) { - logthis("Using key from certificate."); - } - } - } -#endif + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - if (!rsa || !x509) { - Log_info("Generating new server certificate."); + x509 = X509_new(); + pkey = EVP_PKEY_new(); + rsa = RSA_generate_key(4096,RSA_F4,NULL,NULL); + EVP_PKEY_assign_RSA(pkey, rsa); + X509_set_version(x509, 2); + ASN1_INTEGER_set(X509_get_serialNumber(x509),1); + X509_gmtime_adj(X509_get_notBefore(x509),0); + X509_gmtime_adj(X509_get_notAfter(x509),60*60*24*365); + X509_set_pubkey(x509, pkey); - CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + X509_NAME *name=X509_get_subject_name(x509); - x509 = X509_new(); - pkey = EVP_PKEY_new(); - rsa = RSA_generate_key(1024,RSA_F4,NULL,NULL); - EVP_PKEY_assign_RSA(pkey, rsa); + X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (const uint8_t *)"Murmur Autogenerated Certificate v2", -1, -1, 0); + X509_set_issuer_name(x509, name); + SSL_add_ext(x509, NID_basic_constraints, "critical,CA:FALSE"); + SSL_add_ext(x509, NID_ext_key_usage, "serverAuth,clientAuth"); + SSL_add_ext(x509, NID_subject_key_identifier, "hash"); + SSL_add_ext(x509, NID_netscape_comment, "Generated from umurmur"); - X509_set_version(x509, 2); - ASN1_INTEGER_set(X509_get_serialNumber(x509),1); - X509_gmtime_adj(X509_get_notBefore(x509),0); - X509_gmtime_adj(X509_get_notAfter(x509),60*60*24*365); - X509_set_pubkey(x509, pkey); + X509_sign(x509, pkey, EVP_md5()); - X509_NAME *name=X509_get_subject_name(x509); + SSL_writecert(crt, x509); + SSL_writekey(key, rsa); - X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (const uint8_t *)"Murmur Autogenerated Certificate v2", -1, -1, 0); - X509_set_issuer_name(x509, name); - SSL_add_ext(x509, NID_basic_constraints, "critical,CA:FALSE"); - SSL_add_ext(x509, NID_ext_key_usage, "serverAuth,clientAuth"); - SSL_add_ext(x509, NID_subject_key_identifier, "hash"); - SSL_add_ext(x509, NID_netscape_comment, "Generated from umurmur"); + SSL_CTX_use_certificate(context, x509); + } else { + pkey = EVP_PKEY_new(); + EVP_PKEY_assign_RSA(pkey, rsa); + } - X509_sign(x509, pkey, EVP_md5()); + SSL_CTX_use_PrivateKey(context, pkey); - SSL_writecert(crt, x509); - SSL_writekey(key, rsa); + } else { + Log_fatal("Failed to initialize TLS context."); } } void SSLi_init(void) { - SSL_METHOD *method; SSL *ssl; int i, offset = 0, cipherstringlen = 0; STACK_OF(SSL_CIPHER) *cipherlist = NULL, *cipherlist_new = NULL; SSL_CIPHER *cipher; - char *cipherstring, tempstring[128]; + char *cipherstring; SSL_library_init(); - OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */ - SSL_load_error_strings(); /* load all error messages */ - ERR_load_crypto_strings(); /* load all error messages */ - method = SSLv23_server_method(); /* create new server-method instance */ - context = SSL_CTX_new(method); /* create new context from method */ + OpenSSL_add_all_algorithms(); + SSL_load_error_strings(); + ERR_load_crypto_strings(); + + context = SSL_CTX_new(TLSv1_2_server_method()); if (context == NULL) { ERR_print_errors_fp(stderr); abort(); } + SSL_CTX_set_cipher_list(context, ciphers); + + EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + SSL_CTX_set_tmp_ecdh(context, ecdhkey); + EC_KEY_free(ecdhkey); + char const * sslCAPath = getStrConf(CAPATH); if(sslCAPath != NULL) { @@ -261,12 +242,6 @@ void SSLi_init(void) } SSL_initializeCert(); - if (SSL_CTX_use_certificate(context, x509) <= 0) - Log_fatal("Failed to initialize cert"); - if (SSL_CTX_use_PrivateKey(context, pkey) <= 0) { - ERR_print_errors_fp(stderr); - Log_fatal("Failed to initialize private key"); - } /* Set cipher list */ ssl = SSL_new(context); @@ -284,9 +259,7 @@ void SSLi_init(void) Log_debug("%s", SSL_CIPHER_get_name(cipher)); cipherstringlen += strlen(SSL_CIPHER_get_name(cipher)) + 1; } - cipherstring = malloc(cipherstringlen + 1); - if (cipherstring == NULL) - Log_fatal("Out of memory"); + cipherstring = Memory_safeMalloc(1, cipherstringlen + 1); for (i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) { offset += sprintf(cipherstring + offset, "%s:", SSL_CIPHER_get_name(cipher)); } @@ -362,10 +335,7 @@ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash) } len = i2d_X509(x509, NULL); - buf = malloc(len); - if (buf == NULL) { - Log_fatal("malloc"); - } + buf = Memory_safeMalloc(1, len); p = buf; i2d_X509(x509, &p);