#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/poll.h>
#include <netdb.h>
#include <fcntl.h>
#include <openssl/ssl.h>

static int library_inited;

/* Verify callback installed by init_serverside_tls. It reports success no
 * matter what OpenSSL's own verification decided, so a peer certificate that
 * cannot be verified never aborts the handshake. Both arguments are
 * deliberately ignored. */
static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {
  (void)preverify_ok;
  (void)ctx;
  return 1;
}

/* File names used by the two init_*_tls functions below. They are plain
 * (non-const, non-static) pointers to string literals, so they can be
 * repointed from elsewhere — presumably by option parsing in another file;
 * TODO confirm. Relative names are resolved against the current working
 * directory at the time init_*_tls runs. */
/* PEM file holding the server certificate chain AND its RSA private key */
const char* ssl_server_cert="server.pem";
/* PEM CRL file for client certificates; loaded best-effort on the server side */
const char* ssl_client_crl="clientcrl.pem";
/* PEM CA file used as trust anchors for client certificates (server side) */
const char* ssl_client_ca="clientca.pem";
/* OpenSSL cipher string applied to every SSL object created here */
const char* ssl_ciphers="DEFAULT";
/* PEM file holding the client certificate chain AND its RSA private key */
const char* ssl_client_cert="clientcert.pem";

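/*
 * Build a server-side SSL object on an already-accepted socket.
 * (Originally taken from the qmail tls patch.)
 *
 * On success *ssl holds a fresh SSL bound to sock and 0 is returned; the
 * caller then drives the handshake with SSL_accept(*ssl) and later releases
 * the object with SSL_free(). On failure -1 is returned, *ssl is left
 * untouched and nothing is leaked.
 *
 * Trust model as configured here: the server certificate chain and its RSA
 * key are both read from ssl_server_cert. ssl_client_ca and ssl_client_crl
 * are loaded best-effort (a missing or unreadable file is not an error), and
 * because the verify mode is SSL_VERIFY_NONE the peer is never asked for a
 * certificate, so the CRL flags only take effect if a caller later raises the
 * verify mode on the returned object.
 */
int init_serverside_tls(SSL** ssl,int sock) {
  SSL* myssl;
  SSL_CTX* ctx;
  X509_STORE *store;
  X509_LOOKUP *lookup;

  if (!library_inited) {
    library_inited=1;
    SSL_library_init();
  }
  /* a new SSL context; SSLv23_server_method negotiates the highest protocol
   * both sides support, so the legacy SSLv2/SSLv3 versions are ruled out
   * explicitly rather than left to the library default */
  if (!(ctx=SSL_CTX_new(SSLv23_server_method())))
    return -1;
  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

  if (!SSL_CTX_use_certificate_chain_file(ctx, ssl_server_cert))
    goto fail_ctx;

  /* best-effort: without the CA file there are simply no trust anchors */
  SSL_CTX_load_verify_locations(ctx, ssl_client_ca, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
  /* crl checking, again best-effort: only enabled if the CRL file loads */
  store = SSL_CTX_get_cert_store(ctx);
  if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) &&
      (X509_load_crl_file(lookup, ssl_client_crl, X509_FILETYPE_PEM) == 1))
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
                                X509_V_FLAG_CRL_CHECK_ALL);
#endif

  /* set the callback here; SSL_set_verify didn't work before 0.9.6c.
   * SSL_VERIFY_NONE means no client certificate is requested, and verify_cb
   * would accept one anyway. */
  SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb);

  /* a new SSL object, with the rest added to it directly to avoid copying;
   * SSL_new takes its own reference on ctx, so ours is dropped right away */
  myssl = SSL_new(ctx);
  SSL_CTX_free(ctx);
  if (!myssl)
    return -1;

  /* this will also check whether public and private keys match */
  if (!SSL_use_RSAPrivateKey_file(myssl, ssl_server_cert, SSL_FILETYPE_PEM))
    goto fail_ssl;

  /* an unusable cipher string previously went unnoticed and only surfaced as
   * a failing handshake; report it to the caller here instead */
  if (!SSL_set_cipher_list(myssl, ssl_ciphers))
    goto fail_ssl;

  if (!SSL_set_fd(myssl, sock))
    goto fail_ssl;

  *ssl = myssl; /* call SSL_accept(*ssl) next */
  return 0;

fail_ssl:
  SSL_free(myssl);
  return -1;
fail_ctx:
  SSL_CTX_free(ctx);
  return -1;
}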


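/*
 * Build a client-side SSL object on an already-connected socket.
 * (Originally taken from the qmail tls patch.)
 *
 * On success *ssl holds a fresh SSL bound to sock and 0 is returned; the
 * caller then runs SSL_connect(*ssl) and eventually SSL_free(). On failure
 * -1 is returned, *ssl is left untouched and nothing is leaked.
 *
 * No CA file is loaded and the verify mode is left at OpenSSL's default
 * (SSL_VERIFY_NONE), so the server's certificate is NOT verified by this
 * function and the connection is not protected against an active
 * man-in-the-middle. Callers that need server authentication must install
 * trust anchors and raise the verify mode on *ssl before SSL_connect.
 */
int init_clientside_tls(SSL** ssl,int sock) {
  SSL* myssl;
  SSL_CTX* ctx;

  if (!library_inited) {
    library_inited=1;
    SSL_library_init();
  }
  if (!(ctx=SSL_CTX_new(SSLv23_client_method()))) return -1;
  /* rule out the legacy SSLv2/SSLv3 versions that SSLv23_client_method would
   * otherwise be willing to negotiate */
  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

  /* the client certificate is optional: it is only offered if the file is
   * usable, and the RSA key is read from that same file. A key that fails to
   * load is deliberately tolerated here (best-effort, as before); the
   * mismatch then surfaces only if the server actually asks for a client
   * certificate. */
  if (SSL_CTX_use_certificate_chain_file(ctx, ssl_client_cert))
    SSL_CTX_use_RSAPrivateKey_file(ctx, ssl_client_cert, SSL_FILETYPE_PEM);

  /* SSL_new holds its own reference on ctx, so ours is released immediately */
  myssl=SSL_new(ctx);
  SSL_CTX_free(ctx);
  if (!myssl) return -1;

  /* an unusable cipher string or a bad descriptor used to be ignored and only
   * surfaced as a failing handshake; fail here instead so the caller knows */
  if (!SSL_set_cipher_list(myssl, ssl_ciphers) || !SSL_set_fd(myssl, sock)) {
    SSL_free(myssl);
    return -1;
  }

  *ssl=myssl; /* call SSL_connect(*ssl) next */
  return 0;
}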