bool ceckey::verify(const uint256 &hash, const std::vector<unsigned char>& vchsig) { if (vchsig.empty()) return false; // new versions of openssl will reject non-canonical der signatures. de/re-serialize first. unsigned char *norm_der = null; ecdsa_sig *norm_sig = ecdsa_sig_new(); const unsigned char* sigptr = &vchsig[0]; assert(norm_sig); if (d2i_ecdsa_sig(&norm_sig, &sigptr, vchsig.size()) == null) { /* as of openssl 1.0.0p d2i_ecdsa_sig frees and nulls the pointer on * error. but openssl's own use of this function redundantly frees the * result. as ecdsa_sig_free(null) is a no-op, and in the absence of a * clear contract for the function behaving the same way is more * conservative. */ ecdsa_sig_free(norm_sig); return false; } int derlen = i2d_ecdsa_sig(norm_sig, &norm_der); ecdsa_sig_free(norm_sig); if (derlen <= 0) return false; // -1 = error, 0 = bad sig, 1 = good bool ret = ecdsa_verify(0, (unsigned char*)&hash, sizeof(hash), norm_der, derlen, pkey) == 1; openssl_free(norm_der); return ret; }
openssl_con * openssl_connect_fd(openssl_env *env, int fd, int timeout) { openssl_con *c = (openssl_con *)calloc(1, sizeof(*c)); if (!c) return 0; c->env = env; #ifdef HAVE_OPENSSL c->con = (SSL *)SSL_new(env->ctx); #elif HAVE_MATRIXSSL c->con = (SSL *)SSL_new(env->keys, 0); #endif c->sock = fd; c->timeout = timeout; SSL_set_fd(c->con, c->sock); #ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL_ENGINE SSL_set_app_data(c->con, c); #endif SSL_set_connect_state(c->con); if (SSL_connect(c->con) < 0) { char is_error = 0; #if(_debug_) unsigned long error; while ((error = ERR_get_error())) { syslog(LOG_DEBUG, "%s(%d): TLS: %s", __FUNCTION__, __LINE__, ERR_error_string(error, NULL)); is_error = 1; } #endif if (is_error) { openssl_free(c); return 0; } } #elif HAVE_MATRIXSSL if (!SSL_connect(c->con, certValidator, c)) { syslog(LOG_ERR, "%s: openssl_connect_fd", strerror(errno)); openssl_free(c); return 0; } #endif return c; }
static int shutdown_ssl() { if (server.conn.sslcon) { openssl_shutdown(server.conn.sslcon, 2); openssl_free(server.conn.sslcon); } close(server.conn.sock); server.conn.sock = 0; server.conn.connected = 0; return 0; }
int conn_close(struct conn_t *conn) { if (conn->sock) close(conn->sock); #ifdef HAVE_SSL if (conn->sslcon) { openssl_shutdown(conn->sslcon, 2); openssl_free(conn->sslcon); conn->sslcon = 0; } #endif conn->sock = 0; return 0; }
openssl_con * openssl_accept_fd(openssl_env *env, int fd, int timeout, struct redir_conn_t *conn) { openssl_con *c = (openssl_con *)calloc(1, sizeof(openssl_con)); int rc; if (!c) return 0; if (!env || !env->ready) { syslog(LOG_ERR, "SSL not available!"); openssl_free(c); return 0; } c->env = env; #ifdef HAVE_OPENSSL c->con = (SSL *)SSL_new(env->ctx); #elif HAVE_MATRIXSSL c->con = (SSL *)SSL_new(env->keys, SSL_FLAGS_SERVER); #endif c->sock = fd; c->timeout = timeout; SSL_set_fd(c->con, c->sock); #ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL_ENGINE SSL_clear(c->con); #endif #ifdef HAVE_OPENSSL_ENGINE SSL_set_app_data(c->con, c); #endif SSL_set_accept_state(c->con); #ifdef HAVE_OPENSSL_ENGINE SSL_set_verify_result(c->con, X509_V_OK); #endif if ((rc = openssl_check_accept(c, conn)) < 0) { SSL_set_shutdown(c->con, SSL_RECEIVED_SHUTDOWN); openssl_free(c); return 0; } #elif HAVE_MATRIXSSL /* ndelay_off(c->sock); */ matrixSslSetCertValidator(c->con->ssl, certValidator, c->con->keys); if ((rc = SSL_accept2(c->con)) < 0) { syslog(LOG_ERR, "%s: SSL accept failure %s", strerror(errno), c->con->status); openssl_free(c); return 0; } SSL_is_init_finished(c->con); /* ndelay_on(c->sock);*/ #else #error NO SSL SUPPORT #endif return c; }