bool ceckey::verify(const uint256 &hash, const std::vector<unsigned char>& vchsig) {
if (vchsig.empty())
return false;
// new versions of openssl will reject non-canonical der signatures. de/re-serialize first.
unsigned char *norm_der = null;
ecdsa_sig *norm_sig = ecdsa_sig_new();
const unsigned char* sigptr = &vchsig[0];
assert(norm_sig);
if (d2i_ecdsa_sig(&norm_sig, &sigptr, vchsig.size()) == null)
{
/* as of openssl 1.0.0p d2i_ecdsa_sig frees and nulls the pointer on
* error. but openssl's own use of this function redundantly frees the
* result. as ecdsa_sig_free(null) is a no-op, and in the absence of a
* clear contract for the function behaving the same way is more
* conservative.
*/
ecdsa_sig_free(norm_sig);
return false;
}
int derlen = i2d_ecdsa_sig(norm_sig, &norm_der);
ecdsa_sig_free(norm_sig);
if (derlen <= 0)
return false;
// -1 = error, 0 = bad sig, 1 = good
bool ret = ecdsa_verify(0, (unsigned char*)&hash, sizeof(hash), norm_der, derlen, pkey) == 1;
openssl_free(norm_der);
return ret;
}
openssl_con *
openssl_connect_fd(openssl_env *env, int fd, int timeout) {
openssl_con *c = (openssl_con *)calloc(1, sizeof(*c));
if (!c) return 0;
c->env = env;
#ifdef HAVE_OPENSSL
c->con = (SSL *)SSL_new(env->ctx);
#elif HAVE_MATRIXSSL
c->con = (SSL *)SSL_new(env->keys, 0);
#endif
c->sock = fd;
c->timeout = timeout;
SSL_set_fd(c->con, c->sock);
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL_ENGINE
SSL_set_app_data(c->con, c);
#endif
SSL_set_connect_state(c->con);
if (SSL_connect(c->con) < 0) {
char is_error = 0;
#if(_debug_)
unsigned long error;
while ((error = ERR_get_error())) {
syslog(LOG_DEBUG, "%s(%d): TLS: %s", __FUNCTION__, __LINE__, ERR_error_string(error, NULL));
is_error = 1;
}
#endif
if (is_error) {
openssl_free(c);
return 0;
}
}
#elif HAVE_MATRIXSSL
if (!SSL_connect(c->con, certValidator, c)) {
syslog(LOG_ERR, "%s: openssl_connect_fd", strerror(errno));
openssl_free(c);
return 0;
}
#endif
return c;
}
static int shutdown_ssl() {
if (server.conn.sslcon) {
openssl_shutdown(server.conn.sslcon, 2);
openssl_free(server.conn.sslcon);
}
close(server.conn.sock);
server.conn.sock = 0;
server.conn.connected = 0;
return 0;
}
int conn_close(struct conn_t *conn) {
if (conn->sock)
close(conn->sock);
#ifdef HAVE_SSL
if (conn->sslcon) {
openssl_shutdown(conn->sslcon, 2);
openssl_free(conn->sslcon);
conn->sslcon = 0;
}
#endif
conn->sock = 0;
return 0;
}
openssl_con *
openssl_accept_fd(openssl_env *env, int fd, int timeout, struct redir_conn_t *conn) {
openssl_con *c = (openssl_con *)calloc(1, sizeof(openssl_con));
int rc;
if (!c) return 0;
if (!env || !env->ready) {
syslog(LOG_ERR, "SSL not available!");
openssl_free(c);
return 0;
}
c->env = env;
#ifdef HAVE_OPENSSL
c->con = (SSL *)SSL_new(env->ctx);
#elif HAVE_MATRIXSSL
c->con = (SSL *)SSL_new(env->keys, SSL_FLAGS_SERVER);
#endif
c->sock = fd;
c->timeout = timeout;
SSL_set_fd(c->con, c->sock);
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL_ENGINE
SSL_clear(c->con);
#endif
#ifdef HAVE_OPENSSL_ENGINE
SSL_set_app_data(c->con, c);
#endif
SSL_set_accept_state(c->con);
#ifdef HAVE_OPENSSL_ENGINE
SSL_set_verify_result(c->con, X509_V_OK);
#endif
if ((rc = openssl_check_accept(c, conn)) < 0) {
SSL_set_shutdown(c->con, SSL_RECEIVED_SHUTDOWN);
openssl_free(c);
return 0;
}
#elif HAVE_MATRIXSSL
/* ndelay_off(c->sock); */
matrixSslSetCertValidator(c->con->ssl, certValidator, c->con->keys);
if ((rc = SSL_accept2(c->con)) < 0) {
syslog(LOG_ERR, "%s: SSL accept failure %s", strerror(errno), c->con->status);
openssl_free(c);
return 0;
}
SSL_is_init_finished(c->con);
/* ndelay_on(c->sock);*/
#else
#error NO SSL SUPPORT
#endif
return c;
}
