ENVELOP_API int env_init(IN const char * cert,IN const char * key)
{
//初始化Openssl
do {
CRYPTO_malloc_init();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
ERR_load_PEM_strings();//TaoNote ,如果不调这个函数,则在读读取PEM时会异常
ERR_load_crypto_strings();
} while(0);
//检查证书文件是否可用
if(cert != NULL)
{
if(g_pub_key != NULL)
EVP_PKEY_free(g_pub_key);
g_pub_key = read_pub_key(cert);
if(!g_pub_key)
return ERR_ENV_CERT_INVALID;
g_pub_key_size = EVP_PKEY_size(g_pub_key);
}
//检查私钥文件是否可用
if(g_prv_key != NULL)
EVP_PKEY_free(g_prv_key);
g_prv_key = read_private_key(key);
if (!g_prv_key)
return ERR_ENV_KEY_INVALID;
return 0;
}
/*
* Initialize the OpenSSL subsystem for use in a multi threaded enviroment.
*/
static BOOL server_initialize_ssl( Remote * remote )
{
int i = 0;
lock_acquire( remote->lock );
// Begin to bring up the OpenSSL subsystem...
CRYPTO_malloc_init();
SSL_load_error_strings();
SSL_library_init();
// Setup the required OpenSSL multi-threaded enviroment...
ssl_locks = (LOCK**)malloc( CRYPTO_num_locks() * sizeof(LOCK *) );
if( ssl_locks == NULL )
{
lock_release( remote->lock );
return FALSE;
}
for( i=0 ; i<CRYPTO_num_locks() ; i++ )
ssl_locks[i] = lock_create();
CRYPTO_set_id_callback( server_threadid_callback );
CRYPTO_set_locking_callback( server_locking_callback );
CRYPTO_set_dynlock_create_callback( server_dynamiclock_create );
CRYPTO_set_dynlock_lock_callback( server_dynamiclock_lock );
CRYPTO_set_dynlock_destroy_callback( server_dynamiclock_destroy );
lock_release( remote->lock );
return TRUE;
}
/*!
* @brief Initialize the OpenSSL subsystem for use in a multi threaded enviroment.
* @param transport Pointer to the transport instance.
* @return Indication of success or failure.
*/
static BOOL server_initialize_ssl(Transport* transport) {
int i;
lock_acquire(transport->lock);
// Begin to bring up the OpenSSL subsystem...
CRYPTO_malloc_init();
SSL_load_error_strings();
SSL_library_init();
// Setup the required OpenSSL multi-threaded enviroment...
ssl_locks = malloc(CRYPTO_num_locks() * sizeof(LOCK *));
if (ssl_locks == NULL) {
dprintf("[SSL INIT] failed to allocate locks (%d locks)", CRYPTO_num_locks());
lock_release(transport->lock);
return FALSE;
}
for (i = 0; i < CRYPTO_num_locks(); i++) {
ssl_locks[i] = lock_create();
}
CRYPTO_set_id_callback(server_threadid_callback);
CRYPTO_set_locking_callback(server_locking_callback);
CRYPTO_set_dynlock_create_callback(server_dynamiclock_create);
CRYPTO_set_dynlock_lock_callback(server_dynamiclock_lock);
CRYPTO_set_dynlock_destroy_callback(server_dynamiclock_destroy);
lock_release(transport->lock);
return TRUE;
}
static int apps_startup()
{
#ifdef SIGPIPE
signal(SIGPIPE, SIG_IGN);
#endif
CRYPTO_malloc_init();
ERR_load_crypto_strings();
ERR_load_SSL_strings();
OPENSSL_load_builtin_modules();
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
#endif
if (!app_load_modules(NULL)) {
ERR_print_errors(bio_err);
BIO_printf(bio_err, "Error loading default configuration\n");
return 0;
}
OpenSSL_add_all_algorithms();
OpenSSL_add_ssl_algorithms();
setup_ui_method();
/*SSL_library_init();*/
return 1;
}
void anetSSLPrepare( ) {
CRYPTO_malloc_init(); // Initialize malloc, free, etc for OpenSSL's use
SSL_library_init(); // Initialize OpenSSL's SSL libraries
SSL_load_error_strings(); // Load SSL error strings
ERR_load_BIO_strings(); // Load BIO error strings
OpenSSL_add_all_algorithms(); // Load all available encryption algorithms
}
int ssl_test_ecdh(int argc, char *argv[])
{
BN_CTX *ctx=NULL;
int ret=1;
BIO *out;
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#ifdef OPENSSL_SYS_WIN32
CRYPTO_malloc_init();
#endif
RAND_seed(rnd_seed, sizeof rnd_seed);
#ifndef OPENSSL_SYS_WINDOWS
out = BIO_new(BIO_s_mem());
if (out == NULL) return(1);
#else
out=BIO_new(BIO_s_file());
if (out == NULL) return(1);
BIO_set_fp(out,OPENSSL_TYPE__FILE_STDOUT,BIO_NOCLOSE);
#endif
if ((ctx=BN_CTX_new()) == NULL) goto err;
/* NIST PRIME CURVES TESTS */
if (!test_ecdh_curve(NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) goto err;
if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) goto err;
if (!test_ecdh_curve(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) goto err;
if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out)) goto err;
if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out)) goto err;
/* NIST BINARY CURVES TESTS */
if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect163r2, "NIST Binary-Curve B-163", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect233k1, "NIST Binary-Curve K-233", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect233r1, "NIST Binary-Curve B-233", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect283k1, "NIST Binary-Curve K-283", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect283r1, "NIST Binary-Curve B-283", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect409k1, "NIST Binary-Curve K-409", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect409r1, "NIST Binary-Curve B-409", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect571k1, "NIST Binary-Curve K-571", ctx, out)) goto err;
if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) goto err;
ret = 0;
err:
ERR_print_errors_fp(OPENSSL_TYPE__FILE_STDERR);
if (ctx) BN_CTX_free(ctx);
BIO_free(out);
CRYPTO_cleanup_all_ex_data();
ERR_remove_thread_state(NULL);
CRYPTO_mem_leaks_fp(OPENSSL_TYPE__FILE_STDERR);
return(ret);
}
void SFSocketGlobalInit (void) {
if (!__globalInit) {
__globalInit = 1;
#ifdef _WIN32
CRYPTO_malloc_init();
#endif
SSL_library_init();
SSL_load_error_strings();
}
}
/*
功能:初始化OpenSSL
*/
void InitOpenSSL()
{
CRYPTO_malloc_init();
/* Just load the crypto library error strings,
* SSL_load_error_strings() loads the crypto AND the SSL ones */
/* SSL_load_error_strings();*/
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
}
int main(int argc, char *argv[]) {
int ret = 1;
BIO *out;
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#ifdef OPENSSL_SYS_WIN32
CRYPTO_malloc_init();
#endif
RAND_seed(rnd_seed, sizeof rnd_seed);
out = BIO_new(BIO_s_file());
if (out == NULL) EXIT(1);
BIO_set_fp(out, stdout, BIO_NOCLOSE);
if (argc == 1) {
if (!test_lwekex(out, 1)) goto err;
} else if (argc == 2 && !strcmp((const char *)argv[1], "cont")) {
BIO_printf(out, "Running continuous test. ^C to quit.\n\n");
int iterations = 0;
int failures = 0;
time_t starttime = time(NULL);
while (1) {
iterations++;
if (test_lwekex(out, 0) == 1) {
} else {
failures++;
}
if ((iterations % 100) == 0) {
BIO_printf(out, "Iterations: %d, failures: %d, elapsed time: %ld\n",
iterations, failures, time(NULL) - starttime);
if (iterations > (1 << 20)) break;
}
}
} else {
BIO_printf(out,
"Error: argument must be \"cont\" for invoking \
continuously run test.\n");
}
ret = 0;
err:
ERR_print_errors_fp(stderr);
BIO_free(out);
CRYPTO_cleanup_all_ex_data();
ERR_remove_thread_state(NULL);
CRYPTO_mem_leaks_fp(stderr);
EXIT(ret);
return (ret);
}
int main(int argc, char *argv[])
{
/* Disable rwx memory.
This will also ensure full PAX/Grsecurity protections. */
qputenv("QV4_FORCE_INTERPRETER", "1");
qputenv("QT_ENABLE_REGEXP_JIT", "0");
QApplication a(argc, argv);
a.setApplicationVersion(QLatin1String("1.1.2"));
a.setOrganizationName(QStringLiteral("Ricochet"));
#if !defined(Q_OS_WIN) && !defined(Q_OS_MAC)
a.setWindowIcon(QIcon(QStringLiteral(":/icons/ricochet.svg")));
#endif
QScopedPointer<SettingsFile> settings(new SettingsFile);
SettingsObject::setDefaultFile(settings.data());
QString error;
QLockFile *lock = 0;
if (!initSettings(settings.data(), &lock, error)) {
QMessageBox::critical(0, qApp->translate("Main", "Ricochet Error"), error);
return 1;
}
QScopedPointer<QLockFile> lockFile(lock);
initTranslation();
/* Initialize OpenSSL's allocator */
CRYPTO_malloc_init();
/* Seed the OpenSSL RNG */
if (!SecureRNG::seed())
qFatal("Failed to initialize RNG");
qsrand(SecureRNG::randomInt(UINT_MAX));
/* Tor control manager */
Tor::TorManager *torManager = Tor::TorManager::instance();
torManager->setDataDirectory(QFileInfo(settings->filePath()).path() + QStringLiteral("/tor/"));
torControl = torManager->control();
torManager->start();
/* Identities */
identityManager = new IdentityManager;
QScopedPointer<IdentityManager> scopedIdentityManager(identityManager);
/* Window */
QScopedPointer<MainWindow> w(new MainWindow);
if (!w->showUI())
return 1;
return a.exec();
}
static void lumberjack_init(void) {
if (lumberjack_init_done) {
return;
}
/* ssl init */
CRYPTO_malloc_init();
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
lumberjack_init_done = 1;
} /* lumberjack_init */
/**
* Initialise the crypto library and perform one time initialisation.
*/
static apr_status_t crypto_init(apr_pool_t *pool, const char *params, int *rc)
{
CRYPTO_malloc_init();
ERR_load_crypto_strings();
/* SSL_load_error_strings(); */
OpenSSL_add_all_algorithms();
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
apr_pool_cleanup_register(pool, pool, crypto_shutdown_helper,
apr_pool_cleanup_null);
return APR_SUCCESS;
}
static void
openssl_startup(void)
{
signal(SIGPIPE, SIG_IGN);
CRYPTO_malloc_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
#endif
setup_ui_method();
}
static void apps_startup()
{
#ifdef SIGPIPE
signal(SIGPIPE, SIG_IGN);
#endif
CRYPTO_malloc_init();
ERR_load_crypto_strings();
ERR_load_SSL_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_ssl_algorithms();
OPENSSL_load_builtin_modules();
setup_ui_method();
/*SSL_library_init();*/
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
#endif
}
int main(int argc, char *argv[])
{
QApplication a(argc, argv);
a.setApplicationVersion(QLatin1String("1.1.0"));
a.setOrganizationName(QStringLiteral("Ricochet"));
initTranslation();
#if !defined(Q_OS_WIN) && !defined(Q_OS_MAC)
a.setWindowIcon(QIcon(QStringLiteral(":/icons/ricochet.svg")));
#endif
QScopedPointer<SettingsFile> settings(new SettingsFile);
SettingsObject::setDefaultFile(settings.data());
QString error;
QLockFile *lock = 0;
if (!initSettings(settings.data(), &lock, error)) {
QMessageBox::critical(0, qApp->translate("Main", "Ricochet Error"), error);
return 1;
}
QScopedPointer<QLockFile> lockFile(lock);
/* Initialize OpenSSL's allocator */
CRYPTO_malloc_init();
/* Seed the OpenSSL RNG */
if (!SecureRNG::seed())
qFatal("Failed to initialize RNG");
qsrand(SecureRNG::randomInt(UINT_MAX));
/* Tor control manager */
Tor::TorManager *torManager = Tor::TorManager::instance();
torManager->setDataDirectory(QFileInfo(settings->filePath()).path() + QStringLiteral("/tor/"));
torControl = torManager->control();
torManager->start();
/* Identities */
identityManager = new IdentityManager;
/* Window */
MainWindow w;
return a.exec();
}
static char *
create_jwt_authrequest(struct http_io_private *priv)
{
#define BUFLEN 1024
const struct http_io_conf *const config = priv->config;
char signed_jwt[BUFLEN], assertion[BUFLEN];
char *jwt, *postfields;
int len;
/* Anything to do? */
if (config->auth.u.gs.clientId == NULL)
return 0;
if ((jwt = create_jwt_token((const char *)config->auth.u.gs.clientId)) == NULL)
return NULL;
CRYPTO_malloc_init();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
memset(signed_jwt, 0, BUFLEN);
if (sign_with_p12_key(config, config->auth.u.gs.secret_keyfile,
JWT_AUTH_DEFAULT_PASSWORD, jwt, signed_jwt, BUFLEN))
return NULL;
EVP_cleanup();
len = snprintf(assertion, BUFLEN, "%s%s%s", jwt, ".", signed_jwt);
assert(len < BUFLEN);
free(jwt);
if ((postfields = (char *)malloc(BUFLEN)) == NULL)
return NULL;
len = snprintf(postfields, BUFLEN,
"%s%s","grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=",
assertion);
assert(len < BUFLEN);
return postfields;
}
static void init_ssl_libraries(void)
{
apr_uint32_t val;
#if APR_VERSION_AT_LEAST(1,0,0)
val = apr_atomic_xchg32(&have_init_ssl, 1);
#else
val = apr_atomic_cas(&have_init_ssl, 1, 0);
#endif
if (!val) {
#if APR_HAS_THREADS
int i, numlocks;
#endif
CRYPTO_malloc_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#if APR_HAS_THREADS
numlocks = CRYPTO_num_locks();
apr_pool_create(&ssl_pool, NULL);
ssl_locks = apr_palloc(ssl_pool, sizeof(apr_thread_mutex_t*)*numlocks);
for (i = 0; i < numlocks; i++) {
apr_status_t rv;
/* Intraprocess locks don't /need/ a filename... */
rv = apr_thread_mutex_create(&ssl_locks[i],
APR_THREAD_MUTEX_DEFAULT, ssl_pool);
if (rv != APR_SUCCESS) {
/* FIXME: error out here */
}
}
CRYPTO_set_locking_callback(ssl_lock);
CRYPTO_set_id_callback(ssl_id);
CRYPTO_set_dynlock_create_callback(ssl_dyn_create);
CRYPTO_set_dynlock_lock_callback(ssl_dyn_lock);
CRYPTO_set_dynlock_destroy_callback(ssl_dyn_destroy);
apr_pool_cleanup_register(ssl_pool, NULL, cleanup_ssl, cleanup_ssl);
#endif
}
}
/**
* Initialise the crypto library and perform one time initialisation.
*/
static apr_status_t crypto_init(apr_pool_t *pool, const char *params,
const apu_err_t **result)
{
#if APR_USE_OPENSSL_PRE_1_1_API
(void)CRYPTO_malloc_init();
#else
OPENSSL_malloc_init();
#endif
ERR_load_crypto_strings();
/* SSL_load_error_strings(); */
OpenSSL_add_all_algorithms();
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
apr_pool_cleanup_register(pool, pool, crypto_shutdown_helper,
apr_pool_cleanup_null);
return APR_SUCCESS;
}
bool cOpenSSLSocket::Init() {
CRYPTO_malloc_init(); // Initialize malloc, free, etc for OpenSSL's use
SSL_library_init(); // Initialize OpenSSL's SSL libraries
SSL_load_error_strings(); // Load SSL error strings
ERR_load_BIO_strings(); // Load BIO error strings
OpenSSL_add_all_algorithms(); // Load all available encryption algorithms
//! Load the certificates and config
if ( FileSystem::FileExists( cSSLSocket::CertificatesPath ) ) {
SafeDataPointer data;
FileSystem::FileGet( cSSLSocket::CertificatesPath, data );
if ( data.DataSize > 0 ) {
BIO* mem = BIO_new(BIO_s_mem());
BIO_puts( mem, (const char*) data.Data );
while( true ) {
X509 * cert = PEM_read_bio_X509(mem, NULL, 0, NULL);
if (!cert)
break;
sCerts.push_back(cert);
}
BIO_free(mem);
}
eePRINTL( "Loaded certs from '%s': %d", cSSLSocket::CertificatesPath.c_str(), (int)sCerts.size() );
}
return true;
}
/* ssl_connect_to
* establish ssl connection over tcp connection
*/
SSL *ssl_connect_to(int s) {
SSL *ssl;
SSL_CTX *ctx;
BIO *sbio;
SSL_METHOD *meth;
CRYPTO_malloc_init();
SSL_load_error_strings();
SSL_library_init();
// meth = TLSv1_client_method();
meth = SSLv23_client_method();
ctx = SSL_CTX_new(meth);
ssl = SSL_new(ctx);
sbio = BIO_new_socket(s, BIO_NOCLOSE);
SSL_set_bio(ssl, sbio, sbio);
if (SSL_connect(ssl) <= 0) {
return NULL;
}
return ssl;
}
static int ssl_hook_pre_config(apr_pool_t *pconf,
apr_pool_t *plog,
apr_pool_t *ptemp)
{
/* We must register the library in full, to ensure our configuration
* code can successfully test the SSL environment.
*/
CRYPTO_malloc_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines();
#endif
OpenSSL_add_all_algorithms();
OPENSSL_load_builtin_modules();
/*
* Let us cleanup the ssl library when the module is unloaded
*/
apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
apr_pool_cleanup_null);
/* Register us to handle mod_log_config %c/%x variables */
ssl_var_log_config_register(pconf);
/* Register to handle mod_status status page generation */
ssl_scache_status_register(pconf);
/* Register mutex type names so they can be configured with Mutex */
ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
#ifdef HAVE_OCSP_STAPLING
ap_mutex_register(pconf, SSL_STAPLING_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
#endif
return OK;
}
static int ssl_hook_pre_config(apr_pool_t *pconf,
apr_pool_t *plog,
apr_pool_t *ptemp)
{
/* We must register the library in full, to ensure our configuration
* code can successfully test the SSL environment.
*/
CRYPTO_malloc_init();
#ifdef HAVE_OPENSSL
ERR_load_crypto_strings();
#endif
SSL_load_error_strings();
SSL_library_init();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines();
#endif
#ifdef HAVE_OPENSSL
OpenSSL_add_all_algorithms();
#if OPENSSL_VERSION_NUMBER >= 0x00907001
OPENSSL_load_builtin_modules();
#endif
#endif
/*
* Let us cleanup the ssl library when the module is unloaded
*/
apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
apr_pool_cleanup_null);
/* Register us to handle mod_log_config %c/%x variables */
ssl_var_log_config_register(pconf);
/* Register to handle mod_status status page generation */
ssl_scache_status_register(pconf);
return OK;
}
static apr_status_t
init_ssl_context(serv_ctx_t *serv_ctx,
const char *keyfile,
const char **certfiles,
const char *client_cn)
{
ssl_context_t *ssl_ctx = apr_pcalloc(serv_ctx->pool, sizeof(*ssl_ctx));
serv_ctx->ssl_ctx = ssl_ctx;
serv_ctx->client_cn = client_cn;
serv_ctx->bio_read_status = APR_SUCCESS;
/* Init OpenSSL globally */
if (!init_done)
{
CRYPTO_malloc_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
init_done = 1;
}
/* Init this connection */
if (!ssl_ctx->ctx) {
X509_STORE *store;
const char *certfile;
int i;
int rv;
ssl_ctx->ctx = SSL_CTX_new(SSLv23_server_method());
SSL_CTX_set_default_passwd_cb(ssl_ctx->ctx, pem_passwd_cb);
rv = SSL_CTX_use_PrivateKey_file(ssl_ctx->ctx, keyfile,
SSL_FILETYPE_PEM);
if (rv != 1) {
fprintf(stderr, "Cannot load private key from file '%s'\n", keyfile);
exit(1);
}
/* Set server certificate, add ca certificates if provided. */
certfile = certfiles[0];
rv = SSL_CTX_use_certificate_file(ssl_ctx->ctx, certfile, SSL_FILETYPE_PEM);
if (rv != 1) {
fprintf(stderr, "Cannot load certficate from file '%s'\n", keyfile);
exit(1);
}
i = 1;
certfile = certfiles[i++];
store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
while(certfile) {
FILE *fp = fopen(certfile, "r");
if (fp) {
X509 *ssl_cert = PEM_read_X509(fp, NULL, NULL, NULL);
fclose(fp);
SSL_CTX_add_extra_chain_cert(ssl_ctx->ctx, ssl_cert);
X509_STORE_add_cert(store, ssl_cert);
}
certfile = certfiles[i++];
}
/* This makes the server send a client certificate request during
handshake. The client certificate is optional (most tests don't
send one) by default, but mandatory if client_cn was specified. */
SSL_CTX_set_verify(ssl_ctx->ctx, SSL_VERIFY_PEER,
validate_client_certificate);
SSL_CTX_set_mode(ssl_ctx->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
ssl_ctx->bio = BIO_new(&bio_apr_socket_method);
ssl_ctx->bio->ptr = serv_ctx;
init_ssl(serv_ctx);
}
return APR_SUCCESS;
}
/*
Open the SSL module
*/
PUBLIC int sslOpen()
{
RandBuf randBuf;
X509_STORE *store;
uchar resume[16];
char *ciphers;
trace(7, "Initializing SSL");
randBuf.now = time(0);
randBuf.pid = getpid();
RAND_seed((void*) &randBuf, sizeof(randBuf));
#if ME_UNIX_LIKE
trace(6, "OpenSsl: Before calling RAND_load_file");
RAND_load_file("/dev/urandom", 256);
trace(6, "OpenSsl: After calling RAND_load_file");
#endif
CRYPTO_malloc_init();
#if !ME_WIN_LIKE
OpenSSL_add_all_algorithms();
#endif
SSL_library_init();
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
if ((sslctx = SSL_CTX_new(SSLv23_server_method())) == 0) {
error("Unable to create SSL context");
return -1;
}
/*
Set the server certificate and key files
*/
if (*ME_GOAHEAD_SSL_KEY && sslSetKeyFile(ME_GOAHEAD_SSL_KEY) < 0) {
sslClose();
return -1;
}
if (*ME_GOAHEAD_SSL_CERTIFICATE && sslSetCertFile(ME_GOAHEAD_SSL_CERTIFICATE) < 0) {
sslClose();
return -1;
}
if (ME_GOAHEAD_SSL_VERIFY_PEER) {
SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verifyClientCertificate);
SSL_CTX_set_verify_depth(sslctx, VERIFY_DEPTH);
} else {
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, verifyClientCertificate);
}
/*
Set the client certificate verification locations
*/
if (ME_GOAHEAD_SSL_AUTHORITY && *ME_GOAHEAD_SSL_AUTHORITY) {
if ((!SSL_CTX_load_verify_locations(sslctx, ME_GOAHEAD_SSL_AUTHORITY, NULL)) ||
(!SSL_CTX_set_default_verify_paths(sslctx))) {
error("Unable to read cert verification locations");
sslClose();
return -1;
}
/*
Define the list of CA certificates to send to the client before they send their client
certificate for validation
*/
SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(ME_GOAHEAD_SSL_AUTHORITY));
}
if (ME_GOAHEAD_SSL_REVOKE && *ME_GOAHEAD_SSL_REVOKE) {
store = SSL_CTX_get_cert_store(sslctx);
if (!X509_STORE_load_locations(store, ME_GOAHEAD_SSL_REVOKE, 0)) {
error("Cannot load certificate revoke list: %s", ME_GOAHEAD_SSL_REVOKE);
sslClose();
return -1;
}
}
/*
Configure DH parameters
*/
dhKey = getDhKey();
SSL_CTX_set_tmp_dh_callback(sslctx, dhcallback);
/*
Configure cipher suite
*/
if (ME_GOAHEAD_SSL_CIPHERS && *ME_GOAHEAD_SSL_CIPHERS) {
ciphers = ME_GOAHEAD_SSL_CIPHERS;
} else {
ciphers = OPENSSL_DEFAULT_CIPHERS;
}
ciphers = mapCipherNames(ciphers);
trace(5, "Using OpenSSL ciphers: %s", ciphers);
if (SSL_CTX_set_cipher_list(sslctx, ciphers) != 1) {
error("Unable to set cipher list \"%s\"", ciphers);
sslClose();
wfree(ciphers);
return -1;
}
wfree(ciphers);
/*
Define default OpenSSL options
*/
SSL_CTX_set_options(sslctx, SSL_OP_ALL);
/*
Ensure we generate a new private key for each connection
*/
SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE);
/*
Define a session reuse context
*/
RAND_bytes(resume, sizeof(resume));
SSL_CTX_set_session_id_context(sslctx, resume, sizeof(resume));
/*
Elliptic Curve initialization
*/
#if SSL_OP_SINGLE_ECDH_USE
#ifdef SSL_CTX_set_ecdh_auto
SSL_CTX_set_ecdh_auto(sslctx, 1);
#else
{
EC_KEY *ecdh;
cchar *name;
int nid;
name = ME_GOAHEAD_SSL_CURVE;
if ((nid = OBJ_sn2nid(name)) == 0) {
error("Unknown curve name \"%s\"", name);
sslClose();
return -1;
}
if ((ecdh = EC_KEY_new_by_curve_name(nid)) == 0) {
error("Unable to create curve \"%s\"", name);
sslClose();
return -1;
}
SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_ECDH_USE);
SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
#endif
SSL_CTX_set_mode(sslctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
SSL_CTX_set_options(sslctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
#endif
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(sslctx, SSL_MODE_RELEASE_BUFFERS);
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
SSL_CTX_set_mode(sslctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
#endif
/*
Select the required protocols
Disable both SSLv2 and SSLv3 by default - they are insecure
*/
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3);
#if defined(SSL_OP_NO_TLSv1) && ME_GOAHEAD_SSL_NO_V1
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1);
#endif
#if defined(SSL_OP_NO_TLSv1_1) && ME_GOAHEAD_SSL_NO_V1_1
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_1);
#endif
#if defined(SSL_OP_NO_TLSv1_2) && ME_GOAHEAD_SSL_NO_V1_2
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2);
#endif
#if defined(SSL_OP_NO_TICKET)
/*
Ticket based session reuse is enabled by default
*/
#if defined(ME_GOAHEAD_SSL_TICKET)
if (ME_GOAHEAD_SSL_TICKET) {
SSL_CTX_clear_options(sslctx, SSL_OP_NO_TICKET);
} else {
SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET);
}
#else
SSL_CTX_clear_options(sslctx, SSL_OP_NO_TICKET);
#endif
#endif
#if defined(SSL_OP_NO_COMPRESSION)
/*
CRIME attack targets compression
*/
SSL_CTX_clear_options(sslctx, SSL_OP_NO_COMPRESSION);
#endif
#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
/*
Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers.
Defaults to true.
*/
#if defined(ME_GOAHEAD_SSL_EMPTY_FRAGMENTS)
if (ME_GOAHEAD_SSL_EMPTY_FRAGMENTS) {
/* SSL_OP_ALL disables empty fragments. Only needed for ancient browsers like IE-6 on SSL-3.0/TLS-1.0 */
SSL_CTX_clear_options(sslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
} else {
SSL_CTX_set_options(sslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
}
#else
SSL_CTX_set_options(sslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
#endif
#endif
#if defined(ME_GOAHEAD_SSL_CACHE)
/*
Set the number of sessions supported. Default in OpenSSL is 20K.
*/
SSL_CTX_sess_set_cache_size(sslctx, ME_GOAHEAD_SSL_CACHE);
#else
SSL_CTX_sess_set_cache_size(sslctx, 256);
#endif
return 0;
}
int main(int argc, char** argv) {
CString sConfig;
CString sDataDir = "";
seedPRNG();
// Win32 doesn't support shell escape codes, so we do this.
CUtils::SetStdoutIsTTY(false);
CString sConsoleTitle = "ZNC " + CZNC::GetVersion();
SetConsoleTitle(sConsoleTitle.c_str());
// register Ctrl handler
if (SetConsoleCtrlHandler((PHANDLER_ROUTINE)ConsoleCtrlHandler, TRUE) == NULL)
{
CUtils::PrintMessage("Couldn't register console Ctrl handler function!");
}
// this prevents open()/read() and friends from stripping \r
// from files... simply adding _O_BINARY to the modes doesn't seem
// to be enough for some reason...
// if we don't do this, Template.cpp will break
// because it uses string.size() for file pos
// calculations.
_set_fmode(_O_BINARY);
#ifdef HAVE_LIBSSL
CRYPTO_malloc_init();
#endif
// make sure the stuff in ZNC.dll matches this exe's version... bad crashes otherwise.
if(CZNC::GetCoreVersion() != MODVERSION)
{
CUtils::PrintError("The version number in ZNC.dll doesn't match. Aborting.");
return 1;
}
// process command line arguments
int iArg, iOptIndex = -1;
bool bMakeConf = false;
bool bMakePass = false;
bool bAllowRoot = false;
#ifdef HAVE_LIBSSL
bool bMakePem = false;
while ((iArg = getopt_long(argc, argv, "hvcspd:D", g_LongOpts, &iOptIndex)) != -1) {
#else
while ((iArg = getopt_long(argc, argv, "hvcsd:D", g_LongOpts, &iOptIndex)) != -1) {
#endif /* HAVE_LIBSSL */
switch (iArg) {
case 'h':
GenerateHelp(argv[0]);
return 0;
case 'v':
cout << CZNC::GetTag() << endl;
return 0;
case 'c':
bMakeConf = true;
break;
case 's':
bMakePass = true;
break;
#ifdef HAVE_LIBSSL
case 'p':
bMakePem = true;
break;
#endif /* HAVE_LIBSSL */
case 'd':
sDataDir = CString(optarg);
break;
case 'D':
CUtils::SetDebug(true);
break;
case '?':
default:
GenerateHelp(argv[0]);
return 1;
}
}
if (optind < argc) {
sConfig = argv[optind];
}
if (!InitCsocket()) {
CUtils::PrintError("Failed to initialize Csocket!");
exit(-1);
}
CZNC* pZNC = &CZNC::Get();
pZNC->InitDirs(((argc) ? argv[0] : ""), sDataDir);
#ifdef HAVE_LIBSSL
if (bMakePem) {
pZNC->WritePemFile();
delete pZNC;
return 0;
}
#endif /* HAVE_LIBSSL */
if (bMakePass) {
CString sSalt;
CString sHash = CUtils::GetSaltedHashPass(sSalt);
CUtils::PrintMessage("Use this in the <User> section of your config:");
CUtils::PrintMessage("Pass = "******"#" + sHash + "#" + sSalt + "#");
delete pZNC;
return 0;
}
#ifndef RUN_FROM_SOURCE
if (CFile::Exists(pZNC->GetCurPath() + "/znc-uninstalled.pc")) {
CUtils::PrintError("It looks like you are running znc without installing it first.");
CUtils::PrintError("Recompile with --enable-run-from-source if you intend to do that.");
}
#endif
if (bMakeConf) {
if (!pZNC->WriteNewConfig(sConfig)) {
delete pZNC;
return 0;
}
/* Fall through to normal bootup */
}
if (!pZNC->ParseConfig(sConfig)) {
if(argc < 2)
{
CUtils::PrintMessage("\n");
CUtils::PrintMessage("Press any key to continue...");
_getch();
}
else
{
CUtils::PrintError("Unrecoverable config error.");
}
delete pZNC;
return 1;
}
if (!pZNC->OnBoot()) {
CUtils::PrintError("Exiting due to module boot errors.");
delete pZNC;
return 1;
}
// removed: checks for isRoot, bForeground, forking and signal handlers
int iRet = 0;
CUtils::PrintMessage("\n\n***************************************************");
CUtils::PrintMessage("** ZNC is now running. Do not close this window. **");
CUtils::PrintMessage("***************************************************\n\n");
try {
pZNC->Loop(&g_bMainLoop);
CUtils::PrintMessage("Terminating ...");
} catch (CException e) {
switch (e.GetType()) {
case CException::EX_Shutdown:
iRet = 0;
CUtils::PrintMessage("************** Shutting down ZNC... **************");
break;
case CException::EX_Restart: {
// strdup() because GCC is stupid
char *args[] = {
strdup(argv[0]),
strdup("--datadir"),
strdup(pZNC->GetZNCPath().c_str()),
NULL,
NULL,
NULL,
NULL,
NULL
};
int pos = 3;
if (CUtils::Debug())
args[pos++] = strdup("--debug");
#if 0
else if (bForeground)
args[pos++] = strdup("--foreground");
if (!CUtils::StdoutIsTTY())
args[pos++] = strdup("--no-color");
if (bAllowRoot)
args[pos++] = strdup("--allow-root");
#endif
args[pos++] = strdup(pZNC->GetConfigFile().c_str());
// The above code adds 4 entries to args tops
// which means the array should be big enough
CUtils::PrintMessage("************** Restarting ZNC... **************");
delete pZNC; /* stuff screws up real bad if we don't close all sockets etc. */
pZNC = NULL;
execvp(args[0], args);
CUtils::PrintError("Unable to restart znc [" + CString(strerror(errno)) + "]");
} /* Fall through */
default:
iRet = 1;
}
}
delete pZNC;
#ifdef _DEBUG
::_getch();
#endif
return iRet;
}
PUBLIC int sslOpen()
{
RandBuf randBuf;
trace(7, "Initializing SSL");
randBuf.now = time(0);
randBuf.pid = getpid();
RAND_seed((void*) &randBuf, sizeof(randBuf));
#if BIT_UNIX_LIKE
trace(6, "OpenSsl: Before calling RAND_load_file");
RAND_load_file("/dev/urandom", 256);
trace(6, "OpenSsl: After calling RAND_load_file");
#endif
CRYPTO_malloc_init();
#if !BIT_WIN_LIKE
OpenSSL_add_all_algorithms();
#endif
SSL_library_init();
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
if ((sslctx = SSL_CTX_new(SSLv23_server_method())) == 0) {
error("Unable to create SSL context");
return -1;
}
/*
Set the client certificate verification locations
*/
if (*BIT_GOAHEAD_CA) {
if ((!SSL_CTX_load_verify_locations(sslctx, BIT_GOAHEAD_CA, NULL)) || (!SSL_CTX_set_default_verify_paths(sslctx))) {
error("Unable to read cert verification locations");
sslClose();
return -1;
}
}
/*
Set the server certificate and key files
*/
if (*BIT_GOAHEAD_KEY && sslSetKeyFile(BIT_GOAHEAD_KEY) < 0) {
sslClose();
return -1;
}
if (*BIT_GOAHEAD_CERTIFICATE && sslSetCertFile(BIT_GOAHEAD_CERTIFICATE) < 0) {
sslClose();
return -1;
}
SSL_CTX_set_tmp_rsa_callback(sslctx, rsaCallback);
#if VERIFY_CLIENT
if (verifyPeer) {
SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verifyX509Certificate);
#if FUTURE && KEEP
SSL_CTX_set_verify_depth(context, VERIFY_DEPTH);
#endif
} else {
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, verifyX509Certificate);
}
#else
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, verifyX509Certificate);
#endif
/*
Set the certificate authority list for the client
*/
if (BIT_GOAHEAD_CA && *BIT_GOAHEAD_CA) {
SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(BIT_GOAHEAD_CA));
}
SSL_CTX_set_cipher_list(sslctx, BIT_GOAHEAD_CIPHERS);
SSL_CTX_set_options(sslctx, SSL_OP_ALL);
SSL_CTX_sess_set_cache_size(sslctx, 128);
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET);
#endif
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
SSL_CTX_set_options(sslctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#endif
SSL_CTX_set_mode(sslctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY);
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);
/*
Ensure we generate a new private key for each connection
*/
SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE);
return 0;
}
int main(int argc, char *argv[])
{
BN_GENCB _cb;
DH *a;
DH *b=NULL;
char buf[12];
unsigned char *abuf=NULL,*bbuf=NULL;
int i,alen,blen,aout,bout,ret=1;
BIO *out;
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#ifdef OPENSSL_SYS_WIN32
CRYPTO_malloc_init();
#endif
RAND_seed(rnd_seed, sizeof rnd_seed);
out=BIO_new(BIO_s_file());
if (out == NULL) EXIT(1);
BIO_set_fp(out,stdout,BIO_NOCLOSE);
BN_GENCB_set(&_cb, &cb, out);
if(((a = DH_new()) == NULL) || !DH_generate_parameters_ex(a, 64,
DH_GENERATOR_5, &_cb))
goto err;
if (!DH_check(a, &i)) goto err;
if (i & DH_CHECK_P_NOT_PRIME)
BIO_puts(out, "p value is not prime\n");
if (i & DH_CHECK_P_NOT_SAFE_PRIME)
BIO_puts(out, "p value is not a safe prime\n");
if (i & DH_UNABLE_TO_CHECK_GENERATOR)
BIO_puts(out, "unable to check the generator value\n");
if (i & DH_NOT_SUITABLE_GENERATOR)
BIO_puts(out, "the g value is not a generator\n");
BIO_puts(out,"\np =");
BN_print(out,a->p);
BIO_puts(out,"\ng =");
BN_print(out,a->g);
BIO_puts(out,"\n");
b=DH_new();
if (b == NULL) goto err;
b->p=BN_dup(a->p);
b->g=BN_dup(a->g);
if ((b->p == NULL) || (b->g == NULL)) goto err;
/* Set a to run with normal modexp and b to use constant time */
a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
b->flags |= DH_FLAG_NO_EXP_CONSTTIME;
if (!DH_generate_key(a)) goto err;
BIO_puts(out,"pri 1=");
BN_print(out,a->priv_key);
BIO_puts(out,"\npub 1=");
BN_print(out,a->pub_key);
BIO_puts(out,"\n");
if (!DH_generate_key(b)) goto err;
BIO_puts(out,"pri 2=");
BN_print(out,b->priv_key);
BIO_puts(out,"\npub 2=");
BN_print(out,b->pub_key);
BIO_puts(out,"\n");
alen=DH_size(a);
abuf=(unsigned char *)OPENSSL_malloc(alen);
aout=DH_compute_key(abuf,b->pub_key,a);
BIO_puts(out,"key1 =");
for (i=0; i<aout; i++)
{
snprintf(buf, sizeof(buf), "%02X",abuf[i]);
BIO_puts(out,buf);
}
BIO_puts(out,"\n");
blen=DH_size(b);
bbuf=(unsigned char *)OPENSSL_malloc(blen);
bout=DH_compute_key(bbuf,a->pub_key,b);
BIO_puts(out,"key2 =");
for (i=0; i<bout; i++)
{
snprintf(buf, sizeof(buf), "%02X",bbuf[i]);
BIO_puts(out,buf);
}
BIO_puts(out,"\n");
if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0))
{
fprintf(stderr,"Error in DH routines\n");
ret=1;
}
else
ret=0;
err:
ERR_print_errors_fp(stderr);
if (abuf != NULL) OPENSSL_free(abuf);
if (bbuf != NULL) OPENSSL_free(bbuf);
if(b != NULL) DH_free(b);
if(a != NULL) DH_free(a);
BIO_free(out);
#ifdef OPENSSL_SYS_NETWARE
if (ret) printf("ERROR: %d\n", ret);
#endif
EXIT(ret);
return(ret);
}
int main(int argc, char *argv[])
{
BN_CTX *ctx = NULL;
int ret = 1;
BIO *out;
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
# ifdef OPENSSL_SYS_WIN32
CRYPTO_malloc_init();
# endif
RAND_seed(rnd_seed, sizeof(rnd_seed));
out = BIO_new(BIO_s_file());
if (out == NULL)
EXIT(1);
BIO_set_fp(out, stdout, BIO_NOCLOSE);
if ((ctx = BN_CTX_new()) == NULL)
goto err;
/* NIST PRIME CURVES TESTS */
if (!test_ecdh_curve
(NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
goto err;
if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
goto err;
if (!test_ecdh_curve
(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
goto err;
if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out))
goto err;
if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out))
goto err;
# ifndef OPENSSL_NO_EC2M
/* NIST BINARY CURVES TESTS */
if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect163r2, "NIST Binary-Curve B-163", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect233k1, "NIST Binary-Curve K-233", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect233r1, "NIST Binary-Curve B-233", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect283k1, "NIST Binary-Curve K-283", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect283r1, "NIST Binary-Curve B-283", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect409k1, "NIST Binary-Curve K-409", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect409r1, "NIST Binary-Curve B-409", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect571k1, "NIST Binary-Curve K-571", ctx, out))
goto err;
if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
goto err;
# endif
if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
goto err;
if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
goto err;
if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
goto err;
ret = 0;
err:
ERR_print_errors_fp(stderr);
if (ctx)
BN_CTX_free(ctx);
BIO_free(out);
CRYPTO_cleanup_all_ex_data();
ERR_remove_thread_state(NULL);
CRYPTO_mem_leaks_fp(stderr);
EXIT(ret);
return (ret);
}
static int parse_pkcs7_data(const options_t *options, const CRYPT_DATA_BLOB *blob)
{
int result = 0;
const cert_format_e input_fmt = CERT_FORMAT_DER;
PKCS7 *p7 = NULL;
BIO *in = NULL;
CRYPTO_malloc_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
in = BIO_new_mem_buf(blob->pbData, blob->cbData);
if (in == NULL) {
result = -2;
goto error;
}
switch (input_fmt) {
default: EXIT_ERROR("unhandled input format for certificate");
case CERT_FORMAT_DER:
p7 = d2i_PKCS7_bio(in, NULL);
break;
case CERT_FORMAT_PEM:
p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
break;
}
if (p7 == NULL) {
ERR_print_errors_fp(stderr);
result = -3;
goto error;
}
STACK_OF(X509) *certs = NULL;
int type = OBJ_obj2nid(p7->type);
switch (type) {
default: break;
case NID_pkcs7_signed: // PKCS7_type_is_signed(p7)
certs = p7->d.sign->cert;
break;
case NID_pkcs7_signedAndEnveloped: // PKCS7_type_is_signedAndEnveloped(p7)
certs = p7->d.signed_and_enveloped->cert;
break;
}
const int numcerts = certs != NULL ? sk_X509_num(certs) : 0;
for (int i = 0; i < numcerts; i++) {
X509 *cert = sk_X509_value(certs, i);
print_certificate(options->certout, options->certoutform, cert);
// NOTE: Calling X509_free(cert) is unnecessary.
}
// Print whether certificate signature is valid
if (numcerts > 0) {
X509 *subject = sk_X509_value(certs, 0);
X509 *issuer = sk_X509_value(certs, numcerts - 1);
int valid_sig = X509_verify(subject, X509_get_pubkey(issuer));
output("Signature", valid_sig == 1 ? "valid" : "invalid");
}
// Print signers
if (numcerts > 0) {
output_open_scope("signers", OUTPUT_SCOPE_TYPE_ARRAY);
for (int i = 0; i < numcerts; i++) {
X509 *cert = sk_X509_value(certs, i);
X509_NAME *name = X509_get_subject_name(cert);
int issuer_name_len = X509_NAME_get_text_by_NID(name, NID_commonName, NULL, 0);
if (issuer_name_len > 0) {
output_open_scope("signer", OUTPUT_SCOPE_TYPE_OBJECT);
char issuer_name[issuer_name_len + 1];
X509_NAME_get_text_by_NID(name, NID_commonName, issuer_name, issuer_name_len + 1);
output("Issuer", issuer_name);
output_close_scope(); // signer
}
}
output_close_scope(); // signers
}
error:
if (p7 != NULL)
PKCS7_free(p7);
if (in != NULL)
BIO_free(in);
// Deallocate everything from OpenSSL_add_all_algorithms
EVP_cleanup();
// Deallocate everything from ERR_load_crypto_strings
ERR_free_strings();
return result;
}
int main(int argc, char * const argv[])
{
int err = 0, r, c, long_optind = 0;
int action_count = 0;
int do_initialize = 0;
int do_import_dkek_share = 0;
int do_create_dkek_share = 0;
int do_wrap_key = 0;
int do_unwrap_key = 0;
sc_path_t path;
sc_file_t *file = NULL;
const char *opt_so_pin = NULL;
const char *opt_pin = NULL;
const char *opt_filename = NULL;
char *opt_password = NULL;
int opt_retry_counter = 3;
int opt_dkek_shares = -1;
int opt_key_reference = -1;
int opt_password_shares_threshold = -1;
int opt_password_shares_total = -1;
int opt_force = 0;
int opt_iter = 10000000;
sc_context_param_t ctx_param;
setbuf(stderr, NULL);
setbuf(stdout, NULL);
while (1) {
c = getopt_long(argc, argv, "XC:I:W:U:s:i:fr:wv", options, &long_optind);
if (c == -1)
break;
if (c == '?')
util_print_usage_and_die(app_name, options, option_help, NULL);
switch (c) {
case 'X':
do_initialize = 1;
action_count++;
break;
case 'C':
do_create_dkek_share = 1;
opt_filename = optarg;
action_count++;
break;
case 'I':
do_import_dkek_share = 1;
opt_filename = optarg;
action_count++;
break;
case 'W':
do_wrap_key = 1;
opt_filename = optarg;
action_count++;
break;
case 'U':
do_unwrap_key = 1;
opt_filename = optarg;
action_count++;
break;
case OPT_PASSWORD:
opt_password = optarg;
break;
case OPT_SO_PIN:
opt_so_pin = optarg;
break;
case OPT_PIN:
opt_pin = optarg;
break;
case OPT_RETRY:
opt_retry_counter = atol(optarg);
break;
case OPT_PASSWORD_SHARES_THRESHOLD:
opt_password_shares_threshold = atol(optarg);
break;
case OPT_PASSWORD_SHARES_TOTAL:
opt_password_shares_total = atol(optarg);
break;
case 's':
opt_dkek_shares = atol(optarg);
break;
case 'f':
opt_force = 1;
break;
case 'i':
opt_key_reference = atol(optarg);
break;
case 'r':
opt_reader = optarg;
break;
case 'v':
verbose++;
break;
case 'w':
opt_wait = 1;
break;
}
}
CRYPTO_malloc_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
memset(&ctx_param, 0, sizeof(sc_context_param_t));
ctx_param.app_name = app_name;
r = sc_context_create(&ctx, &ctx_param);
if (r != SC_SUCCESS) {
fprintf(stderr, "Failed to establish context: %s\n", sc_strerror(r));
return 1;
}
/* Only change if not in opensc.conf */
if (verbose > 1 && ctx->debug == 0) {
ctx->debug = verbose;
sc_ctx_log_to_file(ctx, "stderr");
}
err = util_connect_card(ctx, &card, opt_reader, opt_wait, verbose);
if (r != SC_SUCCESS) {
fprintf(stderr, "Failed to connect to card: %s\n", sc_strerror(r));
goto end;
}
sc_path_set(&path, SC_PATH_TYPE_DF_NAME, sc_hsm_aid.value, sc_hsm_aid.len, 0, 0);
r = sc_select_file(card, &path, &file);
if (r != SC_SUCCESS) {
fprintf(stderr, "Failed to select application: %s\n", sc_strerror(r));
goto end;
}
if (do_initialize) {
initialize(card, opt_so_pin, opt_pin, opt_retry_counter, opt_dkek_shares);
}
if (do_create_dkek_share) {
create_dkek_share(card, opt_filename, opt_iter, opt_password, opt_password_shares_threshold, opt_password_shares_total);
}
if (do_import_dkek_share) {
import_dkek_share(card, opt_filename, opt_iter, opt_password, opt_password_shares_total);
}
if (do_wrap_key) {
wrap_key(card, opt_key_reference, opt_filename, opt_pin);
}
if (do_unwrap_key) {
unwrap_key(card, opt_key_reference, opt_filename, opt_pin, opt_force);
}
if (action_count == 0) {
print_info(card, file);
}
end:
if (card) {
sc_unlock(card);
sc_disconnect_card(card);
}
if (ctx)
sc_release_context(ctx);
ERR_print_errors_fp(stderr);
return err;
}
