static int
tls_sc_add_crl(lua_State *L) {
tls_sc_t *ctx = getSC(L);
X509_CRL *x509;
BIO *bio;
bio = _lua_load_bio(L, -1);
if (!bio) {
lua_pushboolean(L, 0);
return 1;
}
x509 = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
if (x509 == NULL) {
BIO_free(bio);
lua_pushboolean(L, 0);
return 1;
}
X509_STORE_add_crl(ctx->ca_store, x509);
X509_STORE_set_flags(ctx->ca_store,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
BIO_free(bio);
X509_CRL_free(x509);
lua_pushboolean(L, 1);
return 1;
}
int check (X509_STORE *ctx, const char *file)
{
X509 *cert = NULL;
int res = 0;
X509_STORE_CTX *csc;
cert = load_cert_from_file (file);
if (!cert)
return 0;
csc = X509_STORE_CTX_new();
if (!csc)
{
if (cert)
X509_free(cert);
return 0;
}
X509_STORE_set_flags(ctx, 0);
if(!X509_STORE_CTX_init(csc, ctx, cert, 0))
{
if (cert)
X509_free(cert);
if (csc)
X509_STORE_CTX_free(csc);
return 0;
}
res = X509_verify_cert(csc);
X509_STORE_CTX_free(csc);
X509_free(cert);
return (res > 0);
}
int C_TransIPTLS::load_crls(char *P_crlfile)
{
X509_STORE *L_store;
X509_LOOKUP *L_lookup;
/* Get the X509_STORE from SSL context */
if (!(L_store = SSL_CTX_get_cert_store(m_ssl_ctx))) {
return (-1);
}
/* Add lookup file to X509_STORE */
if (!(L_lookup = X509_STORE_add_lookup(L_store,X509_LOOKUP_file()))) {
return (-1);
}
/* Add the CRLS to the lookpup object */
if (X509_load_crl_file(L_lookup,m_crl_file,X509_FILETYPE_PEM) != 1) {
return (-1);
}
/* Set the flags of the store so that CRLS's are consulted */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE_set_flags( L_store,X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
#else
GEN_ERROR(1, "version OpenSSL (<0.9.7) cannot handle CRL files in capath");
#endif
return (1);
}
static X509_STORE *create_store(nsp_state *N)
{
#define __FN__ __FILE__ ":create_store()"
X509_STORE *store;
X509_LOOKUP *lookup;
if (!(store = X509_STORE_new())) {
n_warn(N, __FN__, "Error creating X509_STORE_CTX object");
goto err;
}
X509_STORE_set_verify_cb_func(store, verify_callback);
if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1) {
n_warn(N, __FN__, "Error loading the CA file or directory");
goto err;
}
if (X509_STORE_set_default_paths(store) != 1) {
n_warn(N, __FN__, "Error loading the system-wide CA certificates");
goto err;
}
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
n_warn(N, __FN__, "Error creating X509_LOOKUP object");
goto err;
}
if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) {
n_warn(N, __FN__, "Error reading the CRL file");
goto err;
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
return store;
err:
return NULL;
#undef __FN__
}
/**
* @brief Load CRL from file
* @param d domain
* @return 0 if not configured or on success, -1 on error
*/
static int load_crl(tls_domain_t* d)
{
int i;
int procs_no;
X509_STORE* store;
if (!d->crl_file.s) {
DBG("%s: No CRL configured\n", tls_domain_str(d));
return 0;
}
if (fix_shm_pathname(&d->crl_file) < 0)
return -1;
LOG(L_INFO, "%s: Certificate revocation lists will be checked (%.*s)\n",
tls_domain_str(d), d->crl_file.len, d->crl_file.s);
procs_no=get_max_procs();
for(i = 0; i < procs_no; i++) {
if (SSL_CTX_load_verify_locations(d->ctx[i], d->crl_file.s, 0) != 1) {
ERR("%s: Unable to load certificate revocation list '%s'\n",
tls_domain_str(d), d->crl_file.s);
TLS_ERR("load_crl:");
return -1;
}
store = SSL_CTX_get_cert_store(d->ctx[i]);
X509_STORE_set_flags(store,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
return 0;
}
IoSecureServer *IoSecureServer_setCRLFile(IoSecureServer *self, IoObject *locals, IoMessage *msg)
{
SSL_CTX *ctx = OCTX(self);
IoSeq *pathSeq = IoMessage_locals_seqArgAt_(msg, locals, 0);
char *path = IoSeq_asCString(pathSeq);
if(ctx == NULL)
{
IoState_error_(IOSTATE, msg, "SecureServer has no SSL_CTX");
return IONIL(self);
}
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_verify_cb_func(store, IoSecureSockets_Verify_CRL_Callback);
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
X509_LOOKUP *lookup;
if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())))
{
ERR_print_errors_fp(stderr);
IoState_error_(IOSTATE, msg, "Error creating X509_LOOKUP object.");
return IONIL(self);
}
if (X509_load_crl_file(lookup, path, X509_FILETYPE_PEM) != 1)
{
ERR_print_errors_fp(stderr);
IoState_error_(IOSTATE, msg, "Error loading CRL from file %s\n", path);
return IONIL(self);
}
return self;
}
int net_nfc_util_openssl_verify_certificate(net_nfc_openssl_verify_context_s *context)
{
int result = 0;
X509_STORE_CTX *store_ctx = NULL;
store_ctx = X509_STORE_CTX_new();
if (store_ctx != NULL)
{
X509_STORE_set_flags(context->store, 0);
if (X509_STORE_CTX_init(store_ctx, context->store, context->signer_cert, 0) == true)
{
result = X509_verify_cert(store_ctx);
}
else
{
DEBUG_ERR_MSG("X509_STORE_CTX_init failed");
}
X509_STORE_CTX_free(store_ctx);
}
else
{
DEBUG_ERR_MSG("X509_STORE_CTX_new failed");
}
return result;
}
int main(int argc, char *argv[]) {
X509 *cert;
X509_STORE *store;
X509_LOOKUP *lookup;
X509_STORE_CTX *verify_ctx;
FILE *fp;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
/* frist read the client certificate */
if (!(fp = fopen(CLIENT_CERT, "r"))) {
int_error("Error reading client certificate file");
}
if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
int_error("Error reading client certificate in file");
}
fclose(fp);
/* create the cert store and set the verify callback */
if (!(store = X509_STORE_new())) {
int_error("Error creating X509_STORE_CTX object");
}
X509_STORE_set_verify_cb_func(store, verify_callback);
/* load the CA certificates and CRLs */
if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1) {
int_error("Error loading the CA file or directory");
}
if (X509_STORE_set_default_paths(store) != 1) {
int_error("Error loading the system-wide CA certificates");
}
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
int_error("Error creating X509_LOOKUP object");
}
if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) {
int_error("Error reading the CRL file");
}
/* set the flags of the store so that the CRLs are consulted */
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
/* create a verification context and initialize it */
if (!(verify_ctx = X509_STORE_CTX_new())) {
int_error("Error creating X509_STORE_CTX object");
}
if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1) {
int_error("Error initializing verification context");
}
/* verify the certificate */
if (X509_verify_cert(verify_ctx) != 1) {
int_error("Error verifying the certificate");
}
else {
printf("Certificate verified correctly!\n");
}
return 0;
}
extern "C" int32_t CryptoNative_X509StoreSetRevocationFlag(X509_STORE* ctx, X509RevocationFlag revocationFlag)
{
unsigned long verifyFlags = X509_V_FLAG_CRL_CHECK;
if (revocationFlag != X509RevocationFlag::EndCertificateOnly)
{
verifyFlags |= X509_V_FLAG_CRL_CHECK_ALL;
}
return X509_STORE_set_flags(ctx, verifyFlags);
}
boolean x509_verify_cert(CryptoCert cert, rdpSettings* settings)
{
char* cert_loc;
X509_STORE_CTX* csc;
boolean status = false;
X509_STORE* cert_ctx = NULL;
X509_LOOKUP* lookup = NULL;
X509* xcert = cert->px509;
cert_ctx = X509_STORE_new();
if (cert_ctx == NULL)
goto end;
OpenSSL_add_all_algorithms();
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
cert_loc = get_local_certloc(settings->home_path);
if(cert_loc != NULL)
{
X509_LOOKUP_add_dir(lookup, cert_loc, X509_FILETYPE_ASN1);
xfree(cert_loc);
}
csc = X509_STORE_CTX_new();
if (csc == NULL)
goto end;
X509_STORE_set_flags(cert_ctx, 0);
if(!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0))
goto end;
if (X509_verify_cert(csc) == 1)
status = true;
X509_STORE_CTX_free(csc);
X509_STORE_free(cert_ctx);
end:
return status;
}
/**
* Set extra flags for handshake verification.
*/
static int meth_set_verify_ext(lua_State *L)
{
int i;
const char *str;
int crl_flag = 0;
int lsec_flag = 0;
SSL_CTX *ctx = lsec_checkcontext(L, 1);
int max = lua_gettop(L);
for (i = 2; i <= max; i++) {
str = luaL_checkstring(L, i);
if (!strcmp(str, "lsec_continue")) {
lsec_flag |= LSEC_VERIFY_CONTINUE;
} else if (!strcmp(str, "lsec_ignore_purpose")) {
lsec_flag |= LSEC_VERIFY_IGNORE_PURPOSE;
} else if (!strcmp(str, "crl_check")) {
crl_flag |= X509_V_FLAG_CRL_CHECK;
} else if (!strcmp(str, "crl_check_chain")) {
crl_flag |= X509_V_FLAG_CRL_CHECK_ALL;
} else {
lua_pushboolean(L, 0);
lua_pushfstring(L, "invalid verify option (%s)", str);
return 2;
}
}
/* Set callback? */
if (lsec_flag) {
SSL_CTX_set_verify(ctx, SSL_CTX_get_verify_mode(ctx), verify_cb);
SSL_CTX_set_cert_verify_callback(ctx, cert_verify_cb, (void*)ctx);
/* Save flag */
luaL_getmetatable(L, "SSL:Verify:Registry");
lua_pushlightuserdata(L, (void*)ctx);
lua_pushnumber(L, lsec_flag);
lua_settable(L, -3);
} else {
SSL_CTX_set_verify(ctx, SSL_CTX_get_verify_mode(ctx), NULL);
SSL_CTX_set_cert_verify_callback(ctx, NULL, NULL);
/* Remove flag */
luaL_getmetatable(L, "SSL:Verify:Registry");
lua_pushlightuserdata(L, (void*)ctx);
lua_pushnil(L);
lua_settable(L, -3);
}
/* X509 flag */
X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), crl_flag);
/* Ok */
lua_pushboolean(L, 1);
return 1;
}
BOOL x509_verify_certificate(CryptoCert cert, char* certificate_store_path)
{
X509_STORE_CTX* csc;
BOOL status = FALSE;
X509_STORE* cert_ctx = NULL;
X509_LOOKUP* lookup = NULL;
X509* xcert = cert->px509;
cert_ctx = X509_STORE_new();
if (cert_ctx == NULL)
goto end;
OpenSSL_add_all_algorithms();
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
if (certificate_store_path != NULL)
{
X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_ASN1);
}
csc = X509_STORE_CTX_new();
if (csc == NULL)
goto end;
X509_STORE_set_flags(cert_ctx, 0);
if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0))
goto end;
if (X509_verify_cert(csc) == 1)
status = TRUE;
X509_STORE_CTX_free(csc);
X509_STORE_free(cert_ctx);
end:
return status;
}
/*
* This function is used to populate an X509_STORE structure,
* which can be used by the OpenSSL TLS stack to verifying
* a TLS peer. The X509_STORE should already have been allocated.
*
* Parameters:
* store - Pointer to X509_STORE structure to hold the certs
* raw1 - char array containing PEM encoded certs to put
* into the store.
* size1 - Length of the raw1 char array
*/
EST_ERROR ossl_init_cert_store (X509_STORE *store,
unsigned char *raw1, int size1)
{
X509_STORE_set_flags(store, 0);
int cnt;
if (raw1) {
cnt = ossl_init_cert_store_from_raw(store, raw1, size1);
if (!cnt) {
EST_LOG_ERR("Cert count is zero for store");
return (EST_ERR_NO_CERTS_FOUND);
}
}
return (EST_ERR_NONE);
}
static VALUE
ossl_x509store_set_flags(VALUE self, VALUE flags)
{
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
X509_STORE *store;
long f = NUM2LONG(flags);
GetX509Store(self, store);
X509_STORE_set_flags(store, f);
#else
rb_iv_set(self, "@flags", flags);
#endif
return flags;
}
/// \brief Used by pkcs7_main() - not to be used directly.
///
/// \param N/A
/// \return N/A
///
X509_STORE *
create_store (void)
{
X509_STORE *store;
X509_LOOKUP *lookup;
/* create the cert store and set the verify callback */
if (!(store = X509_STORE_new ()))
{
fprintf (stderr, "Error creating X509_STORE_CTX object\n");
goto err;
}
X509_STORE_set_verify_cb_func (store, verify_callback);
/* load the CA certificates and CRLs */
if (X509_STORE_load_locations (store, CA_FILE, CA_DIR) != 1)
{
fprintf (stderr, "Error loading the CA file or directory\n");
goto err;
}
if (X509_STORE_set_default_paths (store) != 1)
{
fprintf (stderr, "Error loading the system-wide CA certificates\n");
goto err;
}
if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())))
{
fprintf (stderr, "Error creating X509_LOOKUP object\n");
goto err;
}
/* if (X509_load_crl_file (lookup, CRL_FILE, X509_FILETYPE_PEM) != 1)
{
fprintf (stderr, "Error reading the CRL file\n");
goto err;
}
*/
/* set the flags of the store so that CRLs are consulted */
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
return store;
err:
return NULL;
}
int s2n_x509_trust_store_from_system_defaults(struct s2n_x509_trust_store *store) {
if (!store->trust_store) {
store->trust_store = X509_STORE_new();
notnull_check(store->trust_store);
}
int err_code = X509_STORE_set_default_paths(store->trust_store);
if (!err_code) {
s2n_x509_trust_store_wipe(store);
return -1;
}
X509_STORE_set_flags(store->trust_store, X509_VP_FLAG_DEFAULT);
return 0;
}
static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
STACK_OF(X509_NAME) *calist;
X509_STORE *x509_s;
unsigned long error;
if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name);
return 0;
}
calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL;
if (!conf->cacertfile || calist) {
if (conf->cacertpath) {
if (!calist)
calist = sk_X509_NAME_new_null();
if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) {
sk_X509_NAME_free(calist);
calist = NULL;
}
}
}
if (!calist) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name);
return 0;
}
ERR_clear_error(); /* add_dir_cert_subj returns errors on success */
SSL_CTX_set_client_CA_list(ctx, calist);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
if (conf->crlcheck || conf->vpm) {
x509_s = SSL_CTX_get_cert_store(ctx);
if (conf->crlcheck)
X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
if (conf->vpm)
X509_STORE_set1_param(x509_s, conf->vpm);
}
debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name);
return 1;
}
static bool
_mongoc_ssl_setup_crl (SSL_CTX *ctx,
const char *crlfile)
{
X509_STORE *store;
X509_LOOKUP *lookup;
int status;
store = SSL_CTX_get_cert_store (ctx);
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK);
lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ());
status = X509_load_crl_file (lookup, crlfile, X509_FILETYPE_PEM);
return status != 0;
}
bool SSLManager::_setupCRL(SSL_CTX* context, const std::string& crlFile) {
X509_STORE *store = SSL_CTX_get_cert_store(context);
fassert(16583, store);
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
fassert(16584, lookup);
int status = X509_load_crl_file(lookup, crlFile.c_str(), X509_FILETYPE_PEM);
if (status == 0) {
error() << "cannot read CRL file: " << crlFile << ' ' <<
getSSLErrorMessage(ERR_get_error()) << endl;
return false;
}
log() << "ssl imported " << status << " revoked certificate" <<
((status == 1) ? "" : "s") << " from the revocation list." <<
endl;
return true;
}
/*
* Create Global X509 revocation store and use it to verify
* OCSP responses
*
* - Load the trusted CAs
* - Load the trusted issuer certificates
*/
static X509_STORE *init_revocation_store(EAP_TLS_CONF *conf)
{
X509_STORE *store = NULL;
store = X509_STORE_new();
/* Load the CAs we trust */
if (conf->ca_file || conf->ca_path)
if(!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
radlog(L_ERR, "rlm_eap: X509_STORE error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list %s",conf->ca_file );
return NULL;
}
#ifdef X509_V_FLAG_CRL_CHECK
if (conf->check_crl)
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
#endif
return store;
}
SSL_CTX *_sslctx_common_setup (SSL_CTX * the_ctx, _netsnmpTLSBaseData * tlsbase)
{
char *crlFile;
char *cipherList;
X509_LOOKUP *lookup;
X509_STORE *cert_store = NULL;
_load_trusted_certs (the_ctx);
/* add in the CRLs if available */
crlFile = netsnmp_ds_get_string (NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_X509_CRL_FILE);
if (NULL != crlFile)
{
cert_store = SSL_CTX_get_cert_store (the_ctx);
DEBUGMSGTL (("sslctx_client", "loading CRL: %s\n", crlFile));
if (!cert_store)
LOGANDDIE ("failed to find certificate store");
if (!(lookup = X509_STORE_add_lookup (cert_store, X509_LOOKUP_file ())))
LOGANDDIE ("failed to create a lookup function for the CRL file");
if (X509_load_crl_file (lookup, crlFile, X509_FILETYPE_PEM) != 1)
LOGANDDIE ("failed to load the CRL file");
/* tell openssl to check CRLs */
X509_STORE_set_flags (cert_store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
cipherList = netsnmp_ds_get_string (NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_TLS_ALGORITMS);
if (NULL != cipherList)
{
if (SSL_CTX_set_cipher_list (the_ctx, cipherList) != 1)
LOGANDDIE ("failed to set the cipher list to the requested value");
else
snmp_log (LOG_INFO, "set SSL cipher list to '%s'\n", cipherList);
}
return the_ctx;
}
int s2n_x509_trust_store_from_ca_file(struct s2n_x509_trust_store *store, const char *ca_pem_filename, const char *ca_dir) {
if (!store->trust_store) {
store->trust_store = X509_STORE_new();
notnull_check(store->trust_store);
}
int err_code = X509_STORE_load_locations(store->trust_store, ca_pem_filename, ca_dir);
if (!err_code) {
s2n_x509_trust_store_wipe(store);
return -1;
}
/* It's a likely scenario if this function is called, a self-signed certificate is used, and that is was generated
* without a trust anchor. However if you call this function, the assumption is you trust ca_file or path and if a certificate
* is encountered that's in that path, it should be trusted. The following flag tells libcrypto to not care that the cert
* is missing a root anchor. */
unsigned long flags = X509_VP_FLAG_DEFAULT;
flags |= X509_V_FLAG_PARTIAL_CHAIN;
X509_STORE_set_flags(store->trust_store, flags);
return 0;
}
static Eina_Bool
_ecore_con_ssl_server_crl_add_openssl(Ecore_Con_Server *svr,
const char *crl_file)
{
X509_STORE *st;
X509_LOOKUP *lu;
static Eina_Bool flag = EINA_FALSE;
SSL_ERROR_CHECK_GOTO_ERROR(!(st = SSL_CTX_get_cert_store(svr->ssl_ctx)));
SSL_ERROR_CHECK_GOTO_ERROR(!(lu = X509_STORE_add_lookup(st, X509_LOOKUP_file())));
SSL_ERROR_CHECK_GOTO_ERROR(X509_load_crl_file(lu, crl_file, X509_FILETYPE_PEM) < 1);
if (!flag)
{
X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
flag = EINA_TRUE;
}
return EINA_TRUE;
error:
_openssl_print_errors();
return EINA_FALSE;
}
static int ma_tls_set_certs(MYSQL *mysql)
{
char *certfile= mysql->options.ssl_cert,
*keyfile= mysql->options.ssl_key;
/* add cipher */
if ((mysql->options.ssl_cipher &&
mysql->options.ssl_cipher[0] != 0) &&
SSL_CTX_set_cipher_list(SSL_context, mysql->options.ssl_cipher) == 0)
goto error;
/* ca_file and ca_path */
if (SSL_CTX_load_verify_locations(SSL_context,
mysql->options.ssl_ca,
mysql->options.ssl_capath) == 0)
{
if (mysql->options.ssl_ca || mysql->options.ssl_capath)
goto error;
if (SSL_CTX_set_default_verify_paths(SSL_context) == 0)
goto error;
}
if (keyfile && !certfile)
certfile= keyfile;
if (certfile && !keyfile)
keyfile= certfile;
/* set cert */
if (certfile && certfile[0] != 0)
if (SSL_CTX_use_certificate_file(SSL_context, certfile, SSL_FILETYPE_PEM) != 1)
goto error;
/* If the private key file is encrypted, we need to register a callback function
* for providing password. */
if (OPT_HAS_EXT_VAL(mysql, tls_pw))
{
SSL_CTX_set_default_passwd_cb_userdata(SSL_context, (void *)mysql->options.extension->tls_pw);
SSL_CTX_set_default_passwd_cb(SSL_context, ma_tls_get_password);
}
if (keyfile && keyfile[0])
{
if (SSL_CTX_use_PrivateKey_file(SSL_context, keyfile, SSL_FILETYPE_PEM) != 1)
{
unsigned long err= ERR_peek_error();
if (!(ERR_GET_LIB(err) == ERR_LIB_X509 &&
ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE))
goto error;
}
}
if (OPT_HAS_EXT_VAL(mysql, tls_pw))
{
SSL_CTX_set_default_passwd_cb_userdata(SSL_context, NULL);
SSL_CTX_set_default_passwd_cb(SSL_context, NULL);
}
/* verify key */
if (certfile && !SSL_CTX_check_private_key(SSL_context))
goto error;
if (mysql->options.extension &&
(mysql->options.extension->ssl_crl || mysql->options.extension->ssl_crlpath))
{
X509_STORE *certstore;
if ((certstore= SSL_CTX_get_cert_store(SSL_context)))
{
if (X509_STORE_load_locations(certstore, mysql->options.extension->ssl_crl,
mysql->options.extension->ssl_crlpath) == 0)
goto error;
X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
}
return 0;
error:
ma_tls_set_error(mysql);
return 1;
}
int MAIN(int argc, char **argv)
{
int off=0;
SSL *con=NULL,*con2=NULL;
X509_STORE *store = NULL;
int s,k,width,state=0;
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
fd_set readfds,writefds;
short port=PORT;
int full_log=1;
char *host=SSL_HOST_NAME;
char *cert_file=NULL,*key_file=NULL;
int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
char *passarg = NULL, *pass = NULL;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
int crlf=0;
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0;
int starttls_proto = PROTO_OFF;
int prexit = 0, vflags = 0;
SSL_METHOD *meth=NULL;
#ifdef sock_type
#undef sock_type
#endif
int sock_type=SOCK_STREAM;
BIO *sbio;
char *inrand=NULL;
int mbuf_len=0;
#ifndef OPENSSL_NO_ENGINE
char *engine_id=NULL;
ENGINE *e=NULL;
#endif
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
struct timeval tv;
#endif
struct sockaddr peer;
int peerlen = sizeof(peer);
int enable_timeouts = 0 ;
long mtu = 0;
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_client_method();
#elif !defined(OPENSSL_NO_SSL3)
meth=SSLv3_client_method();
#elif !defined(OPENSSL_NO_SSL2)
meth=SSLv2_client_method();
#endif
apps_startup();
c_Pause=0;
c_quiet=0;
c_ign_eof=0;
c_debug=0;
c_msg=0;
c_showcerts=0;
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
verify_depth=0;
verify_error=X509_V_OK;
#ifdef FIONBIO
c_nbio=0;
#endif
argc--;
argv++;
while (argc >= 1)
{
if (strcmp(*argv,"-host") == 0)
{
if (--argc < 1) goto bad;
host= *(++argv);
}
else if (strcmp(*argv,"-port") == 0)
{
if (--argc < 1) goto bad;
port=atoi(*(++argv));
if (port == 0) goto bad;
}
else if (strcmp(*argv,"-connect") == 0)
{
if (--argc < 1) goto bad;
if (!extract_host_port(*(++argv),&host,NULL,&port))
goto bad;
}
else if (strcmp(*argv,"-verify") == 0)
{
verify=SSL_VERIFY_PEER;
if (--argc < 1) goto bad;
verify_depth=atoi(*(++argv));
BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
}
else if (strcmp(*argv,"-cert") == 0)
{
if (--argc < 1) goto bad;
cert_file= *(++argv);
}
else if (strcmp(*argv,"-certform") == 0)
{
if (--argc < 1) goto bad;
cert_format = str2fmt(*(++argv));
}
else if (strcmp(*argv,"-crl_check") == 0)
vflags |= X509_V_FLAG_CRL_CHECK;
else if (strcmp(*argv,"-crl_check_all") == 0)
vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
else if (strcmp(*argv,"-prexit") == 0)
prexit=1;
else if (strcmp(*argv,"-crlf") == 0)
crlf=1;
else if (strcmp(*argv,"-quiet") == 0)
{
c_quiet=1;
c_ign_eof=1;
}
else if (strcmp(*argv,"-ign_eof") == 0)
c_ign_eof=1;
else if (strcmp(*argv,"-pause") == 0)
c_Pause=1;
else if (strcmp(*argv,"-debug") == 0)
c_debug=1;
#ifdef WATT32
else if (strcmp(*argv,"-wdebug") == 0)
dbug_init();
#endif
else if (strcmp(*argv,"-msg") == 0)
c_msg=1;
else if (strcmp(*argv,"-showcerts") == 0)
c_showcerts=1;
else if (strcmp(*argv,"-nbio_test") == 0)
nbio_test=1;
else if (strcmp(*argv,"-state") == 0)
state=1;
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv,"-tls1") == 0)
meth=TLSv1_client_method();
#endif
#ifndef OPENSSL_NO_DTLS1
else if (strcmp(*argv,"-dtls1") == 0)
{
meth=DTLSv1_client_method();
sock_type=SOCK_DGRAM;
}
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0)
{
if (--argc < 1) goto bad;
mtu = atol(*(++argv));
}
#endif
else if (strcmp(*argv,"-bugs") == 0)
bugs=1;
else if (strcmp(*argv,"-keyform") == 0)
{
if (--argc < 1) goto bad;
key_format = str2fmt(*(++argv));
}
else if (strcmp(*argv,"-pass") == 0)
{
if (--argc < 1) goto bad;
passarg = *(++argv);
}
else if (strcmp(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
key_file= *(++argv);
}
else if (strcmp(*argv,"-reconnect") == 0)
{
reconnect=5;
}
else if (strcmp(*argv,"-CApath") == 0)
{
if (--argc < 1) goto bad;
CApath= *(++argv);
}
else if (strcmp(*argv,"-CAfile") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
}
else if (strcmp(*argv,"-no_tls1") == 0)
off|=SSL_OP_NO_TLSv1;
else if (strcmp(*argv,"-no_ssl3") == 0)
off|=SSL_OP_NO_SSLv3;
else if (strcmp(*argv,"-no_ssl2") == 0)
off|=SSL_OP_NO_SSLv2;
else if (strcmp(*argv,"-serverpref") == 0)
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv,"-cipher") == 0)
{
if (--argc < 1) goto bad;
cipher= *(++argv);
}
#ifdef FIONBIO
else if (strcmp(*argv,"-nbio") == 0)
{
c_nbio=1;
}
#endif
else if (strcmp(*argv,"-starttls") == 0)
{
if (--argc < 1) goto bad;
++argv;
if (strcmp(*argv,"smtp") == 0)
starttls_proto = PROTO_SMTP;
else if (strcmp(*argv,"pop3") == 0)
starttls_proto = PROTO_POP3;
else if (strcmp(*argv,"imap") == 0)
starttls_proto = PROTO_IMAP;
else if (strcmp(*argv,"ftp") == 0)
starttls_proto = PROTO_FTP;
else
goto bad;
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
if (--argc < 1) goto bad;
engine_id = *(++argv);
}
#endif
else if (strcmp(*argv,"-rand") == 0)
{
if (--argc < 1) goto bad;
inrand= *(++argv);
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badop=1;
break;
}
argc--;
argv++;
}
if (badop)
{
bad:
sc_usage();
goto end;
}
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine_id, 1);
#endif
if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
{
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (key_file == NULL)
key_file = cert_file;
if (key_file)
{
key = load_key(bio_err, key_file, key_format, 0, pass, e,
"client certificate private key file");
if (!key)
{
ERR_print_errors(bio_err);
goto end;
}
}
if (cert_file)
{
cert = load_cert(bio_err,cert_file,cert_format,
NULL, e, "client certificate file");
if (!cert)
{
ERR_print_errors(bio_err);
goto end;
}
}
if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
&& !RAND_status())
{
BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
}
if (inrand != NULL)
BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
if (bio_c_out == NULL)
{
if (c_quiet && !c_debug && !c_msg)
{
bio_c_out=BIO_new(BIO_s_null());
}
else
{
if (bio_c_out == NULL)
bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
}
}
ctx=SSL_CTX_new(meth);
if (ctx == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (bugs)
SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
else
SSL_CTX_set_options(ctx,off);
/* DTLS: partial reads end up discarding unread UDP bytes :-(
* Setting read ahead solves this problem.
*/
if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
if (cipher != NULL)
if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
BIO_printf(bio_err,"error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
}
#if 0
else
SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
#endif
SSL_CTX_set_verify(ctx,verify,verify_callback);
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx)))
{
/* BIO_printf(bio_err,"error setting default verify locations\n"); */
ERR_print_errors(bio_err);
/* goto end; */
}
store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_flags(store, vflags);
con=SSL_new(ctx);
#ifndef OPENSSL_NO_KRB5
if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)
{
kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
}
#endif /* OPENSSL_NO_KRB5 */
/* SSL_set_cipher_list(con,"RC4-MD5"); */
re_start:
if (init_client(&s,host,port,sock_type) == 0)
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);
goto end;
}
BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
#ifdef FIONBIO
if (c_nbio)
{
unsigned long l=1;
BIO_printf(bio_c_out,"turning on non blocking io\n");
if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
{
ERR_print_errors(bio_err);
goto end;
}
}
#endif
if (c_Pause & 0x01) con->debug=1;
if ( SSL_version(con) == DTLS1_VERSION)
{
struct timeval timeout;
sbio=BIO_new_dgram(s,BIO_NOCLOSE);
if (getsockname(s, &peer, (void *)&peerlen) < 0)
{
BIO_printf(bio_err, "getsockname:errno=%d\n",
get_last_socket_error());
SHUTDOWN(s);
goto end;
}
(void)BIO_ctrl_set_connected(sbio, 1, &peer);
if ( enable_timeouts)
{
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_SND_TIMEOUT;
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
}
if ( mtu > 0)
{
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(con, mtu);
}
else
/* want to do MTU discovery */
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
}
else
sbio=BIO_new_socket(s,BIO_NOCLOSE);
if (nbio_test)
{
BIO *test;
test=BIO_new(BIO_f_nbio_test());
sbio=BIO_push(test,sbio);
}
if (c_debug)
{
con->debug=1;
BIO_set_callback(sbio,bio_dump_callback);
BIO_set_callback_arg(sbio,(char *)bio_c_out);
}
if (c_msg)
{
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_c_out);
}
SSL_set_bio(con,sbio,sbio);
SSL_set_connect_state(con);
/* ok, lets connect */
width=SSL_get_fd(con)+1;
read_tty=1;
write_tty=0;
tty_on=0;
read_ssl=1;
write_ssl=1;
cbuf_len=0;
cbuf_off=0;
sbuf_len=0;
sbuf_off=0;
/* This is an ugly hack that does a lot of assumptions */
/* We do have to handle multi-line responses which may come
in a single packet or not. We therefore have to use
BIO_gets() which does need a buffering BIO. So during
the initial chitchat we do push a buffering BIO into the
chain that is removed again later on to not disturb the
rest of the s_client operation. */
if (starttls_proto == PROTO_SMTP)
{
int foundit=0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
/* wait for multi-line response to end from SMTP */
do
{
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
}
while (mbuf_len>3 && mbuf[3]=='-');
/* STARTTLS command requires EHLO... */
BIO_printf(fbio,"EHLO openssl.client.net\r\n");
(void)BIO_flush(fbio);
/* wait for multi-line response to end EHLO SMTP response */
do
{
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
if (strstr(mbuf,"STARTTLS"))
foundit=1;
}
while (mbuf_len>3 && mbuf[3]=='-');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
BIO_printf(bio_err,
"didn't found starttls in server response,"
" try anyway...\n");
BIO_printf(sbio,"STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
else if (starttls_proto == PROTO_POP3)
{
BIO_read(sbio,mbuf,BUFSIZZ);
BIO_printf(sbio,"STLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
else if (starttls_proto == PROTO_IMAP)
{
int foundit=0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
BIO_gets(fbio,mbuf,BUFSIZZ);
/* STARTTLS command requires CAPABILITY... */
BIO_printf(fbio,". CAPABILITY\r\n");
(void)BIO_flush(fbio);
/* wait for multi-line CAPABILITY response */
do
{
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
if (strstr(mbuf,"STARTTLS"))
foundit=1;
}
while (mbuf_len>3 && mbuf[0]!='.');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
BIO_printf(bio_err,
"didn't found STARTTLS in server response,"
" try anyway...\n");
BIO_printf(sbio,". STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
else if (starttls_proto == PROTO_FTP)
{
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
/* wait for multi-line response to end from FTP */
do
{
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
}
while (mbuf_len>3 && mbuf[3]=='-');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
BIO_printf(sbio,"AUTH TLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
for (;;)
{
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (SSL_in_init(con) && !SSL_total_renegotiations(con))
{
in_init=1;
tty_on=0;
}
else
{
tty_on=1;
if (in_init)
{
in_init=0;
print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--;
if (starttls_proto)
{
BIO_printf(bio_err,"%s",mbuf);
/* We don't need to know any more */
starttls_proto = PROTO_OFF;
}
if (reconnect)
{
reconnect--;
BIO_printf(bio_c_out,"drop connection and then reconnect\n");
SSL_shutdown(con);
SSL_set_connect_state(con);
SHUTDOWN(SSL_get_fd(con));
goto re_start;
}
}
}
ssl_pending = read_ssl && SSL_pending(con);
if (!ssl_pending)
{
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
if (tty_on)
{
if (read_tty) FD_SET(fileno(stdin),&readfds);
if (write_tty) FD_SET(fileno(stdout),&writefds);
}
if (read_ssl)
FD_SET(SSL_get_fd(con),&readfds);
if (write_ssl)
FD_SET(SSL_get_fd(con),&writefds);
#else
if(!tty_on || !write_tty) {
if (read_ssl)
FD_SET(SSL_get_fd(con),&readfds);
if (write_ssl)
FD_SET(SSL_get_fd(con),&writefds);
}
#endif
/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
/* Note: under VMS with SOCKETSHR the second parameter
* is currently of type (int *) whereas under other
* systems it is (void *) if you don't have a cast it
* will choke the compiler: if you do have a cast then
* you can either go for (int *) or (void *).
*/
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
/* Under Windows/DOS we make the assumption that we can
* always write to the tty: therefore if we need to
* write to the tty we just fall through. Otherwise
* we timeout the select every second and see if there
* are any keypresses. Note: this is a hack, in a proper
* Windows application we wouldn't do this.
*/
i=0;
if(!write_tty) {
if(read_tty) {
tv.tv_sec = 1;
tv.tv_usec = 0;
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,&tv);
#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
if(!i && (!_kbhit() || !read_tty) ) continue;
#else
if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
#endif
} else i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
}
#elif defined(OPENSSL_SYS_NETWARE)
if(!write_tty) {
if(read_tty) {
tv.tv_sec = 1;
tv.tv_usec = 0;
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,&tv);
} else i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
}
#else
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
#endif
if ( i < 0)
{
BIO_printf(bio_err,"bad select %d\n",
get_last_socket_error());
goto shut;
/* goto end; */
}
}
if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
{
k=SSL_write(con,&(cbuf[cbuf_off]),
(unsigned int)cbuf_len);
switch (SSL_get_error(con,k))
{
case SSL_ERROR_NONE:
cbuf_off+=k;
cbuf_len-=k;
if (k <= 0) goto end;
/* we have done a write(con,NULL,0); */
if (cbuf_len <= 0)
{
read_tty=1;
write_ssl=0;
}
else /* if (cbuf_len > 0) */
{
read_tty=0;
write_ssl=1;
}
break;
case SSL_ERROR_WANT_WRITE:
BIO_printf(bio_c_out,"write W BLOCK\n");
write_ssl=1;
read_tty=0;
break;
case SSL_ERROR_WANT_READ:
BIO_printf(bio_c_out,"write R BLOCK\n");
write_tty=0;
read_ssl=1;
write_ssl=0;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_c_out,"write X BLOCK\n");
break;
case SSL_ERROR_ZERO_RETURN:
if (cbuf_len != 0)
{
BIO_printf(bio_c_out,"shutdown\n");
goto shut;
}
else
{
read_tty=1;
write_ssl=0;
break;
}
case SSL_ERROR_SYSCALL:
if ((k != 0) || (cbuf_len != 0))
{
BIO_printf(bio_err,"write:errno=%d\n",
get_last_socket_error());
goto shut;
}
else
{
read_tty=1;
write_ssl=0;
}
break;
case SSL_ERROR_SSL:
ERR_print_errors(bio_err);
goto shut;
}
}
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
/* Assume Windows/DOS can always write */
else if (!ssl_pending && write_tty)
#else
else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
#endif
{
#ifdef CHARSET_EBCDIC
ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
#endif
i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len);
if (i <= 0)
{
BIO_printf(bio_c_out,"DONE\n");
goto shut;
/* goto end; */
}
sbuf_len-=i;;
sbuf_off+=i;
if (sbuf_len <= 0)
{
read_ssl=1;
write_tty=0;
}
}
else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
{
#ifdef RENEG
{ static int iiii; if (++iiii == 52) {
SSL_renegotiate(con);
iiii=0;
}
}
#endif
#if 1
k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
#else
/* Demo for pending and peek :-) */
k=SSL_read(con,sbuf,16);
{ char zbuf[10240];
printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
}
#endif
switch (SSL_get_error(con,k))
{
case SSL_ERROR_NONE:
if (k <= 0)
goto end;
sbuf_off=0;
sbuf_len=k;
read_ssl=0;
write_tty=1;
break;
case SSL_ERROR_WANT_WRITE:
BIO_printf(bio_c_out,"read W BLOCK\n");
write_ssl=1;
read_tty=0;
break;
case SSL_ERROR_WANT_READ:
BIO_printf(bio_c_out,"read R BLOCK\n");
write_tty=0;
read_ssl=1;
if ((read_tty == 0) && (write_ssl == 0))
write_ssl=1;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_c_out,"read X BLOCK\n");
break;
case SSL_ERROR_SYSCALL:
BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error());
goto shut;
case SSL_ERROR_ZERO_RETURN:
BIO_printf(bio_c_out,"closed\n");
goto shut;
case SSL_ERROR_SSL:
ERR_print_errors(bio_err);
goto shut;
/* break; */
}
}
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
else if (_kbhit())
#else
else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
#endif
#elif defined (OPENSSL_SYS_NETWARE)
else if (_kbhit())
#else
else if (FD_ISSET(fileno(stdin),&readfds))
#endif
{
if (crlf)
{
int j, lf_num;
i=read(fileno(stdin),cbuf,BUFSIZZ/2);
lf_num = 0;
/* both loops are skipped when i <= 0 */
for (j = 0; j < i; j++)
if (cbuf[j] == '\n')
lf_num++;
for (j = i-1; j >= 0; j--)
{
cbuf[j+lf_num] = cbuf[j];
if (cbuf[j] == '\n')
{
lf_num--;
i++;
cbuf[j+lf_num] = '\r';
}
}
assert(lf_num == 0);
}
else
i=read(fileno(stdin),cbuf,BUFSIZZ);
if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
{
BIO_printf(bio_err,"DONE\n");
goto shut;
}
if ((!c_ign_eof) && (cbuf[0] == 'R'))
{
BIO_printf(bio_err,"RENEGOTIATING\n");
SSL_renegotiate(con);
cbuf_len=0;
}
else
{
cbuf_len=i;
cbuf_off=0;
#ifdef CHARSET_EBCDIC
ebcdic2ascii(cbuf, cbuf, i);
#endif
}
write_ssl=1;
read_tty=0;
}
}
shut:
SSL_shutdown(con);
SHUTDOWN(SSL_get_fd(con));
ret=0;
end:
if(prexit) print_stuff(bio_c_out,con,1);
if (con != NULL) SSL_free(con);
if (con2 != NULL) SSL_free(con2);
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
if (key)
EVP_PKEY_free(key);
if (pass)
OPENSSL_free(pass);
if (cbuf != NULL) {
OPENSSL_cleanse(cbuf,BUFSIZZ);
OPENSSL_free(cbuf);
}
if (sbuf != NULL) {
OPENSSL_cleanse(sbuf,BUFSIZZ);
OPENSSL_free(sbuf);
}
if (mbuf != NULL) {
OPENSSL_cleanse(mbuf,BUFSIZZ);
OPENSSL_free(mbuf);
}
if (bio_c_out != NULL)
{
BIO_free(bio_c_out);
bio_c_out=NULL;
}
apps_shutdown();
OPENSSL_EXIT(ret);
}
/* This function makes sure the certificate is still valid by not having any
* compromised certificates in the chain.
* If there is no Certificate Revocation List (CRL) it may be that the private
* keys have not been compromised or the CRL has not been generated by the
* Certificate Authority (CA)
*
* returns: 0 if certificate is valid, X509 store error code otherwise */
static int validate_certificate(void)
{
X509_LOOKUP *lookup = NULL;
X509_STORE_CTX *verify_ctx = NULL;
/* TODO: CRL and Chains are not required for the current setup, but we may
* implement them in the future
if (!crl) {
printf("No certificate revocation list provided\n");
}
if (!chain) {
printf("No certificate chain provided\n");
}
*/
/* create the cert store and set the verify callback */
if (!(store = X509_STORE_new())) {
fprintf(stderr, "Failed X509_STORE_new() for %s\n", CERTNAME);
goto error;
}
X509_STORE_set_verify_cb_func(store, verify_callback);
/* Add the certificates to be verified to the store */
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
fprintf(stderr, "Failed X509_STORE_add_lookup() for %s\n", CERTNAME);
goto error;
}
/* Load the our Root cert, which can be in either DER or PEM format */
if (!X509_load_cert_file(lookup, CERTNAME, X509_FILETYPE_PEM)) {
fprintf(stderr, "Failed X509_load_cert_file() for %s\n", CERTNAME);
goto error;
}
if (crl) {
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) ||
(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM) != 1)) {
fprintf(stderr, "Failed X509 crl init for %s\n", CERTNAME);
goto error;
}
/* set the flags of the store so that CLRs are consulted */
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
/* create a verification context and initialize it */
if (!(verify_ctx = X509_STORE_CTX_new())) {
fprintf(stderr, "Failed X509_STORE_CTX_new() for %s\n", CERTNAME);
goto error;
}
if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1) {
fprintf(stderr, "Failed X509_STORE_CTX_init() for %s\n", CERTNAME);
goto error;
}
/* Specify which cert to validate in the verify context.
* This is required because we may add multiple certs to the X509 store,
* but we want to validate a specific one out of the group/chain. */
X509_STORE_CTX_set_cert(verify_ctx, cert);
/* verify the certificate */
if (X509_verify_cert(verify_ctx) != 1) {
fprintf(stderr, "Failed X509_verify_cert() for %s\n", CERTNAME);
goto error;
}
X509_STORE_CTX_free(verify_ctx);
/* Certificate verified correctly */
return 0;
error:
ERR_print_errors_fp(stderr);
if (verify_ctx) {
X509_STORE_CTX_free(verify_ctx);
}
return verify_ctx->error;
}
/*
* Create a new TLS_CONTEXT instance.
*
* Returns: Pointer to TLS_CONTEXT instance on success
* NULL on failure;
*/
TLS_CONTEXT *new_tls_context(const char *ca_certfile,
const char *ca_certdir,
const char *crlfile,
const char *certfile,
const char *keyfile,
CRYPTO_PEM_PASSWD_CB *pem_callback,
const void *pem_userdata,
const char *dhfile,
bool verify_peer)
{
TLS_CONTEXT *ctx;
BIO *bio;
DH *dh;
ctx = (TLS_CONTEXT *)malloc(sizeof(TLS_CONTEXT));
/*
* Allocate our OpenSSL TLSv1 Context
*/
ctx->openssl = SSL_CTX_new(TLSv1_method());
if (!ctx->openssl) {
openssl_post_errors(M_FATAL, _("Error initializing SSL context"));
goto err;
}
/*
* Set up pem encryption callback
*/
if (pem_callback) {
ctx->pem_callback = pem_callback;
ctx->pem_userdata = pem_userdata;
} else {
ctx->pem_callback = crypto_default_pem_callback;
ctx->pem_userdata = NULL;
}
ctx->verify_peer = verify_peer;
SSL_CTX_set_default_passwd_cb(ctx->openssl, tls_pem_callback_dispatch);
SSL_CTX_set_default_passwd_cb_userdata(ctx->openssl, (void *) ctx);
/*
* Set certificate verification paths. This requires that at least one value be non-NULL
*/
if (ca_certfile || ca_certdir) {
if (!SSL_CTX_load_verify_locations(ctx->openssl, ca_certfile, ca_certdir)) {
openssl_post_errors(M_FATAL, _("Error loading certificate verification stores"));
goto err;
}
} else if (verify_peer) {
/* At least one CA is required for peer verification */
Jmsg0(NULL, M_ERROR, 0, _("Either a certificate file or a directory must be"
" specified as a verification store\n"));
goto err;
}
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
/*
* Set certificate revocation list.
*/
if (crlfile) {
X509_STORE *store;
X509_LOOKUP *lookup;
store = SSL_CTX_get_cert_store(ctx->openssl);
if (!store) {
openssl_post_errors(M_FATAL, _("Error loading revocation list file"));
goto err;
}
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_crl_reloader());
if (!lookup) {
openssl_post_errors(M_FATAL, _("Error loading revocation list file"));
goto err;
}
if (!load_new_crl_file(lookup, (char *)crlfile)) {
openssl_post_errors(M_FATAL, _("Error loading revocation list file"));
goto err;
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
#endif
/*
* Load our certificate file, if available. This file may also contain a
* private key, though this usage is somewhat unusual.
*/
if (certfile) {
if (!SSL_CTX_use_certificate_chain_file(ctx->openssl, certfile)) {
openssl_post_errors(M_FATAL, _("Error loading certificate file"));
goto err;
}
}
/*
* Load our private key.
*/
if (keyfile) {
if (!SSL_CTX_use_PrivateKey_file(ctx->openssl, keyfile, SSL_FILETYPE_PEM)) {
openssl_post_errors(M_FATAL, _("Error loading private key"));
goto err;
}
}
/*
* Load Diffie-Hellman Parameters.
*/
if (dhfile) {
if (!(bio = BIO_new_file(dhfile, "r"))) {
openssl_post_errors(M_FATAL, _("Unable to open DH parameters file"));
goto err;
}
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (!dh) {
openssl_post_errors(M_FATAL, _("Unable to load DH parameters from specified file"));
goto err;
}
if (!SSL_CTX_set_tmp_dh(ctx->openssl, dh)) {
openssl_post_errors(M_FATAL, _("Failed to set TLS Diffie-Hellman parameters"));
DH_free(dh);
goto err;
}
/*
* Enable Single-Use DH for Ephemeral Keying
*/
SSL_CTX_set_options(ctx->openssl, SSL_OP_SINGLE_DH_USE);
}
if (SSL_CTX_set_cipher_list(ctx->openssl, TLS_DEFAULT_CIPHERS) != 1) {
Jmsg0(NULL, M_ERROR, 0,
_("Error setting cipher list, no valid ciphers available\n"));
goto err;
}
/*
* Verify Peer Certificate
*/
if (verify_peer) {
/*
* SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect in client mode
*/
SSL_CTX_set_verify(ctx->openssl,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
openssl_verify_peer);
} else {
SSL_CTX_set_verify(ctx->openssl,
SSL_VERIFY_NONE,
NULL);
}
return ctx;
err:
/*
* Clean up after ourselves
*/
if (ctx->openssl) {
SSL_CTX_free(ctx->openssl);
}
free(ctx);
return NULL;
}
/*
* Create Global context SSL and use it in every new session
*
* - Load the trusted CAs
* - Load the Private key & the certificate
* - Set the Context options & Verify options
*/
static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
{
SSL_METHOD *meth;
SSL_CTX *ctx;
X509_STORE *certstore;
int verify_mode = SSL_VERIFY_NONE;
int ctx_options = 0;
int type;
/*
* Add all the default ciphers and message digests
* Create our context.
*/
SSL_library_init();
SSL_load_error_strings();
/*
* SHA256 is in all versions of OpenSSL, but isn't
* initialized by default. It's needed for WiMAX
* certificates.
*/
#ifdef HAVE_OPENSSL_EVP_SHA256
EVP_add_digest(EVP_sha256());
#endif
meth = TLSv1_method();
ctx = SSL_CTX_new(meth);
/*
* Identify the type of certificates that needs to be loaded
*/
if (conf->file_type) {
type = SSL_FILETYPE_PEM;
} else {
type = SSL_FILETYPE_ASN1;
}
/*
* Set the password to load private key
*/
if (conf->private_key_password) {
#ifdef __APPLE__
/*
* We don't want to put the private key password in eap.conf, so check
* for our special string which indicates we should get the password
* programmatically.
*/
const char* special_string = "Apple:UseCertAdmin";
if (strncmp(conf->private_key_password,
special_string,
strlen(special_string)) == 0)
{
char cmd[256];
const long max_password_len = 128;
snprintf(cmd, sizeof(cmd) - 1,
"/usr/sbin/certadmin --get-private-key-passphrase \"%s\"",
conf->private_key_file);
DEBUG2("rlm_eap: Getting private key passphrase using command \"%s\"", cmd);
FILE* cmd_pipe = popen(cmd, "r");
if (!cmd_pipe) {
radlog(L_ERR, "rlm_eap: %s command failed. Unable to get private_key_password", cmd);
radlog(L_ERR, "rlm_eap: Error reading private_key_file %s", conf->private_key_file);
return NULL;
}
free(conf->private_key_password);
conf->private_key_password = malloc(max_password_len * sizeof(char));
if (!conf->private_key_password) {
radlog(L_ERR, "rlm_eap: Can't malloc space for private_key_password");
radlog(L_ERR, "rlm_eap: Error reading private_key_file %s", conf->private_key_file);
pclose(cmd_pipe);
return NULL;
}
fgets(conf->private_key_password, max_password_len, cmd_pipe);
pclose(cmd_pipe);
/* Get rid of newline at end of password. */
conf->private_key_password[strlen(conf->private_key_password) - 1] = '\0';
DEBUG2("rlm_eap: Password from command = \"%s\"", conf->private_key_password);
}
#endif
SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->private_key_password);
SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
}
/*
* Load our keys and certificates
*
* If certificates are of type PEM then we can make use
* of cert chain authentication using openssl api call
* SSL_CTX_use_certificate_chain_file. Please see how
* the cert chain needs to be given in PEM from
* openSSL.org
*/
if (type == SSL_FILETYPE_PEM) {
if (!(SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file %s", conf->certificate_file);
return NULL;
}
} else if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file %s", conf->certificate_file);
return NULL;
}
/* Load the CAs we trust */
if (conf->ca_file || conf->ca_path) {
if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list %s",conf->ca_file );
return NULL;
}
}
if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
if (!(SSL_CTX_use_PrivateKey_file(ctx, conf->private_key_file, type))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading private key file %s", conf->private_key_file);
return NULL;
}
/*
* Check if the loaded private key is the right one
*/
if (!SSL_CTX_check_private_key(ctx)) {
radlog(L_ERR, "rlm_eap_tls: Private key does not match the certificate public key");
return NULL;
}
/*
* Set ctx_options
*/
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;
#ifdef SSL_OP_NO_TICKET
ctx_options |= SSL_OP_NO_TICKET ;
#endif
/*
* SSL_OP_SINGLE_DH_USE must be used in order to prevent
* small subgroup attacks and forward secrecy. Always
* using
*
* SSL_OP_SINGLE_DH_USE has an impact on the computer
* time needed during negotiation, but it is not very
* large.
*/
ctx_options |= SSL_OP_SINGLE_DH_USE;
/*
* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to work around issues
* in Windows Vista client.
* http://www.openssl.org/~bodo/tls-cbc.txt
* http://www.nabble.com/(RADIATOR)-Radiator-Version-3.16-released-t2600070.html
*/
ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
SSL_CTX_set_options(ctx, ctx_options);
/*
* TODO: Set the RSA & DH
* SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);
* SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
*/
/*
* set the message callback to identify the type of
* message. For every new session, there can be a
* different callback argument.
*
* SSL_CTX_set_msg_callback(ctx, cbtls_msg);
*/
/* Set Info callback */
SSL_CTX_set_info_callback(ctx, cbtls_info);
/*
* Callbacks, etc. for session resumption.
*/
if (conf->session_cache_enable) {
SSL_CTX_sess_set_new_cb(ctx, cbtls_new_session);
SSL_CTX_sess_set_get_cb(ctx, cbtls_get_session);
SSL_CTX_sess_set_remove_cb(ctx, cbtls_remove_session);
SSL_CTX_set_quiet_shutdown(ctx, 1);
}
/*
* Check the certificates for revocation.
*/
#ifdef X509_V_FLAG_CRL_CHECK
if (conf->check_crl) {
certstore = SSL_CTX_get_cert_store(ctx);
if (certstore == NULL) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading Certificate Store");
return NULL;
}
X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
}
#endif
/*
* Set verify modes
* Always verify the peer certificate
*/
verify_mode |= SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verify_mode |= SSL_VERIFY_CLIENT_ONCE;
SSL_CTX_set_verify(ctx, verify_mode, cbtls_verify);
if (conf->verify_depth) {
SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
}
/* Load randomness */
if (!(RAND_load_file(conf->random_file, 1024*1024))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error loading randomness");
return NULL;
}
/*
* Set the cipher list if we were told to
*/
if (conf->cipher_list) {
if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
radlog(L_ERR, "rlm_eap_tls: Error setting cipher list");
return NULL;
}
}
/*
* Setup session caching
*/
if (conf->session_cache_enable) {
/*
* Create a unique context Id per EAP-TLS configuration.
*/
if (conf->session_id_name) {
snprintf(conf->session_context_id,
sizeof(conf->session_context_id),
"FreeRADIUS EAP-TLS %s",
conf->session_id_name);
} else {
snprintf(conf->session_context_id,
sizeof(conf->session_context_id),
"FreeRADIUS EAP-TLS %p", conf);
}
/*
* Cache it, and DON'T auto-clear it.
*/
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);
SSL_CTX_set_session_id_context(ctx,
(unsigned char *) conf->session_context_id,
(unsigned int) strlen(conf->session_context_id));
/*
* Our timeout is in hours, this is in seconds.
*/
SSL_CTX_set_timeout(ctx, conf->session_timeout * 3600);
/*
* Set the maximum number of entries in the
* session cache.
*/
SSL_CTX_sess_set_cache_size(ctx, conf->session_cache_size);
} else {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
}
/*
* Register the application indices. We can't use
* hard-coded "0" and "1" as before, because we need to
* set up a "free" handler for the cached session
* information.
*/
if (eaptls_handle_idx < 0) {
eaptls_handle_idx = SSL_get_ex_new_index(0, &eaptls_handle_idx,
NULL, NULL, NULL);
}
if (eaptls_conf_idx < 0) {
eaptls_conf_idx = SSL_get_ex_new_index(0, &eaptls_conf_idx,
NULL, NULL, NULL);
}
if (eaptls_store_idx < 0) {
eaptls_store_idx = SSL_get_ex_new_index(0, "eaptls_store_idx",
NULL, NULL, NULL);
}
if (eaptls_session_idx < 0) {
eaptls_session_idx = SSL_get_ex_new_index(0, &eaptls_session_idx,
NULL, NULL,
eaptls_session_free);
}
return ctx;
}
/* XXX share code with x509_read_from_dir() ? */
int
x509_read_crls_from_dir(X509_STORE *ctx, char *name)
{
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
FILE *crlfp;
X509_CRL *crl;
struct stat sb;
char fullname[PATH_MAX];
char file[PATH_MAX];
int fd, off, size;
if (strlen(name) >= sizeof fullname - 1) {
log_print("x509_read_crls_from_dir: directory name too long");
return 0;
}
LOG_DBG((LOG_CRYPTO, 40, "x509_read_crls_from_dir: reading CRLs "
"from %s", name));
if (monitor_req_readdir(name) == -1) {
LOG_DBG((LOG_CRYPTO, 10, "x509_read_crls_from_dir: opendir "
"(\"%s\") failed: %s", name, strerror(errno)));
return 0;
}
strlcpy(fullname, name, sizeof fullname);
off = strlen(fullname);
size = sizeof fullname - off;
while ((fd = monitor_readdir(file, sizeof file)) != -1) {
LOG_DBG((LOG_CRYPTO, 60, "x509_read_crls_from_dir: reading "
"CRL %s", file));
if (fstat(fd, &sb) == -1) {
log_error("x509_read_crls_from_dir: fstat failed");
close(fd);
continue;
}
if (!S_ISREG(sb.st_mode)) {
close(fd);
continue;
}
if ((crlfp = fdopen(fd, "r")) == NULL) {
log_error("x509_read_crls_from_dir: fdopen failed");
close(fd);
continue;
}
crl = PEM_read_X509_CRL(crlfp, NULL, NULL, NULL);
fclose(crlfp);
if (crl == NULL) {
log_print("x509_read_crls_from_dir: "
"PEM_read_X509_CRL failed for %s",
file);
continue;
}
if (!X509_STORE_add_crl(ctx, crl)) {
LOG_DBG((LOG_CRYPTO, 50, "x509_read_crls_from_dir: "
"X509_STORE_add_crl failed for %s", file));
continue;
}
/*
* XXX This is to make x509_cert_validate set this (and
* XXX another) flag when validating certificates. Currently,
* XXX OpenSSL defaults to reject an otherwise valid
* XXX certificate (chain) if these flags are set but there
* XXX are no CRLs to check. The current workaround is to only
* XXX set the flags if we actually loaded some CRL data.
*/
X509_STORE_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
return 1;
}
/* This function makes sure the certificate is still valid by not having any
* compromised certificates in the chain.
* If there is no Certificate Revocation List (CRL) it may be that the private
* keys have not been compromised or the CRL has not been generated by the
* Certificate Authority (CA)
*
* returns: 0 if certificate is valid, X509 store error code otherwise */
static int validate_certificate(X509 *cert, const char *certificate_path, const char *crl)
{
X509_LOOKUP *lookup = NULL;
X509_STORE_CTX *verify_ctx = NULL;
//TODO: Implement a chain verification when required
/* create the cert store and set the verify callback */
if (!(store = X509_STORE_new())) {
error("Failed X509_STORE_new() for %s\n", certificate_path);
goto error;
}
X509_STORE_set_verify_cb_func(store, verify_callback);
if (X509_STORE_set_purpose(store, X509_PURPOSE_ANY) != 1) {
error("Failed X509_STORE_set_purpose() for %s\n", certificate_path);
goto error;
}
/* Add the certificates to be verified to the store */
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
error("Failed X509_STORE_add_lookup() for %s\n", certificate_path);
goto error;
}
/* Load the our Root cert, which can be in either DER or PEM format */
if (!X509_load_cert_file(lookup, certificate_path, X509_FILETYPE_PEM)) {
error("Failed X509_load_cert_file() for %s\n", certificate_path);
goto error;
}
if (crl) {
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) ||
(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM) != 1)) {
error("Failed X509 crl init for %s\n", certificate_path);
goto error;
}
/* set the flags of the store so that CLRs are consulted */
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
/* create a verification context and initialize it */
if (!(verify_ctx = X509_STORE_CTX_new())) {
error("Failed X509_STORE_CTX_new() for %s\n", certificate_path);
goto error;
}
if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1) {
error("Failed X509_STORE_CTX_init() for %s\n", certificate_path);
goto error;
}
/* Specify which cert to validate in the verify context.
* This is required because we may add multiple certs to the X509 store,
* but we want to validate a specific one out of the group/chain. */
X509_STORE_CTX_set_cert(verify_ctx, cert);
/* verify the certificate */
if (X509_verify_cert(verify_ctx) != 1) {
error("Failed X509_verify_cert() for %s\n", certificate_path);
goto error;
}
X509_STORE_CTX_free(verify_ctx);
if (validate_authority(cert) < 0) {
error("Failed to validate certificate using 'Authority Information Access'\n");
return -1;
}
/* Certificate verified correctly */
return 0;
error:
ERR_print_errors_fp(stderr);
if (verify_ctx) {
X509_STORE_CTX_free(verify_ctx);
}
return X509_STORE_CTX_get_error(verify_ctx);
}
