int main(int argc, char *argv[]) { char *delegation_id = "", *reqtxt, *certtxt, *valid = NULL, *cert = NULL, *key = NULL, *capath = NULL, *keycert, timestr[81], *vomsdir = "/etc/grid-security/vomsdir", *executable, *keytxt, *proxychain, *ptr, *p; struct ns__putProxyResponse *unused = NULL; struct tm *finish_tm; int option_index, c, noverify = 0, i, ret, method = HTPROXY_PUT, verbose = 0, fd, minutes; struct soap soap_get, soap_put; struct ns__getNewProxyReqResponse getNewProxyReqResponse; struct ns__renewProxyReqResponse renewProxyReqResponse; struct ns__destroyResponse destroyResponse; struct ns__getTerminationTimeResponse getTerminationTimeResponse; FILE *ifp, *ofp; STACK_OF(X509) *x509_certstack; X509 *x509_cert; BIO *certmem; GRSTx509Chain *grst_chain = NULL; GRSTx509Cert *grst_cert = NULL; long ptrlen; struct stat statbuf; struct passwd *userpasswd; struct option long_options[] = { {"verbose", 0, 0, 'v'}, {"cert", 1, 0, 0}, {"key", 1, 0, 0}, {"capath", 1, 0, 0}, {"destroy", 0, 0, 0}, {"time", 0, 0, 0}, {"no-verify", 0, 0, 0}, {"valid", 1, 0, 0}, {"delegation-id",1, 0, 0}, {"put", 0, 0, 0}, {"renew", 0, 0, 0}, {"unixtime", 0, 0, 0}, {"make", 0, 0, 0}, {"info", 0, 0, 0}, {0, 0, 0, 0} }; if (argc == 1) { printsyntax(argv[0]); return 0; } while (1) { option_index = 0; c = getopt_long(argc, argv, "v", long_options, &option_index); if (c == -1) break; else if (c == 0) { if (option_index == 1) cert = optarg; else if (option_index == 2) key = optarg; else if (option_index == 3) capath = optarg; else if (option_index == 4) method = HTPROXY_DESTROY; else if (option_index == 5) method = HTPROXY_TIME; else if (option_index == 6) noverify = 1; else if (option_index == 7) valid = optarg; else if (option_index == 8) delegation_id = optarg; else if (option_index == 9) method = HTPROXY_PUT; else if (option_index == 10) method = HTPROXY_RENEW; else if (option_index == 11) method = HTPROXY_UNIXTIME; else if (option_index == 12) method = HTPROXY_MAKE; else if (option_index == 13) method = HTPROXY_INFO; } else if (c == 'v') { GRSTerrorLogFunc = htproxy_logfunc; ++verbose; } } executable = rindex(argv[0], '/'); if (executable != NULL) executable++; else executable = argv[0]; if (strcmp(executable, "htproxydestroy") == 0) method = HTPROXY_DESTROY; else if (strcmp(executable, "htproxyrenew") == 0) method = HTPROXY_RENEW; else if (strcmp(executable, "htproxytime") == 0) method = HTPROXY_TIME; else if (strcmp(executable, "htproxyunixtime") == 0) method = HTPROXY_UNIXTIME; else if (strcmp(executable, "htproxymake") == 0) method = HTPROXY_MAKE; else if (strcmp(executable, "htproxyinfo") == 0) method = HTPROXY_INFO; if ((method != HTPROXY_MAKE) && (method != HTPROXY_INFO) && (optind + 1 != argc)) { fprintf(stderr, "Must specify a delegation service URL!\n"); return 1; } if ((method == HTPROXY_RENEW) && (delegation_id[0] == '\0')) { fprintf(stderr, "Must give a Delegation ID when renewing\n"); return 1; } if (valid == NULL) minutes = 60 * 12; else minutes = atoi(valid); if (verbose) fprintf(stderr, "Proxy valid for %d minutes\n", minutes); ERR_load_crypto_strings (); OpenSSL_add_all_algorithms(); if ((cert == NULL) && (key != NULL)) cert = key; else if ((cert != NULL) && (key == NULL)) key = cert; else if ((cert == NULL) && (key == NULL)) { if (method != HTPROXY_MAKE) cert = getenv("X509_USER_PROXY"); if (cert != NULL) key = cert; else { if (method != HTPROXY_MAKE) asprintf(&(cert), "/tmp/x509up_u%d", geteuid()); /* one fine day, we will check the proxy file for expiry too to avoid suprises when we try to use it ... */ if (stat(cert, &statbuf) == 0) key = cert; else if (method != HTPROXY_INFO) { cert = getenv("X509_USER_CERT"); key = getenv("X509_USER_KEY"); userpasswd = getpwuid(geteuid()); if ((cert == NULL) && (userpasswd != NULL) && (userpasswd->pw_dir != NULL)) asprintf(&(cert), "%s/.globus/usercert.pem", userpasswd->pw_dir); if ((key == NULL) && (userpasswd != NULL) && (userpasswd->pw_dir != NULL)) asprintf(&(key), "%s/.globus/userkey.pem", userpasswd->pw_dir); } } } if (capath == NULL) capath = getenv("X509_CERT_DIR"); if (capath == NULL) capath = "/etc/grid-security/certificates"; if (verbose) fprintf(stderr, "key=%s\ncert=%s\ncapath=%s\n", key, cert, capath); if ((key != NULL) && (cert != NULL) && (strcmp(key, cert) != 0)) /* we have to concatenate for gSOAP */ { keycert = strdup("/tmp/.XXXXXX"); fd = mkstemp(keycert); ofp = fdopen(fd, "w"); if (!ofp) { fprintf(stderr, "Cannot open tmp file for the key\n"); return 1; } ifp = fopen(key, "r"); { fprintf(stderr, "Cannot open the file with the key\n"); return 1; } while ((c = fgetc(ifp)) != EOF) fputc(c, ofp); fclose(ifp); ifp = fopen(cert, "r"); { fprintf(stderr, "Cannot open the file with the cert\n"); return 1; } while ((c = fgetc(ifp)) != EOF) fputc(c, ofp); fclose(ifp); fclose(ofp); if (verbose) fprintf(stderr, "Created %s key/cert file\n", keycert); } else keycert = key; if ((method == HTPROXY_PUT) || (method == HTPROXY_RENEW)) { if (verbose) { fprintf(stderr, "Using SOAP delegation protocol\n"); fprintf(stderr, "Delegation-ID: %s\n", delegation_id); } soap_init(&soap_get); if (soap_ssl_client_context(&soap_get, SOAP_SSL_DEFAULT, keycert, "", NULL, capath, NULL)) { soap_print_fault(&soap_get, stderr); return 1; } if ((method == HTPROXY_RENEW) && (delegation_id[0] != '\0')) { if (verbose) fprintf(stderr, "Send renewProxyReq to service\n"); soap_call_ns__renewProxyReq(&soap_get, argv[optind], /* HTTPS url of service */ "http://www.gridsite.org/namespaces/delegation-1", delegation_id, &renewProxyReqResponse); if (soap_get.error) { soap_print_fault(&soap_get, stderr); return 1; } reqtxt = renewProxyReqResponse._renewProxyReqReturn; } else { if (verbose) fprintf(stderr, "Send getNewProxyReq to service\n"); soap_call_ns__getNewProxyReq(&soap_get, argv[optind], /* HTTPS url of service */ "http://www.gridsite.org/namespaces/delegation-1", &getNewProxyReqResponse); if (soap_get.error) { soap_print_fault(&soap_get, stderr); return 1; } if (!getNewProxyReqResponse.getNewProxyReqReturn) { fprintf(stderr, "Empty response from getNewProxyReq\n"); return 1; } reqtxt = getNewProxyReqResponse.getNewProxyReqReturn->proxyRequest; delegation_id = getNewProxyReqResponse.getNewProxyReqReturn->delegationID; } if (verbose) fprintf(stderr, "reqtxt:\n%s", reqtxt); if (GRSTx509MakeProxyCert(&certtxt, stderr, reqtxt, cert, key, minutes) != GRST_RET_OK) { return 1; } soap_init(&soap_put); if (verbose) fprintf(stderr, "Send putProxy to service:\n%s\n", certtxt); if (soap_ssl_client_context(&soap_put, SOAP_SSL_DEFAULT, keycert, "", NULL, capath, NULL)) { soap_print_fault(&soap_put, stderr); return 1; } soap_call_ns__putProxy(&soap_put, argv[optind], "http://www.gridsite.org/namespaces/delegation-1", delegation_id, certtxt, unused); if (soap_put.error) { soap_print_fault(&soap_put, stderr); return 1; } puts(delegation_id); return 0; } else if (method == HTPROXY_DESTROY) { if (verbose) { fprintf(stderr, "Using SOAP proxy destroy protocol\n"); fprintf(stderr, "Delegation-ID: %s\n", delegation_id); } soap_init(&soap_put); if (verbose) fprintf(stderr, "Send destroy to service:\n"); if (soap_ssl_client_context(&soap_put, SOAP_SSL_DEFAULT, keycert, "", NULL, capath, NULL)) { soap_print_fault(&soap_put, stderr); return 1; } soap_call_ns__destroy(&soap_put, argv[optind], "http://www.gridsite.org/namespaces/delegation-1", delegation_id, &destroyResponse); if (soap_put.error) { soap_print_fault(&soap_put, stderr); return 1; } return 0; } else if ((method == HTPROXY_TIME) || (method == HTPROXY_UNIXTIME)) { if (verbose) { fprintf(stderr, "Using SOAP proxy get expiration time protocol\n"); fprintf(stderr, "Delegation-ID: %s\n", delegation_id); } soap_init(&soap_put); if (verbose) fprintf(stderr, "Send get time to service:\n"); if (soap_ssl_client_context(&soap_put, SOAP_SSL_DEFAULT, keycert, "", NULL, capath, NULL)) { soap_print_fault(&soap_put, stderr); return 1; } soap_call_ns__getTerminationTime(&soap_put, argv[optind], "http://www.gridsite.org/namespaces/delegation-1", delegation_id, &getTerminationTimeResponse); if (soap_put.error) { soap_print_fault(&soap_put, stderr); return 1; } if (method == HTPROXY_UNIXTIME) printf("%ld\n", getTerminationTimeResponse._getTerminationTimeReturn); else { finish_tm = localtime(&(getTerminationTimeResponse._getTerminationTimeReturn)); strftime(timestr, sizeof(timestr), "%a %b %e %H:%M:%S %Z %Y\n", finish_tm); fputs(timestr, stdout); } return 0; } else if (method == HTPROXY_MAKE) #ifdef HT_LEAK_TEST { int ii; FILE *ffpp; char lineline[80]; for (ii=0; ii < 1000; ++ii) #endif { if (GRSTx509CreateProxyRequestKS(&reqtxt, &keytxt, NULL, 0) != GRST_RET_OK) { fprintf(stderr, "Failed to create internal proxy cert request\n"); return 1; } #ifdef HT_LEAK_TEST ffpp = fopen("/proc/self/statm", "r"); fgets(lineline, sizeof(lineline), ffpp); fprintf(stderr, "%d a %s", ii, lineline); fclose(ffpp); #endif if (GRSTx509MakeProxyCert(&proxychain, NULL, reqtxt, cert, key, minutes) != GRST_RET_OK) { fprintf(stderr, "Failed to sign internal proxy cert request\n"); return 2; } #ifdef HT_LEAK_TEST ffpp = fopen("/proc/self/statm", "r"); fgets(lineline, sizeof(lineline), ffpp); fprintf(stderr, "%d b %s", ii, lineline); fclose(ffpp); #endif /* convert back to cert stack so can output in the right order */ if (GRSTx509StringToChain(&x509_certstack, proxychain) != GRST_RET_OK) { fprintf(stderr, "Failed to convert internal proxy chain\n"); return 3; } #ifdef HT_LEAK_TEST ffpp = fopen("/proc/self/statm", "r"); fgets(lineline, sizeof(lineline), ffpp); fprintf(stderr, "%d c %s", ii, lineline); fclose(ffpp); #endif /* just the proxy certificate we have created */ if ((x509_cert = sk_X509_value(x509_certstack, 0))) { certmem = BIO_new(BIO_s_mem()); if (PEM_write_bio_X509(certmem, x509_cert) == 1) { ptrlen = BIO_get_mem_data(certmem, &ptr); fwrite(ptr, 1, ptrlen, stdout); } BIO_free(certmem); } #ifdef HT_LEAK_TEST ffpp = fopen("/proc/self/statm", "r"); fgets(lineline, sizeof(lineline), ffpp); fprintf(stderr, "%d d %s", ii, lineline); fclose(ffpp); #endif /* then the private key */ fputs(keytxt, stdout); /* and only now the rest of the certificates */ for (i=1; i <= sk_X509_num(x509_certstack) - 1; ++i) /* loop through the proxy chain starting at 2nd most recent proxy */ { if ((x509_cert = sk_X509_value(x509_certstack, i))) { certmem = BIO_new(BIO_s_mem()); if (PEM_write_bio_X509(certmem, x509_cert) == 1) { ptrlen = BIO_get_mem_data(certmem, &ptr); fwrite(ptr, 1, ptrlen, stdout); } BIO_free(certmem); } } #ifdef HT_LEAK_TEST ffpp = fopen("/proc/self/statm", "r"); fgets(lineline, sizeof(lineline), ffpp); fprintf(stderr, "%d e %s", ii, lineline); fclose(ffpp); #endif free(proxychain); free(keytxt); free(reqtxt); sk_X509_free(x509_certstack); #ifdef HT_LEAK_TEST ffpp = fopen("/proc/self/statm", "r"); fgets(lineline, sizeof(lineline), ffpp); fprintf(stderr, "%d f %s", ii, lineline); fclose(ffpp); } #endif return 0; } else if (method == HTPROXY_INFO) { if (cert != NULL) { if (verbose) fprintf(stderr, "Getting proxy info from %s\n", cert); ifp = fopen(cert, "r"); if (ifp == NULL) { fprintf(stderr, "Failed to open proxy file\n"); return 2; } } else { if (verbose) fprintf(stderr, "Getting proxy info from stdin\n"); ifp = stdin; } ptrlen = 4096; ptr = malloc(ptrlen); i = 0; while ((c = fgetc(ifp)) != EOF) { ptr[i] = c; ++i; if (i >= ptrlen) { ptrlen += 4096; ptr = realloc(ptr, ptrlen); } } ptr[i] = '\0'; if (cert != NULL) fclose(ifp); if ((GRSTx509StringToChain(&x509_certstack, ptr) != GRST_RET_OK) || (x509_certstack == NULL)) { fprintf(stderr, "Failed to parse proxy file for certificate chain\n"); free(ptr); return 2; } free(ptr); if (verbose) fprintf(stderr, "Parsing certificate chain\n"); ret = GRSTx509ChainLoadCheck(&grst_chain, x509_certstack, NULL, capath, vomsdir); if ((ret != GRST_RET_OK) || (grst_chain == NULL) || (grst_chain->firstcert == NULL)) { fprintf(stderr, "Failed parsing certificate chain\n"); return 3; } grst_cert = grst_chain->firstcert; for (i=0; grst_cert != NULL; grst_cert = grst_cert->next, ++i) { if (grst_cert->type == GRST_CERT_TYPE_CA) p = "(CA) "; else if (grst_cert->type == GRST_CERT_TYPE_EEC) p = "(EEC) "; else if (grst_cert->type == GRST_CERT_TYPE_PROXY) p = "(PC) "; else if (grst_cert->type == GRST_CERT_TYPE_VOMS) p = "(AC) "; else p = ""; printf("%d %s%s\n", i, p, (grst_cert->type == GRST_CERT_TYPE_VOMS) ? grst_cert->value : grst_cert->dn); printf(" Status : %d ( %s%s%s%s%s%s)\n", grst_cert->errors, (grst_cert->errors == 0) ? "OK " : "", (grst_cert->errors & GRST_CERT_BAD_FORMAT) ? "BAD_FORMAT ":"", (grst_cert->errors & GRST_CERT_BAD_CHAIN) ? "BAD_CHAIN ":"", (grst_cert->errors & GRST_CERT_BAD_SIG) ? "BAD_SIG ":"", (grst_cert->errors & GRST_CERT_BAD_TIME) ? "BAD_TIME ":"", (grst_cert->errors & GRST_CERT_BAD_OCSP) ? "BAD_OCSP ":""); printf(" Start : %s", ctime(&(grst_cert->notbefore))); printf(" Finish : %s", ctime(&(grst_cert->notafter))); printf(" Delegation : %d\n", grst_cert->delegation); if (grst_cert->type == GRST_CERT_TYPE_VOMS) { printf(" User DN : %s\n", grst_cert->dn); printf(" VOMS DN : %s\n\n", grst_cert->issuer); } else { printf(" Serial : %s\n", grst_cert->serial); printf(" Issuer : %s\n\n", grst_cert->issuer); } } GRSTx509ChainFree(grst_chain); } /* weirdness */ }
/* * OSSL library init */ void Init_openssl() { /* * Init timezone info */ #if 0 tzset(); #endif /* * Init all digests, ciphers */ /* CRYPTO_malloc_init(); */ /* ENGINE_load_builtin_engines(); */ OpenSSL_add_ssl_algorithms(); OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); SSL_load_error_strings(); /* * FIXME: * On unload do: */ #if 0 CONF_modules_unload(1); destroy_ui_method(); EVP_cleanup(); ENGINE_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); ERR_free_strings(); #endif /* * Init main module */ mOSSL = rb_define_module("OpenSSL"); /* * Constants */ rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION)); rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT)); rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER)); /* * Generic error, * common for all classes under OpenSSL module */ eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError); /* * Verify callback Proc index for ext-data */ if ((ossl_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, (void *)"ossl_verify_cb_idx", 0, 0, 0)) < 0) ossl_raise(eOSSLError, "X509_STORE_CTX_get_ex_new_index"); /* * Init debug core */ dOSSL = Qfalse; rb_define_module_function(mOSSL, "debug", ossl_debug_get, 0); rb_define_module_function(mOSSL, "debug=", ossl_debug_set, 1); rb_define_module_function(mOSSL, "errors", ossl_get_errors, 0); /* * Get ID of to_der */ ossl_s_to_der = rb_intern("to_der"); /* * Init components */ Init_ossl_bn(); Init_ossl_cipher(); Init_ossl_config(); Init_ossl_digest(); Init_ossl_hmac(); Init_ossl_ns_spki(); Init_ossl_pkcs12(); Init_ossl_pkcs7(); Init_ossl_pkcs5(); Init_ossl_pkey(); Init_ossl_rand(); Init_ossl_ssl(); Init_ossl_x509(); Init_ossl_ocsp(); Init_ossl_engine(); Init_ossl_asn1(); }
int main(int argc, char **argv) { Buffer b; Options options; #define NUM_KEYTYPES 3 Key *keys[NUM_KEYTYPES], *key = NULL; struct passwd *pw; int key_fd[NUM_KEYTYPES], i, found, version = 2, fd; u_char *signature, *data; char *host; u_int slen, dlen; u_int32_t rnd[256]; /* Ensure that stdin and stdout are connected */ if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) exit(1); /* Leave /dev/null fd iff it is attached to stderr */ if (fd > 2) close(fd); i = 0; key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); original_real_uid = getuid(); /* XXX readconf.c needs this */ if ((pw = getpwuid(original_real_uid)) == NULL) fatal("getpwuid failed"); pw = pwcopy(pw); permanently_set_uid(pw); #ifdef DEBUG_SSH_KEYSIGN log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); #endif /* verify that ssh-keysign is enabled by the admin */ initialize_options(&options); (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0); fill_default_options(&options); if (options.enable_ssh_keysign != 1) fatal("ssh-keysign not enabled in %s", _PATH_HOST_CONFIG_FILE); for (i = found = 0; i < NUM_KEYTYPES; i++) { if (key_fd[i] != -1) found = 1; } if (found == 0) fatal("could not open any host key"); OpenSSL_add_all_algorithms(); for (i = 0; i < 256; i++) rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); found = 0; for (i = 0; i < NUM_KEYTYPES; i++) { keys[i] = NULL; if (key_fd[i] == -1) continue; keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC, NULL, NULL); close(key_fd[i]); if (keys[i] != NULL) found = 1; } if (!found) fatal("no hostkey found"); buffer_init(&b); if (ssh_msg_recv(STDIN_FILENO, &b) < 0) fatal("ssh_msg_recv failed"); if (buffer_get_char(&b) != version) fatal("bad version"); fd = buffer_get_int(&b); if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO)) fatal("bad fd"); if ((host = get_local_name(fd)) == NULL) fatal("cannot get local name for fd"); data = buffer_get_string(&b, &dlen); if (valid_request(pw, host, &key, data, dlen) < 0) fatal("not a valid request"); xfree(host); found = 0; for (i = 0; i < NUM_KEYTYPES; i++) { if (keys[i] != NULL && key_equal_public(key, keys[i])) { found = 1; break; } } if (!found) fatal("no matching hostkey found"); if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) fatal("key_sign failed"); xfree(data); /* send reply */ buffer_clear(&b); buffer_put_string(&b, signature, slen); if (ssh_msg_send(STDOUT_FILENO, version, &b) == -1) fatal("ssh_msg_send failed"); return (0); }
int main(int argc, char **argv) { int sockfd, len; struct sockaddr_in dest; char buffer[MAXBUF + 1]; SSL_CTX *ctx; SSL *ssl; if (argc != 3) { printf("参数格式错误!正确用法如下:\n\t\t%s IP地址 端口\n\t比如:\t%s 127.0.0.1 80\n此程序用来从某个" "IP 地址的服务器某个端口接收最多 MAXBUF 个字节的消息", argv[0], argv[0]); exit(0); } SSL_library_init(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); ctx = SSL_CTX_new(SSLv23_client_method()); if (ctx == NULL) { ERR_print_errors_fp(stdout); exit(1); } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("Socket"); exit(errno); } printf("socket created\n"); bzero(&dest, sizeof(dest)); dest.sin_family = AF_INET; dest.sin_port = htons(atoi(argv[2])); if (inet_aton(argv[1], (struct in_addr *) &dest.sin_addr.s_addr) == 0) { perror(argv[1]); exit(errno); } printf("address created\n"); if (connect(sockfd, (struct sockaddr *) &dest, sizeof(dest)) != 0) { perror("Connect "); exit(errno); } printf("server connected\n"); ssl = SSL_new(ctx); SSL_set_fd(ssl, sockfd); if (SSL_connect(ssl) == -1) ERR_print_errors_fp(stderr); else { printf("Connected with %s encryption\n", SSL_get_cipher(ssl)); ShowCerts(ssl); } bzero(buffer, MAXBUF + 1); len = SSL_read(ssl, buffer, MAXBUF); if (len > 0) printf("接收消息成功:'%s',共%d个字节的数据\n", buffer, len); else { printf ("消息接收失败!错误代码是%d,错误信息是'%s'\n", errno, strerror(errno)); goto finish; } bzero(buffer, MAXBUF + 1); strcpy(buffer, "from client->server"); len = SSL_write(ssl, buffer, strlen(buffer)); if (len < 0) printf ("消息'%s'发送失败!错误代码是%d,错误信息是'%s'\n", buffer, errno, strerror(errno)); else printf("消息'%s'发送成功,共发送了%d个字节!\n", buffer, len); finish: SSL_shutdown(ssl); SSL_free(ssl); close(sockfd); SSL_CTX_free(ctx); return 0; }
/** * init module function * return value: -1: error * 0: else */ static int mod_init(void) { LM_INFO("initializing ...\n"); OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); if(!caList) { LM_ERR("caList not set\n"); return 0; } if(!privKey) { LM_ERR("modparam privKey not set\n"); return 0; } if(!authCert) { LM_ERR("param authCert not set\n"); return 0; } if(!verCert) { LM_ERR("verCert not set\n"); return 0; } if(useCrls && (!crlList)) { LM_ERR("useCrls=1 and crlList not set\n"); return 0; } if(!setAuthCertPeriod()) { LM_ERR("initialization failed\n"); return -1; } if(!readPrivKey()) { LM_ERR("initialization failed\n"); return -1; } if(!certUri) { LM_ERR("certUri not set\n"); return -1; } if(!initVerCertWithSlash()) { LM_ERR("initialization failed\n"); return -1; } if(!prepareCertValidation()) { LM_ERR("initialization failed\n"); return -1; } return 0; }
int main(int argc, char** argv) { char *psw, *infile, *dict, *nt, *msgintstring, quiet, isdict, isbrute, *swl_min, *swl_max, *scs, *ics, *base; int c; unsigned long long *count; int wordlength_min = MINWORDLENGTH; int wordlength_max = 0; quiet = 1; psw = NULL; infile = NULL; dict = NULL; nt = NULL; msgintstring = NULL; scs = NULL; ics = NULL; nt = NULL; isdict = 0; isbrute = 0; swl_min = NULL; swl_max = NULL; base = NULL; nthreads = sysconf (_SC_NPROCESSORS_ONLN); nthreads_total = sysconf (_SC_NPROCESSORS_ONLN); while ((c = getopt (argc, argv, "t:d:s:vbm:M:c:")) != -1) switch (c) { case 'b': isbrute = 1; break; case 'M': isbrute = 1; swl_max = optarg; break; case 'm': isbrute = 1; swl_min = optarg; break; case 'c': scs = optarg; break; case 's': ics = optarg; break; case 'd': isdict = 1; dict = optarg; break; case 't': nt = optarg; break; case 'v': quiet = 0; break; case '?': if (optopt == 't' || optopt == 'd' || optopt == 's') { fprintf (stderr, "Option -%c requires an argument.\n", optopt); } default: usage(); } if (!isdict && !isbrute) { fprintf(stderr,"Error: Choose at least one attack type (-d for dictionary attack or -b for brute force attack)\n\n"); usage(); } if (ics != NULL && scs != NULL) { fprintf(stderr,"-c and -s are not compatible flags\n\n"); usage(); } if (optind != argc-1) usage(); else infile = argv[optind]; if (isdict == 1 && dict == NULL) { fprintf(stderr,"Error: No dictionary file specified\n\n"); usage(); } if (swl_min != NULL) { wordlength_min = strtol(swl_min, NULL, 10); if (errno == EINVAL) usage(); if (wordlength_min < MINWORDLENGTH) { wordlength_min = MINWORDLENGTH; printf("\nForcing min word length to %d\n\n",wordlength_min); } } else wordlength_min = DEFAULTMINWORDLENGTH; if (swl_max != NULL) { wordlength_max = strtol(swl_max, NULL, 10); if (errno == EINVAL) usage(); if (wordlength_max > MAXWORDLENGTH) { wordlength_max = MAXWORDLENGTH; printf("\nForcing max word length to %d\n\n",wordlength_max); } } else wordlength_max = DEFAULTMAXWORDLENGTH; if (wordlength_min > wordlength_max) { if (swl_min != NULL && swl_max != NULL) { fprintf(stderr,"Error: Min length is greater than max length\n\n"); usage(); } else if (swl_min != NULL && swl_max == NULL) wordlength_max = wordlength_min; else if (swl_min == NULL && swl_max != NULL) wordlength_min = wordlength_max; } if (isbrute) { if (ics != NULL) { base = ics; } else { if (scs == NULL) scs = "x"; // by default all character sets base = getbase(scs); if (base == NULL) usage(); } } else if (scs != NULL || ics != NULL) { printf("-c and -s flags require -b, -m or -M flags\n"); usage(); } if (nt != NULL) { nthreads = strtol(nt, NULL, 10); if (errno == EINVAL) usage(); } if (!quiet) nthreads_total++; OpenSSL_add_all_algorithms(); pthread_t *thread = (pthread_t *) calloc(nthreads_total,sizeof(pthread_t)); int *thread_ret = (int *) calloc(nthreads_total, sizeof(int)); pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; count = calloc(nthreads, sizeof(unsigned long long)); int i; if (isdict) { // Opening dictionary file FILE *dictfile = fopen(dict,"r"); if (!dictfile) { fprintf(stderr,"Dictionary file not found: %s\n",dict); exit(20); } workerdict *wthread = (workerdict *) calloc(nthreads,sizeof(workerdict)); printf("\nDictionary attack - Starting %d threads\n",nthreads); for (i=0; i<nthreads; i++) { wthread[i].id = i; wthread[i].m = &mutex; wthread[i].dictfile = dictfile; wthread[i].file2crack = infile; wthread[i].quiet = quiet; wthread[i].count = count+i; thread_ret[i] = pthread_create( &thread[i], NULL, work_dict, (void*) &wthread[i]); } if (!quiet) pthread_create(&thread[i], NULL, print_output, (void*) count); for (i=0; i<nthreads_total; i++) { pthread_join(thread[i], NULL); } if (!quiet) sleep(ELAPSEDSECONDS); printf("\nDictionary attack - Exhausted search\n"); } if (isbrute) { workerbrute *wthread = (workerbrute *) calloc(nthreads,sizeof(workerbrute)); printf("\nBrute force attack - Starting %d threads\n",nthreads); printf("\nAlphabet: %s", base); if (strchr(base,' ') != NULL) printf(" <(including blank)>"); printf("\nMin length: %d", wordlength_min); if (swl_min == NULL) printf(" [default]"); printf("\nMax length: %d", wordlength_max); if (swl_max == NULL) printf(" [default]"); printf("\nUse -m and -M flags to modify these values.\n"); for (i=0; i<nthreads; i++) { wthread[i].id = i; wthread[i].wordlength_min = wordlength_min; wthread[i].wordlength = wordlength_max; wthread[i].word = (char *) calloc(wordlength_max, sizeof(char)); wthread[i].base = base; wthread[i].baselength = strlen(base); wthread[i].m = &mutex; wthread[i].file2crack = infile; wthread[i].quiet = quiet; wthread[i].count = count+i; thread_ret[i] = pthread_create( &thread[i], NULL, work_brute, (void*) &wthread[i]); } if (!quiet) pthread_create(&thread[i], NULL, print_output, (void*) count); for (i=0; i<nthreads_total; i++) pthread_join(thread[i], NULL); if (!quiet) sleep(ELAPSEDSECONDS); printf("\nBrute force attack - Exhausted search\n"); } printf("\nNo password found\n\n"); pthread_exit(NULL); exit(0); }
int main(int argc, char **argv) { int r; struct evhttp_uri *http_uri = NULL; const char *url = NULL, *data_file = NULL; const char *crt = "/etc/ssl/certs/ca-certificates.crt"; const char *scheme, *host, *path, *query; char uri[256]; int port; int retries = 0; int timeout = -1; SSL_CTX *ssl_ctx = NULL; SSL *ssl = NULL; struct bufferevent *bev; struct evhttp_connection *evcon = NULL; struct evhttp_request *req; struct evkeyvalq *output_headers; struct evbuffer *output_buffer; int i; int ret = 0; enum { HTTP, HTTPS } type = HTTP; for (i = 1; i < argc; i++) { if (!strcmp("-url", argv[i])) { if (i < argc - 1) { url = argv[i + 1]; } else { syntax(); goto error; } } else if (!strcmp("-crt", argv[i])) { if (i < argc - 1) { crt = argv[i + 1]; } else { syntax(); goto error; } } else if (!strcmp("-ignore-cert", argv[i])) { ignore_cert = 1; } else if (!strcmp("-data", argv[i])) { if (i < argc - 1) { data_file = argv[i + 1]; } else { syntax(); goto error; } } else if (!strcmp("-retries", argv[i])) { if (i < argc - 1) { retries = atoi(argv[i + 1]); } else { syntax(); goto error; } } else if (!strcmp("-timeout", argv[i])) { if (i < argc - 1) { timeout = atoi(argv[i + 1]); } else { syntax(); goto error; } } else if (!strcmp("-help", argv[i])) { syntax(); goto error; } } if (!url) { syntax(); goto error; } #ifdef _WIN32 { WORD wVersionRequested; WSADATA wsaData; int err; wVersionRequested = MAKEWORD(2, 2); err = WSAStartup(wVersionRequested, &wsaData); if (err != 0) { printf("WSAStartup failed with error: %d\n", err); goto error; } } #endif // _WIN32 http_uri = evhttp_uri_parse(url); if (http_uri == NULL) { err("malformed url"); goto error; } scheme = evhttp_uri_get_scheme(http_uri); if (scheme == NULL || (strcasecmp(scheme, "https") != 0 && strcasecmp(scheme, "http") != 0)) { err("url must be http or https"); goto error; } host = evhttp_uri_get_host(http_uri); if (host == NULL) { err("url must have a host"); goto error; } port = evhttp_uri_get_port(http_uri); if (port == -1) { port = (strcasecmp(scheme, "http") == 0) ? 80 : 443; } path = evhttp_uri_get_path(http_uri); if (strlen(path) == 0) { path = "/"; } query = evhttp_uri_get_query(http_uri); if (query == NULL) { snprintf(uri, sizeof(uri) - 1, "%s", path); } else { snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query); } uri[sizeof(uri) - 1] = '\0'; #if OPENSSL_VERSION_NUMBER < 0x10100000L // Initialize OpenSSL SSL_library_init(); ERR_load_crypto_strings(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); #endif /* This isn't strictly necessary... OpenSSL performs RAND_poll * automatically on first use of random number generator. */ r = RAND_poll(); if (r == 0) { err_openssl("RAND_poll"); goto error; } /* Create a new OpenSSL context */ ssl_ctx = SSL_CTX_new(SSLv23_method()); if (!ssl_ctx) { err_openssl("SSL_CTX_new"); goto error; } #ifndef _WIN32 /* TODO: Add certificate loading on Windows as well */ /* Attempt to use the system's trusted root certificates. * (This path is only valid for Debian-based systems.) */ if (1 != SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL)) { err_openssl("SSL_CTX_load_verify_locations"); goto error; } /* Ask OpenSSL to verify the server certificate. Note that this * does NOT include verifying that the hostname is correct. * So, by itself, this means anyone with any legitimate * CA-issued certificate for any website, can impersonate any * other website in the world. This is not good. See "The * Most Dangerous Code in the World" article at * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html */ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); /* This is how we solve the problem mentioned in the previous * comment. We "wrap" OpenSSL's validation routine in our * own routine, which also validates the hostname by calling * the code provided by iSECPartners. Note that even though * the "Everything You've Always Wanted to Know About * Certificate Validation With OpenSSL (But Were Afraid to * Ask)" paper from iSECPartners says very explicitly not to * call SSL_CTX_set_cert_verify_callback (at the bottom of * page 2), what we're doing here is safe because our * cert_verify_callback() calls X509_verify_cert(), which is * OpenSSL's built-in routine which would have been called if * we hadn't set the callback. Therefore, we're just * "wrapping" OpenSSL's routine, not replacing it. */ SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback, (void *) host); #else // _WIN32 (void)crt; #endif // _WIN32 // Create event base base = event_base_new(); if (!base) { perror("event_base_new()"); goto error; } // Create OpenSSL bufferevent and stack evhttp on top of it ssl = SSL_new(ssl_ctx); if (ssl == NULL) { err_openssl("SSL_new()"); goto error; } #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME // Set hostname for SNI extension SSL_set_tlsext_host_name(ssl, host); #endif if (strcasecmp(scheme, "http") == 0) { bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE); } else { type = HTTPS; bev = bufferevent_openssl_socket_new(base, -1, ssl, BUFFEREVENT_SSL_CONNECTING, BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); } if (bev == NULL) { fprintf(stderr, "bufferevent_openssl_socket_new() failed\n"); goto error; } bufferevent_openssl_set_allow_dirty_shutdown(bev, 1); // For simplicity, we let DNS resolution block. Everything else should be // asynchronous though. evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev, host, port); if (evcon == NULL) { fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n"); goto error; } if (retries > 0) { evhttp_connection_set_retries(evcon, retries); } if (timeout >= 0) { evhttp_connection_set_timeout(evcon, timeout); } // Fire off the request req = evhttp_request_new(http_request_done, bev); if (req == NULL) { fprintf(stderr, "evhttp_request_new() failed\n"); goto error; } output_headers = evhttp_request_get_output_headers(req); evhttp_add_header(output_headers, "Host", host); evhttp_add_header(output_headers, "Connection", "close"); if (data_file) { /* NOTE: In production code, you'd probably want to use * evbuffer_add_file() or evbuffer_add_file_segment(), to * avoid needless copying. */ FILE * f = fopen(data_file, "rb"); char buf[1024]; size_t s; size_t bytes = 0; if (!f) { syntax(); goto error; } output_buffer = evhttp_request_get_output_buffer(req); while ((s = fread(buf, 1, sizeof(buf), f)) > 0) { evbuffer_add(output_buffer, buf, s); bytes += s; } evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes); evhttp_add_header(output_headers, "Content-Length", buf); fclose(f); } r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri); if (r != 0) { fprintf(stderr, "evhttp_make_request() failed\n"); goto error; } event_base_dispatch(base); goto cleanup; error: ret = 1; cleanup: if (evcon) evhttp_connection_free(evcon); if (http_uri) evhttp_uri_free(http_uri); event_base_free(base); if (ssl_ctx) SSL_CTX_free(ssl_ctx); if (type == HTTP && ssl) SSL_free(ssl); #if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_cleanup(); ERR_free_strings(); #ifdef EVENT__HAVE_ERR_REMOVE_THREAD_STATE ERR_remove_thread_state(NULL); #else ERR_remove_state(0); #endif CRYPTO_cleanup_all_ex_data(); sk_SSL_COMP_free(SSL_COMP_get_compression_methods()); #endif /*OPENSSL_VERSION_NUMBER < 0x10100000L */ #ifdef _WIN32 WSACleanup(); #endif return ret; }
static int pk7_verify(X509_STORE *cert_store, PKCS7 *p7, BIO *detached, char *ebuf, int ebufsize) { PKCS7_SIGNER_INFO *si; verify_context vctx; BIO *p7bio=NULL; char readbuf[1024*4]; int res = 1; int i; STACK_OF(PKCS7_SIGNER_INFO) *sk; vctx.err = X509_V_OK; ebuf[0] = 0; OpenSSL_add_all_algorithms(); EVP_add_digest(EVP_md5()); EVP_add_digest(EVP_sha1()); ERR_load_crypto_strings(); ERR_clear_error(); X509_VERIFY_PARAM_set_flags(cert_store->param, X509_V_FLAG_CB_ISSUER_CHECK); X509_STORE_set_verify_cb_func(cert_store, verify_callback); p7bio = PKCS7_dataInit(p7, detached); /* We now have to 'read' from p7bio to calculate digests etc. */ while (BIO_read(p7bio, readbuf, sizeof(readbuf)) > 0) ; /* We can now verify signatures */ sk = PKCS7_get_signer_info(p7); if (sk == NULL) { /* there are no signatures on this data */ res = 0; fz_strlcpy(ebuf, "No signatures", ebufsize); goto exit; } for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++) { int rc; si = sk_PKCS7_SIGNER_INFO_value(sk, i); rc = PKCS7_dataVerify(cert_store, &vctx.x509_ctx, p7bio,p7, si); if (rc <= 0 || vctx.err != X509_V_OK) { char tbuf[120]; if (rc <= 0) { fz_strlcpy(ebuf, ERR_error_string(ERR_get_error(), tbuf), ebufsize); } else { /* Error while checking the certificate chain */ snprintf(ebuf, ebufsize, "%s(%d): %s", X509_verify_cert_error_string(vctx.err), vctx.err, vctx.certdesc); } res = 0; goto exit; } } exit: X509_STORE_CTX_cleanup(&vctx.x509_ctx); ERR_free_strings(); return res; }
int main(int argc, char **argv) { BIO *in = NULL, *out = NULL, *tbio = NULL; X509 *rcert = NULL; EVP_PKEY *rkey = NULL; CMS_ContentInfo *cms = NULL; int ret = 1; OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); /* Read in recipient certificate and private key */ tbio = BIO_new_file("signer.pem", "r"); if (!tbio) goto err; rcert = PEM_read_bio_X509(tbio, NULL, 0, NULL); BIO_reset(tbio); rkey = PEM_read_bio_PrivateKey(tbio, NULL, 0, NULL); if (!rcert || !rkey) goto err; /* Open S/MIME message to decrypt */ in = BIO_new_file("smencr.txt", "r"); if (!in) goto err; /* Parse message */ cms = SMIME_read_CMS(in, NULL); if (!cms) goto err; out = BIO_new_file("decout.txt", "w"); if (!out) goto err; /* Decrypt S/MIME message */ if (!CMS_decrypt(cms, rkey, rcert, NULL, out, 0)) goto err; ret = 0; err: if (ret) { fprintf(stderr, "Error Decrypting Data\n"); ERR_print_errors_fp(stderr); } if (cms) CMS_ContentInfo_free(cms); if (rcert) X509_free(rcert); if (rkey) EVP_PKEY_free(rkey); if (in) BIO_free(in); if (out) BIO_free(out); if (tbio) BIO_free(tbio); return ret; }
int main(int argc, char **argv) { BIO *in = NULL, *out = NULL, *tbio = NULL; X509 *scert = NULL, *scert2 = NULL; EVP_PKEY *skey = NULL, *skey2 = NULL; CMS_ContentInfo *cms = NULL; int ret = 1; OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); tbio = BIO_new_file("signer.pem", "r"); if (!tbio) goto err; scert = PEM_read_bio_X509(tbio, NULL, 0, NULL); BIO_reset(tbio); skey = PEM_read_bio_PrivateKey(tbio, NULL, 0, NULL); BIO_free(tbio); tbio = BIO_new_file("signer2.pem", "r"); if (!tbio) goto err; scert2 = PEM_read_bio_X509(tbio, NULL, 0, NULL); BIO_reset(tbio); skey2 = PEM_read_bio_PrivateKey(tbio, NULL, 0, NULL); if (!scert2 || !skey2) goto err; in = BIO_new_file("sign.txt", "r"); if (!in) goto err; cms = CMS_sign(NULL, NULL, NULL, in, CMS_STREAM|CMS_PARTIAL); if (!cms) goto err; /* Add each signer in turn */ if (!CMS_add1_signer(cms, scert, skey, NULL, 0)) goto err; if (!CMS_add1_signer(cms, scert2, skey2, NULL, 0)) goto err; out = BIO_new_file("smout.txt", "w"); if (!out) goto err; /* NB: content included and finalized by SMIME_write_CMS */ if (!SMIME_write_CMS(out, cms, in, CMS_STREAM)) goto err; ret = 0; err: if (ret) { fprintf(stderr, "Error Signing Data\n"); ERR_print_errors_fp(stderr); } if (cms) CMS_ContentInfo_free(cms); if (scert) X509_free(scert); if (skey) EVP_PKEY_free(skey); if (scert2) X509_free(scert2); if (skey) EVP_PKEY_free(skey2); if (in) BIO_free(in); if (out) BIO_free(out); if (tbio) BIO_free(tbio); return ret; }
static bool _backend_init(Backend *backend) { OpenSSL_add_all_algorithms(); //listTokens(backend); return true; }
int main() { char dest_url[] = "https://www.hp.com"; BIO *certbio = NULL; BIO *outbio = NULL; X509 *cert = NULL; X509_NAME *certname = NULL; const SSL_METHOD *method; SSL_CTX *ctx; SSL *ssl; int server = 0; int ret, i; EVP_PKEY *pkey = NULL; /* ---------------------------------------------------------- * * These function calls initialize openssl for correct work. * * ---------------------------------------------------------- */ OpenSSL_add_all_algorithms(); ERR_load_BIO_strings(); ERR_load_crypto_strings(); SSL_load_error_strings(); /* ---------------------------------------------------------- * * Create the Input/Output BIO's. * * ---------------------------------------------------------- */ certbio = BIO_new(BIO_s_file()); outbio = BIO_new_fp(stdout, BIO_NOCLOSE); /* ---------------------------------------------------------- * * initialize SSL library and register algorithms * * ---------------------------------------------------------- */ if(SSL_library_init() < 0) BIO_printf(outbio, "Could not initialize the OpenSSL library !\n"); /* ---------------------------------------------------------- * * Set SSLv2 client hello, also announce SSLv3 and TLSv1 * * ---------------------------------------------------------- */ method = SSLv23_client_method(); /* ---------------------------------------------------------- * * Try to create a new SSL context * * ---------------------------------------------------------- */ if ( (ctx = SSL_CTX_new(method)) == NULL) BIO_printf(outbio, "Unable to create a new SSL context structure.\n"); /* ---------------------------------------------------------- * * Disabling SSLv2 will leave v3 and TSLv1 for negotiation * * ---------------------------------------------------------- */ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); /* ---------------------------------------------------------- * * Create new SSL connection state object * * ---------------------------------------------------------- */ ssl = SSL_new(ctx); /* ---------------------------------------------------------- * * Make the underlying TCP socket connection * * ---------------------------------------------------------- */ server = create_socket(dest_url, outbio); if(server != 0) BIO_printf(outbio, "Successfully made the TCP connection to: %s.\n", dest_url); /* ---------------------------------------------------------- * * Attach the SSL session to the socket descriptor * * ---------------------------------------------------------- */ SSL_set_fd(ssl, server); /* ---------------------------------------------------------- * * Try to SSL-connect here, returns 1 for success * * ---------------------------------------------------------- */ if ( SSL_connect(ssl) != 1 ) BIO_printf(outbio, "Error: Could not build a SSL session to: %s.\n", dest_url); else BIO_printf(outbio, "Successfully enabled SSL/TLS session to: %s.\n", dest_url); /* ---------------------------------------------------------- * * Get the remote certificate into the X509 structure * * ---------------------------------------------------------- */ cert = SSL_get_peer_certificate(ssl); if (cert == NULL) BIO_printf(outbio, "Error: Could not get a certificate from: %s.\n", dest_url); else BIO_printf(outbio, "Retrieved the server's certificate from: %s.\n", dest_url); if ((pkey = X509_get_pubkey(cert)) == NULL) BIO_printf(outbio, "Error getting public key from certificate"); if (pkey) { switch (pkey->type) { case EVP_PKEY_RSA: BIO_printf(outbio, "%d bit RSA Key\n\n", EVP_PKEY_bits(pkey)); break; case EVP_PKEY_DSA: BIO_printf(outbio, "%d bit DSA Key\n\n", EVP_PKEY_bits(pkey)); break; default: BIO_printf(outbio, "%d bit non-RSA/DSA Key\n\n", EVP_PKEY_bits(pkey)); break; } } if(!PEM_write_bio_PUBKEY(outbio, pkey)) BIO_printf(outbio, "Error writing public key data in PEM format"); /* ---------------------------------------------------------- * * extract various certificate information * * -----------------------------------------------------------*/ certname = X509_NAME_new(); certname = X509_get_subject_name(cert); /* ---------------------------------------------------------- * * display the cert subject here * * -----------------------------------------------------------*/ BIO_printf(outbio, "Displaying the certificate subject data:\n"); X509_NAME_print_ex(outbio, certname, 0, 0); BIO_printf(outbio, "\n"); /* ---------------------------------------------------------- * * Free the structures we don't need anymore * * -----------------------------------------------------------*/ SSL_free(ssl); close(server); X509_free(cert); SSL_CTX_free(ctx); BIO_printf(outbio, "Finished SSL/TLS connection with server: %s.\n", dest_url); return(0); }
int main(int argc, char * const argv[]) { int err = 0, r, c, long_optind = 0; int action_count = 0; int do_initialize = 0; int do_import_dkek_share = 0; int do_create_dkek_share = 0; int do_wrap_key = 0; int do_unwrap_key = 0; sc_path_t path; sc_file_t *file = NULL; const char *opt_so_pin = NULL; const char *opt_pin = NULL; const char *opt_filename = NULL; char *opt_password = NULL; int opt_retry_counter = 3; int opt_dkek_shares = -1; int opt_key_reference = -1; int opt_password_shares_threshold = -1; int opt_password_shares_total = -1; int opt_force = 0; int opt_iter = 10000000; sc_context_param_t ctx_param; setbuf(stderr, NULL); setbuf(stdout, NULL); while (1) { c = getopt_long(argc, argv, "XC:I:W:U:s:i:fr:wv", options, &long_optind); if (c == -1) break; if (c == '?') util_print_usage_and_die(app_name, options, option_help, NULL); switch (c) { case 'X': do_initialize = 1; action_count++; break; case 'C': do_create_dkek_share = 1; opt_filename = optarg; action_count++; break; case 'I': do_import_dkek_share = 1; opt_filename = optarg; action_count++; break; case 'W': do_wrap_key = 1; opt_filename = optarg; action_count++; break; case 'U': do_unwrap_key = 1; opt_filename = optarg; action_count++; break; case OPT_PASSWORD: opt_password = optarg; break; case OPT_SO_PIN: opt_so_pin = optarg; break; case OPT_PIN: opt_pin = optarg; break; case OPT_RETRY: opt_retry_counter = atol(optarg); break; case OPT_PASSWORD_SHARES_THRESHOLD: opt_password_shares_threshold = atol(optarg); break; case OPT_PASSWORD_SHARES_TOTAL: opt_password_shares_total = atol(optarg); break; case 's': opt_dkek_shares = atol(optarg); break; case 'f': opt_force = 1; break; case 'i': opt_key_reference = atol(optarg); break; case 'r': opt_reader = optarg; break; case 'v': verbose++; break; case 'w': opt_wait = 1; break; } } CRYPTO_malloc_init(); ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); memset(&ctx_param, 0, sizeof(sc_context_param_t)); ctx_param.app_name = app_name; r = sc_context_create(&ctx, &ctx_param); if (r != SC_SUCCESS) { fprintf(stderr, "Failed to establish context: %s\n", sc_strerror(r)); return 1; } /* Only change if not in opensc.conf */ if (verbose > 1 && ctx->debug == 0) { ctx->debug = verbose; sc_ctx_log_to_file(ctx, "stderr"); } err = util_connect_card(ctx, &card, opt_reader, opt_wait, verbose); if (r != SC_SUCCESS) { fprintf(stderr, "Failed to connect to card: %s\n", sc_strerror(r)); goto end; } sc_path_set(&path, SC_PATH_TYPE_DF_NAME, sc_hsm_aid.value, sc_hsm_aid.len, 0, 0); r = sc_select_file(card, &path, &file); if (r != SC_SUCCESS) { fprintf(stderr, "Failed to select application: %s\n", sc_strerror(r)); goto end; } if (do_initialize) { initialize(card, opt_so_pin, opt_pin, opt_retry_counter, opt_dkek_shares); } if (do_create_dkek_share) { create_dkek_share(card, opt_filename, opt_iter, opt_password, opt_password_shares_threshold, opt_password_shares_total); } if (do_import_dkek_share) { import_dkek_share(card, opt_filename, opt_iter, opt_password, opt_password_shares_total); } if (do_wrap_key) { wrap_key(card, opt_key_reference, opt_filename, opt_pin); } if (do_unwrap_key) { unwrap_key(card, opt_key_reference, opt_filename, opt_pin, opt_force); } if (action_count == 0) { print_info(card, file); } end: if (card) { sc_unlock(card); sc_disconnect_card(card); } if (ctx) sc_release_context(ctx); ERR_print_errors_fp(stderr); return err; }
int main (int argc, char **argv) { BIO *in = NULL, *out = NULL, *tbio = NULL, *cont = NULL; X509_STORE *st = NULL; X509 *cacert = NULL; CMS_ContentInfo *cms = NULL; int ret = 1; OpenSSL_add_all_algorithms (); ERR_load_crypto_strings (); /* Set up trusted CA certificate store */ st = X509_STORE_new (); /* Read in CA certificate */ tbio = BIO_new_file ("cacert.pem", "r"); if (!tbio) goto err; cacert = PEM_read_bio_X509 (tbio, NULL, 0, NULL); if (!cacert) goto err; if (!X509_STORE_add_cert (st, cacert)) goto err; /* Open message being verified */ in = BIO_new_file ("smout.txt", "r"); if (!in) goto err; /* parse message */ cms = SMIME_read_CMS (in, &cont); if (!cms) goto err; /* File to output verified content to */ out = BIO_new_file ("smver.txt", "w"); if (!out) goto err; if (!CMS_verify (cms, NULL, st, cont, out, 0)) { fprintf (stderr, "Verification Failure\n"); goto err; } fprintf (stderr, "Verification Successful\n"); ret = 0; err: if (ret) { fprintf (stderr, "Error Verifying Data\n"); ERR_print_errors_fp (stderr); } if (cms) CMS_ContentInfo_free (cms); if (cacert) X509_free (cacert); if (in) BIO_free (in); if (out) BIO_free (out); if (tbio) BIO_free (tbio); return ret; }
void enc_key_init(int method, const char *pass) { if (method <= TABLE || method >= CIPHER_NUM) { LOGE("enc_key_init(): Illegal method"); return; } // Inilitialize cache cache_create(&iv_cache, 256, NULL); #if defined(USE_CRYPTO_OPENSSL) OpenSSL_add_all_algorithms(); #endif uint8_t iv[MAX_IV_LENGTH]; cipher_kt_t *cipher; cipher_kt_t cipher_info; if (method == SALSA20 || method == CHACHA20) { if (sodium_init() == -1) { FATAL("Failed to initialize sodium"); } // Fake cipher cipher = (cipher_kt_t *)&cipher_info; #if defined(USE_CRYPTO_OPENSSL) cipher->key_len = supported_ciphers_key_size[method]; cipher->iv_len = supported_ciphers_iv_size[method]; #endif #if defined(USE_CRYPTO_POLARSSL) cipher->base = NULL; cipher->key_length = supported_ciphers_key_size[method] * 8; cipher->iv_size = supported_ciphers_iv_size[method]; #endif #if defined(USE_CRYPTO_MBEDTLS) // XXX: key_length changed to key_bitlen in mbed TLS 2.0.0 cipher->base = NULL; cipher->key_bitlen = supported_ciphers_key_size[method] * 8; cipher->iv_size = supported_ciphers_iv_size[method]; #endif } else { cipher = (cipher_kt_t *)get_cipher_type(method); } if (cipher == NULL) { do { #if defined(USE_CRYPTO_POLARSSL) && defined(USE_CRYPTO_APPLECC) if (supported_ciphers_applecc[method] != kCCAlgorithmInvalid) { cipher_info.base = NULL; cipher_info.key_length = supported_ciphers_key_size[method] * 8; cipher_info.iv_size = supported_ciphers_iv_size[method]; cipher = (cipher_kt_t *)&cipher_info; break; } #endif #if defined(USE_CRYPTO_MBEDTLS) && defined(USE_CRYPTO_APPLECC) // XXX: key_length changed to key_bitlen in mbed TLS 2.0.0 if (supported_ciphers_applecc[method] != kCCAlgorithmInvalid) { cipher_info.base = NULL; cipher_info.key_bitlen = supported_ciphers_key_size[method] * 8; cipher_info.iv_size = supported_ciphers_iv_size[method]; cipher = (cipher_kt_t *)&cipher_info; break; } #endif LOGE("Cipher %s not found in crypto library", supported_ciphers[method]); FATAL("Cannot initialize cipher"); } while (0); } const digest_type_t *md = get_digest_type("MD5"); if (md == NULL) { FATAL("MD5 Digest not found in crypto library"); } enc_key_len = bytes_to_key(cipher, md, (const uint8_t *)pass, enc_key, iv); if (enc_key_len == 0) { FATAL("Cannot generate key and IV"); } if (method == RC4_MD5) { enc_iv_len = 16; } else { enc_iv_len = cipher_iv_size(cipher); } enc_method = method; }
void initOpenSSL(void) { OpenSSL_add_all_algorithms(); }
void ape_ssl_init() { SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); }
pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode ) { if (!ssl_initialized) { ssl_initialized = 1; SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); ssl_ex_data_index = SSL_get_ex_new_index( 0, (void *) "org.apache.qpid.proton.ssl", NULL, NULL, NULL); } pn_ssl_domain_t *domain = (pn_ssl_domain_t *) calloc(1, sizeof(pn_ssl_domain_t)); if (!domain) return NULL; domain->ref_count = 1; domain->mode = mode; // enable all supported protocol versions, then explicitly disable the // known vulnerable ones. This should allow us to use the latest version // of the TLS standard that the installed library supports. switch(mode) { case PN_SSL_MODE_CLIENT: domain->ctx = SSL_CTX_new(SSLv23_client_method()); // and TLSv1+ if (!domain->ctx) { ssl_log_error("Unable to initialize OpenSSL context."); free(domain); return NULL; } break; case PN_SSL_MODE_SERVER: domain->ctx = SSL_CTX_new(SSLv23_server_method()); // and TLSv1+ if (!domain->ctx) { ssl_log_error("Unable to initialize OpenSSL context."); free(domain); return NULL; } break; default: pn_transport_logf(NULL, "Invalid value for pn_ssl_mode_t: %d", mode); free(domain); return NULL; } const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; SSL_CTX_set_options(domain->ctx, reject_insecure); #ifdef SSL_OP_NO_COMPRESSION // Mitigate the CRIME vulnerability SSL_CTX_set_options(domain->ctx, SSL_OP_NO_COMPRESSION); #endif // by default, allow anonymous ciphers so certificates are not required 'out of the box' if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) { ssl_log_error("Failed to set cipher list to %s", CIPHERS_ANONYMOUS); pn_ssl_domain_free(domain); return NULL; } // ditto: by default do not authenticate the peer (can be done by SASL). if (pn_ssl_domain_set_peer_authentication( domain, PN_SSL_ANONYMOUS_PEER, NULL )) { pn_ssl_domain_free(domain); return NULL; } DH *dh = get_dh2048(); if (dh) { SSL_CTX_set_tmp_dh(domain->ctx, dh); DH_free(dh); SSL_CTX_set_options(domain->ctx, SSL_OP_SINGLE_DH_USE); } return domain; }
SSL_CTX *setup_ssl_listen(void) { const SSL_METHOD *method; if (sslctx) goto done; SSL_library_init(); OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); SSL_load_error_strings(); /* RAND_status initializes the random number generator through a variety of platform-dependent methods, then returns 1 if there is enough entropy or 0 otherwise. This seems to be a good platform-independent way of seeding the generator, as well as of refusing to continue without enough entropy. */ if (!RAND_status()) bye("Failed to seed OpenSSL PRNG (RAND_status returned false)."); if (!(method = SSLv23_server_method())) bye("SSLv23_server_method(): %s.", ERR_error_string(ERR_get_error(), NULL)); if (!(sslctx = SSL_CTX_new(method))) bye("SSL_CTX_new(): %s.", ERR_error_string(ERR_get_error(), NULL)); SSL_CTX_set_options(sslctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); /* Secure ciphers list taken from Nsock. */ if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")) bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL)); if (o.sslcert == NULL && o.sslkey == NULL) { X509 *cert; EVP_PKEY *key; char digest_buf[SHA1_STRING_LENGTH + 1]; if (o.verbose) loguser("Generating a temporary %d-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.\n", DEFAULT_KEY_BITS); if (ssl_gen_cert(&cert, &key) == 0) bye("ssl_gen_cert(): %s.", ERR_error_string(ERR_get_error(), NULL)); if (o.verbose) { assert(ssl_cert_fp_str_sha1(cert, digest_buf, sizeof(digest_buf)) != NULL); loguser("SHA-1 fingerprint: %s\n", digest_buf); } if (SSL_CTX_use_certificate(sslctx, cert) != 1) bye("SSL_CTX_use_certificate(): %s.", ERR_error_string(ERR_get_error(), NULL)); if (SSL_CTX_use_PrivateKey(sslctx, key) != 1) bye("SSL_CTX_use_PrivateKey(): %s.", ERR_error_string(ERR_get_error(), NULL)); X509_free(cert); EVP_PKEY_free(key); } else { if (o.sslcert == NULL || o.sslkey == NULL) bye("The --ssl-key and --ssl-cert options must be used together."); if (SSL_CTX_use_certificate_file(sslctx, o.sslcert, SSL_FILETYPE_PEM) != 1) bye("SSL_CTX_use_certificate_file(): %s.", ERR_error_string(ERR_get_error(), NULL)); if (SSL_CTX_use_PrivateKey_file(sslctx, o.sslkey, SSL_FILETYPE_PEM) != 1) bye("SSL_CTX_use_Privatekey_file(): %s.", ERR_error_string(ERR_get_error(), NULL)); } done: return sslctx; }
int sign_repo(struct xbps_handle *xhp, const char *repodir, const char *privkey, const char *signedby) { struct stat st; struct xbps_repo *repo; xbps_dictionary_t pkgd, meta = NULL; xbps_data_t data = NULL, rpubkey = NULL; xbps_object_iterator_t iter = NULL; xbps_object_t obj; RSA *rsa = NULL; unsigned char *sig; unsigned int siglen; uint16_t rpubkeysize, pubkeysize; const char *arch, *pkgver, *rsignedby = NULL; char *binpkg = NULL, *binpkg_sig = NULL, *buf = NULL, *defprivkey = NULL; int binpkg_fd, binpkg_sig_fd, rv = 0; bool flush = false; if (signedby == NULL) { fprintf(stderr, "--signedby unset! cannot sign repository\n"); return -1; } /* * Check that repository index exists and not empty, otherwise bail out. */ repo = xbps_repo_open(xhp, repodir, true); if (repo == NULL) { rv = errno; fprintf(stderr, "%s: cannot read repository data: %s\n", _XBPS_RINDEX, strerror(errno)); goto out; } if (xbps_dictionary_count(repo->idx) == 0) { fprintf(stderr, "%s: invalid repository, existing!\n", _XBPS_RINDEX); rv = EINVAL; goto out; } /* * If privkey not set, default to ~/.ssh/id_rsa. */ if (privkey == NULL) defprivkey = xbps_xasprintf("%s/.ssh/id_rsa", getenv("HOME")); else defprivkey = strdup(privkey); ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); if ((rsa = load_rsa_privkey(defprivkey)) == NULL) { fprintf(stderr, "%s: failed to read the RSA privkey\n", _XBPS_RINDEX); rv = EINVAL; goto out; } /* * Iterate over the idx dictionary and then sign all binary * packages in this repository. */ iter = xbps_dictionary_iterator(repo->idx); assert(iter); while ((obj = xbps_object_iterator_next(iter))) { pkgd = xbps_dictionary_get_keysym(repo->idx, obj); xbps_dictionary_get_cstring_nocopy(pkgd, "architecture", &arch); xbps_dictionary_get_cstring_nocopy(pkgd, "pkgver", &pkgver); binpkg = xbps_xasprintf("%s/%s.%s.xbps", repodir, pkgver, arch); binpkg_sig = xbps_xasprintf("%s.sig", binpkg); /* * Skip pkg if file signature exists */ if ((binpkg_sig_fd = access(binpkg_sig, R_OK)) == 0) { if (xhp->flags & XBPS_FLAG_VERBOSE) fprintf(stderr, "skipping %s, file signature found.\n", pkgver); free(binpkg); free(binpkg_sig); close(binpkg_sig_fd); continue; } /* * Generate pkg file signature. */ if ((binpkg_fd = open(binpkg, O_RDONLY)) == -1) { fprintf(stderr, "cannot read %s: %s\n", binpkg, strerror(errno)); free(binpkg); free(binpkg_sig); continue; } fstat(binpkg_fd, &st); buf = malloc(st.st_size); assert(buf); if (read(binpkg_fd, buf, st.st_size) != st.st_size) { fprintf(stderr, "failed to read %s: %s\n", binpkg, strerror(errno)); close(binpkg_fd); free(buf); free(binpkg); free(binpkg_sig); continue; } close(binpkg_fd); if (!rsa_sign_buf(rsa, buf, st.st_size, &sig, &siglen)) { fprintf(stderr, "failed to sign %s: %s\n", binpkg, strerror(errno)); free(buf); free(binpkg); free(binpkg_sig); continue; } free(buf); free(binpkg); /* * Write pkg file signature. */ binpkg_sig_fd = creat(binpkg_sig, 0644); if (binpkg_sig_fd == -1) { fprintf(stderr, "failed to create %s: %s\n", binpkg_sig, strerror(errno)); free(sig); free(binpkg_sig); continue; } if (write(binpkg_sig_fd, sig, siglen) != (ssize_t)siglen) { fprintf(stderr, "failed to write %s: %s\n", binpkg_sig, strerror(errno)); free(sig); free(binpkg_sig); close(binpkg_sig_fd); continue; } free(sig); free(binpkg_sig); close(binpkg_sig_fd); printf("signed successfully %s\n", pkgver); } xbps_object_iterator_release(iter); /* * Check if repository index-meta contains changes compared to its * current state. */ if ((buf = pubkey_from_privkey(rsa)) == NULL) { rv = EINVAL; goto out; } meta = xbps_dictionary_create(); data = xbps_data_create_data(buf, strlen(buf)); rpubkey = xbps_dictionary_get(repo->idxmeta, "public-key"); if (!xbps_data_equals(rpubkey, data)) flush = true; free(buf); pubkeysize = RSA_size(rsa) * 8; xbps_dictionary_get_uint16(repo->idxmeta, "public-key-size", &rpubkeysize); if (rpubkeysize != pubkeysize) flush = true; xbps_dictionary_get_cstring_nocopy(repo->idxmeta, "signature-by", &rsignedby); if (rsignedby == NULL || strcmp(rsignedby, signedby)) flush = true; if (!flush) goto out; xbps_dictionary_set(meta, "public-key", data); xbps_dictionary_set_uint16(meta, "public-key-size", pubkeysize); xbps_dictionary_set_cstring_nocopy(meta, "signature-by", signedby); xbps_dictionary_set_cstring_nocopy(meta, "signature-type", "rsa"); xbps_object_release(data); data = NULL; if (!repodata_flush(xhp, repodir, repo->idx, meta)) { fprintf(stderr, "failed to write repodata: %s\n", strerror(errno)); goto out; } printf("Signed repository (%u package%s)\n", xbps_dictionary_count(repo->idx), xbps_dictionary_count(repo->idx) == 1 ? "" : "s"); out: if (defprivkey) { free(defprivkey); } if (rsa) { RSA_free(rsa); rsa = NULL; } if (repo) { xbps_repo_close(repo); } return rv ? -1 : 0; }
int main(int argc, char **argv) { program_name = argv[0]; if(!parse_options(argc, argv)) return 1; make_names(); if(show_version) { printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE, VERSION, __DATE__, __TIME__, PROT_CURRENT); printf("Copyright (C) 1998-2010 Ivo Timmermans, Guus Sliepen and others.\n" "See the AUTHORS file for a complete list.\n\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "and you are welcome to redistribute it under certain conditions;\n" "see the file COPYING for details.\n"); return 0; } if(show_help) { usage(false); return 0; } if(kill_tincd) return !kill_other(kill_tincd); openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR); g_argv = argv; init_configuration(&config_tree); /* Slllluuuuuuurrrrp! */ RAND_load_file("/dev/urandom", 1024); ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); OpenSSL_add_all_algorithms(); if(generate_keys) { read_server_config(); return !keygen(generate_keys); } if(!read_server_config()) return 1; #ifdef HAVE_LZO if(lzo_init() != LZO_E_OK) { logger(LOG_ERR, "Error initializing LZO compressor!"); return 1; } #endif #ifdef HAVE_MINGW if(WSAStartup(MAKEWORD(2, 2), &wsa_state)) { logger(LOG_ERR, "System call `%s' failed: %s", "WSAStartup", winerror(GetLastError())); return 1; } if(!do_detach || !init_service()) return main2(argc, argv); else return 1; }
int MAIN(int argc, char **argv) { ENGINE *e = NULL; char **args, *infile = NULL, *outfile = NULL; char *passargin = NULL, *passargout = NULL; BIO *in = NULL, *out = NULL; const EVP_CIPHER *cipher = NULL; int informat, outformat; int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0; EVP_PKEY *pkey = NULL; char *passin = NULL, *passout = NULL; int badarg = 0; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; #endif int ret = 1; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; informat = FORMAT_PEM; outformat = FORMAT_PEM; ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); args = argv + 1; while (!badarg && *args && *args[0] == '-') { if (!strcmp(*args, "-inform")) { if (args[1]) { args++; informat = str2fmt(*args); } else badarg = 1; } else if (!strcmp(*args, "-outform")) { if (args[1]) { args++; outformat = str2fmt(*args); } else badarg = 1; } else if (!strcmp(*args, "-passin")) { if (!args[1]) goto bad; passargin = *(++args); } else if (!strcmp(*args, "-passout")) { if (!args[1]) goto bad; passargout = *(++args); } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*args, "-engine") == 0) { if (!args[1]) goto bad; engine = *(++args); } #endif else if (!strcmp(*args, "-in")) { if (args[1]) { args++; infile = *args; } else badarg = 1; } else if (!strcmp(*args, "-out")) { if (args[1]) { args++; outfile = *args; } else badarg = 1; } else if (strcmp(*args, "-pubin") == 0) { pubin = 1; pubout = 1; pubtext = 1; } else if (strcmp(*args, "-pubout") == 0) pubout = 1; else if (strcmp(*args, "-text_pub") == 0) { pubtext = 1; text = 1; } else if (strcmp(*args, "-text") == 0) text = 1; else if (strcmp(*args, "-noout") == 0) noout = 1; else { cipher = EVP_get_cipherbyname(*args + 1); if (!cipher) { BIO_printf(bio_err, "Unknown cipher %s\n", *args + 1); badarg = 1; } } args++; } if (badarg) { bad: BIO_printf(bio_err, "Usage pkey [options]\n"); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, "-in file input file\n"); BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); BIO_printf(bio_err, "-out file output file\n"); BIO_printf(bio_err, "-passout arg output file pass phrase source\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); #endif return 1; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } if (outfile) { if (!(out = BIO_new_file(outfile, "wb"))) { BIO_printf(bio_err, "Can't open output file %s\n", outfile); goto end; } } else { out = BIO_new_fp(stdout, BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } if (pubin) pkey = load_pubkey(bio_err, infile, informat, 1, passin, e, "Public Key"); else pkey = load_key(bio_err, infile, informat, 1, passin, e, "key"); if (!pkey) goto end; if (!noout) { if (outformat == FORMAT_PEM) { if (pubout) PEM_write_bio_PUBKEY(out, pkey); else PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, passout); } else if (outformat == FORMAT_ASN1) { if (pubout) i2d_PUBKEY_bio(out, pkey); else i2d_PrivateKey_bio(out, pkey); } else { BIO_printf(bio_err, "Bad format specified for key\n"); goto end; } } if (text) { if (pubtext) EVP_PKEY_print_public(out, pkey, 0, NULL); else EVP_PKEY_print_private(out, pkey, 0, NULL); } ret = 0; end: EVP_PKEY_free(pkey); BIO_free_all(out); BIO_free(in); if (passin) OPENSSL_free(passin); if (passout) OPENSSL_free(passout); return ret; }
int main(int argc, char **argv) { int c = 0; char *ptr, *progname = *argv; const char *cmdopts = "hqv", *secret = NULL; ptr = strrchr(progname, '/'); if (ptr != NULL) { progname = ptr+1; } opterr = 0; while ((c = #ifdef HAVE_GETOPT_LONG getopt_long(argc, argv, cmdopts, opts, NULL) #else /* HAVE_GETOPT_LONG */ getopt(argc, argv, cmdopts) #endif /* HAVE_GETOPT_LONG */ ) != -1) { switch (c) { case 'h': show_usage(progname, 0); break; case 'q': verbose = FALSE; quiet = TRUE; break; case 'v': quiet = FALSE; verbose = TRUE; break; case '?': fprintf(stderr, "unknown option: %c\n", (char) optopt); show_usage(progname, 1); break; } } auth_otp_pool = make_sub_pool(NULL); #if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); #endif /* prior to OpenSSL-1.1.x */ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); secret = generate_secret(auth_otp_pool); if (secret == NULL) { return 1; } if (quiet) { fprintf(stdout, "%s\n", secret); } else { int code; code = generate_code(auth_otp_pool, secret, strlen(secret)); if (code < 0) { fprintf(stderr, "%s: error generating verification code: %s\n", progname, strerror(errno)); destroy_pool(auth_otp_pool); return 1; } fprintf(stdout, "-------------------------------------------------\n"); fprintf(stdout, "Your new secret key is: %s\n\n", secret); fprintf(stdout, "To add this key to your SQL table, you might use:\n\n"); fprintf(stdout, " INSERT INTO auth_otp (secret, counter) VALUES ('%s', 0);\n\n", secret); fprintf(stdout, "Your verification code is: %06d\n", code); fprintf(stdout, "-------------------------------------------------\n"); } ERR_free_strings(); EVP_cleanup(); RAND_cleanup(); destroy_pool(auth_otp_pool); return 0; }
int main(int argc, char **argv) { BIO *in = NULL, *out = NULL, *tbio = NULL; X509 *scert = NULL; EVP_PKEY *skey = NULL; CMS_ContentInfo *cms = NULL; int ret = 1; /* * For simple S/MIME signing use CMS_DETACHED. On OpenSSL 1.0.0 only: for * streaming detached set CMS_DETACHED|CMS_STREAM for streaming * non-detached set CMS_STREAM */ int flags = CMS_DETACHED | CMS_STREAM; OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); /* Read in signer certificate and private key */ tbio = BIO_new_file("signer.pem", "r"); if (!tbio) goto err; scert = PEM_read_bio_X509(tbio, NULL, 0, NULL); BIO_reset(tbio); skey = PEM_read_bio_PrivateKey(tbio, NULL, 0, NULL); if (!scert || !skey) goto err; /* Open content being signed */ in = BIO_new_file("sign.txt", "r"); if (!in) goto err; /* Sign content */ cms = CMS_sign(scert, skey, NULL, in, flags); if (!cms) goto err; out = BIO_new_file("smout.txt", "w"); if (!out) goto err; if (!(flags & CMS_STREAM)) BIO_reset(in); /* Write out S/MIME message */ if (!SMIME_write_CMS(out, cms, in, flags)) goto err; ret = 0; err: if (ret) { fprintf(stderr, "Error Signing Data\n"); ERR_print_errors_fp(stderr); } if (cms) CMS_ContentInfo_free(cms); if (scert) X509_free(scert); EVP_PKEY_free(skey); BIO_free(in); BIO_free(out); BIO_free(tbio); return ret; }
/** Main routine for unbound-control */ int main(int argc, char* argv[]) { int c, ret; int quiet = 0; const char* cfgfile = CONFIGFILE; char* svr = NULL; #ifdef USE_WINSOCK int r; WSADATA wsa_data; #endif #ifdef USE_THREAD_DEBUG /* stop the file output from unbound-control, overwites the servers */ extern int check_locking_order; check_locking_order = 0; #endif /* USE_THREAD_DEBUG */ log_ident_set("unbound-control"); log_init(NULL, 0, NULL); checklock_start(); #ifdef USE_WINSOCK if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) fatal_exit("WSAStartup failed: %s", wsa_strerror(r)); /* use registry config file in preference to compiletime location */ if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile"))) cfgfile = CONFIGFILE; #endif ERR_load_crypto_strings(); ERR_load_SSL_strings(); OpenSSL_add_all_algorithms(); (void)SSL_library_init(); if(!RAND_status()) { /* try to seed it */ unsigned char buf[256]; unsigned int seed=(unsigned)time(NULL) ^ (unsigned)getpid(); unsigned int v = seed; size_t i; for(i=0; i<256/sizeof(v); i++) { memmove(buf+i*sizeof(v), &v, sizeof(v)); v = v*seed + (unsigned int)i; } RAND_seed(buf, 256); log_warn("no entropy, seeding openssl PRNG with time\n"); } /* parse the options */ while( (c=getopt(argc, argv, "c:s:qh")) != -1) { switch(c) { case 'c': cfgfile = optarg; break; case 's': svr = optarg; break; case 'q': quiet = 1; break; case '?': case 'h': default: usage(); } } argc -= optind; argv += optind; if(argc == 0) usage(); if(argc >= 1 && strcmp(argv[0], "start")==0) { if(execlp("unbound", "unbound", "-c", cfgfile, (char*)NULL) < 0) { fatal_exit("could not exec unbound: %s", strerror(errno)); } } ret = go(cfgfile, svr, quiet, argc, argv); #ifdef USE_WINSOCK WSACleanup(); #endif checklock_stop(); return ret; }
int main(int argc, char *argv[]) { ENGINE *engine; EVP_PKEY *pkey; X509 *cert; FILE *cert_fp; const char *module, *efile, *certfile, *privkey; int ret = 0; if (argc < 4){ printf("Too few arguments\n"); usage(argv); return 1; } certfile = argv[1]; privkey = argv[2]; module = argv[3]; efile = argv[4]; cert_fp = fopen(certfile, "rb"); if (!cert_fp) { fprintf(stderr, "%s:%d Could not open file %s\n", __FILE__, __LINE__, certfile); ret = 1; goto end; } cert = PEM_read_X509(cert_fp, NULL, NULL, NULL); if (!cert) { fprintf(stderr, "%s:%d Could not read certificate file" "(must be PEM format)\n", __FILE__, __LINE__); } if (cert_fp) { fclose(cert_fp); } ret = CONF_modules_load_file(efile, "engines", 0); if (ret <= 0) { fprintf(stderr, "%s:%d cannot load %s\n", __FILE__, __LINE__, efile); display_openssl_errors(__LINE__); exit(1); } ENGINE_add_conf_module(); #if OPENSSL_VERSION_NUMBER>=0x10100000 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ | OPENSSL_INIT_ADD_ALL_DIGESTS \ | OPENSSL_INIT_LOAD_CONFIG, NULL); #else OpenSSL_add_all_algorithms(); OpenSSL_add_all_digests(); ERR_load_crypto_strings(); #endif ERR_clear_error(); ENGINE_load_builtin_engines(); engine = ENGINE_by_id("pkcs11"); if (engine == NULL) { printf("%s:%d Could not get engine\n", __FILE__, __LINE__); display_openssl_errors(__LINE__); ret = 1; goto end; } if (!ENGINE_ctrl_cmd_string(engine, "VERBOSE", NULL, 0)) { display_openssl_errors(__LINE__); exit(1); } if (!ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", module, 0)) { display_openssl_errors(__LINE__); exit(1); } if (!ENGINE_init(engine)) { printf("Could not initialize engine\n"); display_openssl_errors(__LINE__); ret = 1; goto end; } pkey = ENGINE_load_private_key(engine, privkey, 0, 0); if (pkey == NULL) { printf("%s:%d Could not load key\n", __FILE__, __LINE__); display_openssl_errors(__LINE__); ret = 1; goto end; } ret = X509_check_private_key(cert, pkey); if (!ret) { printf("%s:%d Could not check private key\n", __FILE__, __LINE__); display_openssl_errors(__LINE__); ret = 1; goto end; } printf("Key and certificate matched\n"); ret = 0; CONF_modules_unload(1); end: X509_free(cert); EVP_PKEY_free(pkey); ENGINE_finish(engine); return ret; }
int main(int argc, char *argv[]) { TPM_RC rc = 0; int i; /* argc iterator */ char *prc = NULL; /* pointer return code */ const char *inFilename = NULL; const char *outFilename = NULL; FILE *inFile = NULL; FILE *outFile = NULL; UINT32 sizeInBytes; /* hash algorithm mapped to size */ uint32_t pcrmask = 0; /* pcr register mask */ TPML_PCR_SELECTION pcrs; unsigned int pcrCount = 0; TPMU_HA pcr[IMPLEMENTATION_PCR]; /* all the PCRs */ int pr = FALSE; TPMT_HA digest; uint8_t pcrBytes[IMPLEMENTATION_PCR * MAX_DIGEST_SIZE]; UINT16 pcrLength; /* command line defaults */ digest.hashAlg = TPM_ALG_SHA256; ERR_load_crypto_strings (); OpenSSL_add_all_algorithms (); for (i=1 ; (i<argc) && (rc == 0) ; i++) { if (strcmp(argv[i],"-halg") == 0) { i++; if (i < argc) { if (strcmp(argv[i],"sha256") == 0) { digest.hashAlg = TPM_ALG_SHA256; } else if (strcmp(argv[i],"sha1") == 0) { digest.hashAlg = TPM_ALG_SHA1; } else { printf("Bad parameter for -halg\n"); printUsage(); } } else { printf("Missing parameter for -hi\n"); printUsage(); } } else if (strcmp(argv[i],"-bm") == 0) { i++; if (i < argc) { if (1 != sscanf(argv[i], "%x", &pcrmask)) { printf("Invalid -bm argument '%s'\n", argv[i]); printUsage(); } } else { printf("-bm option needs a value\n"); printUsage(); } } else if (strcmp(argv[i],"-of") == 0) { i++; if (i < argc) { outFilename = argv[i]; } else { printf("-of option needs a value\n"); printUsage(); } } else if (strcmp(argv[i],"-if") == 0) { i++; if (i < argc) { inFilename = argv[i]; } else { printf("-if option needs a value\n"); printUsage(); } } else if (strcmp(argv[i],"-pr") == 0) { pr = TRUE; } else if (strcmp(argv[i],"-h") == 0) { printUsage(); } else if (strcmp(argv[i],"-v") == 0) { verbose = TRUE; TSE_SetProperty(TPM_TRACE_LEVEL, "2"); } else { printf("\n%s is not a valid option\n", argv[i]); printUsage(); } } if (pcrmask == 0) { printf("Missing handle parameter -bm\n"); printUsage(); } if (inFilename == NULL) { printf("Missing handle parameter -if\n"); printUsage(); } /* open the input file */ if (rc == 0) { inFile = fopen(inFilename, "r"); if (inFile == NULL) { printf("Error opening %s for %s, %s\n", inFilename, "r", strerror(errno)); rc = EXIT_FAILURE; } } if (rc == 0) { sizeInBytes = _cpri__GetDigestSize(digest.hashAlg); } /* Table 102 - Definition of TPML_PCR_SELECTION Structure */ if (rc == 0) { pcrs.count = 1; /* hard code one hash algorithm */ /* Table 85 - Definition of TPMS_PCR_SELECTION Structure - pcrSelections */ pcrs.pcrSelections[0].hash = digest.hashAlg; pcrs.pcrSelections[0].sizeofSelect= 3; /* hard code 24 pcrs */ /* TCG always marshals lower PCR first */ pcrs.pcrSelections[0].pcrSelect[0] = (pcrmask >> 0) & 0xff; pcrs.pcrSelections[0].pcrSelect[1] = (pcrmask >> 8) & 0xff; pcrs.pcrSelections[0].pcrSelect[2] = (pcrmask >> 16) & 0xff; }
int zc_socket_ssl(zcSocket *s, char *key_file, char *cert_file, zcSSLCertRequire certreq, zcSSLVer ver, char *cacerts_file, bool isclient) { char *errstr = NULL; int ret; //int err; //int sockstate; if (!isclient && (key_file == NULL || cert_file == NULL)) { ZCERROR("both key and cert files must be specified for server"); goto zc_socket_ssl_fail; } memset(s->server, '\0', sizeof(char) * X509_NAME_MAXLEN); memset(s->issuer, '\0', sizeof(char) * X509_NAME_MAXLEN); s->peer_cert = NULL; s->ssl = NULL; s->ctx = NULL; //s->Socket = NULL; /* Init OpenSSL */ SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_algorithms(); (void) ERR_get_state(); ERR_clear_error(); if ((key_file && !cert_file) || (!key_file && cert_file)) { errstr = "Both the key & certificate files must be specified"; goto zc_socket_ssl_fail; } //SSL_load_error_strings(); //SSLeay_add_ssl_algorithms(); if (s->sslver == ZC_SSL_VER_TLS1) s->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */ else if (ver == ZC_SSL_VER_SSL3) s->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */ else if (ver == ZC_SSL_VER_SSL2) s->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */ else if (ver == ZC_SSL_VER_SSL23) s->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */ //s->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */ if (s->ctx == NULL) { errstr = "SSL_CTX_new error"; goto zc_socket_ssl_fail; } if (certreq != ZC_SSL_CERT_NONE) { if (cacerts_file == NULL) { errstr = "No root certificates specified for verification of other-side certificates."; goto zc_socket_ssl_fail; } else { ret = SSL_CTX_load_verify_locations(s->ctx, cacerts_file, NULL); if (ret != 1) { //_setSSLError(NULL, 0, __FILE__, __LINE__); ZCERROR("load verify locations error: %d", ret); goto zc_socket_ssl_fail; } } } if (key_file) { ret = SSL_CTX_use_PrivateKey_file(s->ctx, key_file, SSL_FILETYPE_PEM); if (ret != 1) { //_setSSLError(NULL, ret, __FILE__, __LINE__); ZCERROR("use privatekey file error:%d", ret); goto zc_socket_ssl_fail; } ret = SSL_CTX_use_certificate_chain_file(s->ctx, cert_file); if (ret != 1) { /* fprintf(stderr, "ret is %d, errcode is %lu, %lu, with file \"%s\"\n", ret, ERR_peek_error(), ERR_peek_last_error(), cert_file); */ if (ERR_peek_last_error() != 0) { //_setSSLError(NULL, ret, __FILE__, __LINE__); ZCERROR("peek last error failed:%d", ret); goto zc_socket_ssl_fail; } } } /* ssl compatibility */ SSL_CTX_set_options(s->ctx, SSL_OP_ALL); int verification_mode = SSL_VERIFY_NONE; if (certreq == ZC_SSL_CERT_OPTIONAL) verification_mode = SSL_VERIFY_PEER; else if (certreq == ZC_SSL_CERT_REQUIRED) verification_mode = (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT); SSL_CTX_set_verify(s->ctx, verification_mode, NULL); /* set verify lvl */ s->ssl = SSL_new(s->ctx); /* New ssl struct */ SSL_set_fd(s->ssl, s->fd); /* Set the socket for SSL */ #ifdef SSL_MODE_AUTO_RETRY SSL_set_mode(s->ssl, SSL_MODE_AUTO_RETRY); #endif /* If the socket is in non-blocking mode or timeout mode, set the BIO * to non-blocking mode (blocking is the default) */ if (!s->blocked) { /* Set both the read and write BIO's to non-blocking mode */ BIO_set_nbio(SSL_get_rbio(s->ssl), 1); BIO_set_nbio(SSL_get_wbio(s->ssl), 1); } if (isclient) { SSL_set_connect_state(s->ssl); }else{ SSL_set_accept_state(s->ssl); } if (isclient) { ret = zc_socket_ssl_handshake(s); if (ret != ZC_OK) { ZCERROR("ssl handshake error: %d", ret); goto zc_socket_ssl_fail; } } return ZC_OK; zc_socket_ssl_fail: if (errstr) { ZCERROR("ssl error: %s\n", errstr); } return -1; }
int main(const int argc, char **argv) { int n_listeners, i, clnt_length, clnt; struct pollfd *polls; LISTENER *lstn; pthread_t thr; pthread_attr_t attr; struct sched_param sp; uid_t user_id; gid_t group_id; FILE *fpid; struct sockaddr_storage clnt_addr; char tmp[MAXBUF]; #ifndef SOL_TCP struct protoent *pe; #endif print_log = 0; (void)umask(077); control_sock = -1; log_facility = -1; logmsg(LOG_NOTICE, "starting..."); signal(SIGHUP, h_shut); signal(SIGINT, h_shut); signal(SIGTERM, h_term); signal(SIGQUIT, h_term); signal(SIGPIPE, SIG_IGN); srandom(getpid()); /* SSL stuff */ SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_algorithms(); l_init(); init_thr_arg(); CRYPTO_set_id_callback(l_id); CRYPTO_set_locking_callback(l_lock); init_timer(); /* prepare regular expressions */ if(regcomp(&HEADER, "^([a-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&CHUNK_HEAD, "^([0-9a-f]+).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&RESP_SKIP, "^HTTP/1.1 100.*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&RESP_IGN, "^HTTP/1.[01] (10[1-9]|1[1-9][0-9]|204|30[456]).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&LOCATION, "(http|https)://([^/]+)(.*)", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&AUTHORIZATION, "Authorization:[ \t]*Basic[ \t]*\"?([^ \t]*)\"?[ \t]*", REG_ICASE | REG_NEWLINE | REG_EXTENDED) ) { logmsg(LOG_ERR, "bad essential Regex - aborted"); exit(1); } #ifndef SOL_TCP /* for systems without the definition */ if((pe = getprotobyname("tcp")) == NULL) { logmsg(LOG_ERR, "missing TCP protocol"); exit(1); } SOL_TCP = pe->p_proto; #endif /* read config */ config_parse(argc, argv); if(log_facility != -1) openlog("pound", LOG_CONS | LOG_NDELAY, LOG_DAEMON); if(ctrl_name != NULL) { struct sockaddr_un ctrl; memset(&ctrl, 0, sizeof(ctrl)); ctrl.sun_family = AF_UNIX; strncpy(ctrl.sun_path, ctrl_name, sizeof(ctrl.sun_path) - 1); (void)unlink(ctrl.sun_path); if((control_sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) { logmsg(LOG_ERR, "Control \"%s\" create: %s", ctrl.sun_path, strerror(errno)); exit(1); } if(bind(control_sock, (struct sockaddr *)&ctrl, (socklen_t)sizeof(ctrl)) < 0) { logmsg(LOG_ERR, "Control \"%s\" bind: %s", ctrl.sun_path, strerror(errno)); exit(1); } listen(control_sock, 512); } /* open listeners */ for(lstn = listeners, n_listeners = 0; lstn; lstn = lstn->next, n_listeners++) { int opt; /* prepare the socket */ if((lstn->sock = socket(lstn->addr.ai_family == AF_INET? PF_INET: PF_INET6, SOCK_STREAM, 0)) < 0) { addr2str(tmp, MAXBUF - 1, &lstn->addr, 0); logmsg(LOG_ERR, "HTTP socket %s create: %s - aborted", tmp, strerror(errno)); exit(1); } opt = 1; setsockopt(lstn->sock, SOL_SOCKET, SO_REUSEADDR, (void *)&opt, sizeof(opt)); if(bind(lstn->sock, lstn->addr.ai_addr, (socklen_t)lstn->addr.ai_addrlen) < 0) { addr2str(tmp, MAXBUF - 1, &lstn->addr, 0); logmsg(LOG_ERR, "HTTP socket bind %s: %s - aborted", tmp, strerror(errno)); exit(1); } listen(lstn->sock, 512); } /* alloc the poll structures */ if((polls = (struct pollfd *)calloc(n_listeners, sizeof(struct pollfd))) == NULL) { logmsg(LOG_ERR, "Out of memory for poll - aborted"); exit(1); } for(lstn = listeners, i = 0; lstn; lstn = lstn->next, i++) polls[i].fd = lstn->sock; /* set uid if necessary */ if(user) { struct passwd *pw; if((pw = getpwnam(user)) == NULL) { logmsg(LOG_ERR, "no such user %s - aborted", user); exit(1); } user_id = pw->pw_uid; } /* set gid if necessary */ if(group) { struct group *gr; if((gr = getgrnam(group)) == NULL) { logmsg(LOG_ERR, "no such group %s - aborted", group); exit(1); } group_id = gr->gr_gid; } /* Turn off verbose messages (if necessary) */ print_log = 0; if(daemonize) { /* daemonize - make ourselves a subprocess. */ switch (fork()) { case 0: if(log_facility != -1) { close(0); close(1); close(2); } break; case -1: logmsg(LOG_ERR, "fork: %s - aborted", strerror(errno)); exit(1); default: exit(0); } #ifdef HAVE_SETSID (void) setsid(); #endif } /* record pid in file */ if((fpid = fopen(pid_name, "wt")) != NULL) { fprintf(fpid, "%d\n", getpid()); fclose(fpid); } else logmsg(LOG_NOTICE, "Create \"%s\": %s", pid_name, strerror(errno)); /* chroot if necessary */ if(root_jail) { if(chroot(root_jail)) { logmsg(LOG_ERR, "chroot: %s - aborted", strerror(errno)); exit(1); } if(chdir("/")) { logmsg(LOG_ERR, "chroot/chdir: %s - aborted", strerror(errno)); exit(1); } } if(group) if(setgid(group_id) || setegid(group_id)) { logmsg(LOG_ERR, "setgid: %s - aborted", strerror(errno)); exit(1); } if(user) if(setuid(user_id) || seteuid(user_id)) { logmsg(LOG_ERR, "setuid: %s - aborted", strerror(errno)); exit(1); } /* split off into monitor and working process if necessary */ for(;;) { #ifdef UPER if((son = fork()) > 0) { int status; (void)wait(&status); if(WIFEXITED(status)) logmsg(LOG_ERR, "MONITOR: worker exited normally %d, restarting...", WEXITSTATUS(status)); else if(WIFSIGNALED(status)) logmsg(LOG_ERR, "MONITOR: worker exited on signal %d, restarting...", WTERMSIG(status)); else logmsg(LOG_ERR, "MONITOR: worker exited (stopped?) %d, restarting...", status); } else if (son == 0) { #endif /* thread stuff */ pthread_attr_init(&attr); pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); #ifdef NEED_STACK /* set new stack size - necessary for OpenBSD/FreeBSD and Linux NPTL */ if(pthread_attr_setstacksize(&attr, 1 << 18)) { logmsg(LOG_ERR, "can't set stack size - aborted"); exit(1); } #endif /* start timer */ if(pthread_create(&thr, &attr, thr_timer, NULL)) { logmsg(LOG_ERR, "create thr_resurect: %s - aborted", strerror(errno)); exit(1); } /* start the controlling thread (if needed) */ if(control_sock >= 0 && pthread_create(&thr, &attr, thr_control, NULL)) { logmsg(LOG_ERR, "create thr_control: %s - aborted", strerror(errno)); exit(1); } /* pause to make sure the service threads were started */ sleep(1); /* create the worker threads */ for(i = 0; i < numthreads; i++) if(pthread_create(&thr, &attr, thr_http, NULL)) { logmsg(LOG_ERR, "create thr_http: %s - aborted", strerror(errno)); exit(1); } /* pause to make sure at least some of the worker threads were started */ sleep(1); /* and start working */ for(;;) { if(shut_down) { logmsg(LOG_NOTICE, "shutting down..."); for(lstn = listeners; lstn; lstn = lstn->next) close(lstn->sock); if(grace > 0) { sleep(grace); logmsg(LOG_NOTICE, "grace period expired - exiting..."); } if(ctrl_name != NULL) (void)unlink(ctrl_name); exit(0); } for(lstn = listeners, i = 0; i < n_listeners; lstn = lstn->next, i++) { polls[i].events = POLLIN | POLLPRI; polls[i].revents = 0; } if(poll(polls, n_listeners, -1) < 0) { logmsg(LOG_WARNING, "poll: %s", strerror(errno)); } else { for(lstn = listeners, i = 0; lstn; lstn = lstn->next, i++) { if(polls[i].revents & (POLLIN | POLLPRI)) { memset(&clnt_addr, 0, sizeof(clnt_addr)); clnt_length = sizeof(clnt_addr); if((clnt = accept(lstn->sock, (struct sockaddr *)&clnt_addr, (socklen_t *)&clnt_length)) < 0) { logmsg(LOG_WARNING, "HTTP accept: %s", strerror(errno)); } else if(((struct sockaddr_in *)&clnt_addr)->sin_family == AF_INET || ((struct sockaddr_in *)&clnt_addr)->sin_family == AF_INET6) { thr_arg arg; if(lstn->disabled) { /* addr2str(tmp, MAXBUF - 1, &clnt_addr, 1); logmsg(LOG_WARNING, "HTTP disabled listener from %s", tmp); */ close(clnt); } arg.sock = clnt; arg.lstn = lstn; if((arg.from_host.ai_addr = (struct sockaddr *)malloc(clnt_length)) == NULL) { logmsg(LOG_WARNING, "HTTP arg address: malloc"); close(clnt); continue; } memcpy(arg.from_host.ai_addr, &clnt_addr, clnt_length); arg.from_host.ai_addrlen = clnt_length; if(((struct sockaddr_in *)&clnt_addr)->sin_family == AF_INET) arg.from_host.ai_family = AF_INET; else arg.from_host.ai_family = AF_INET6; if(put_thr_arg(&arg)) close(clnt); } else { /* may happen on FreeBSD, I am told */ logmsg(LOG_WARNING, "HTTP connection prematurely closed by peer"); close(clnt); } } } } } #ifdef UPER } else { /* failed to spawn son */ logmsg(LOG_ERR, "Can't fork worker (%s) - aborted", strerror(errno)); exit(1); } #endif } }
int MAIN(int argc, char **argv) { ENGINE *e = NULL; char **args, *infile = NULL, *outfile = NULL; char *passargin = NULL, *passargout = NULL; BIO *in = NULL, *out = NULL; int topk8 = 0; int pbe_nid = -1; const EVP_CIPHER *cipher = NULL; int iter = PKCS12_DEFAULT_ITER; int informat, outformat; int p8_broken = PKCS8_OK; int nocrypt = 0; X509_SIG *p8 = NULL; PKCS8_PRIV_KEY_INFO *p8inf = NULL; EVP_PKEY *pkey=NULL; char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; int badarg = 0; int ret = 1; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; informat=FORMAT_PEM; outformat=FORMAT_PEM; ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); args = argv + 1; while (!badarg && *args && *args[0] == '-') { if (!strcmp(*args,"-v2")) { if (args[1]) { args++; cipher=EVP_get_cipherbyname(*args); if (!cipher) { BIO_printf(bio_err, "Unknown cipher %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp(*args,"-v1")) { if (args[1]) { args++; pbe_nid=OBJ_txt2nid(*args); if (pbe_nid == NID_undef) { BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp(*args,"-v2prf")) { if (args[1]) { args++; pbe_nid=OBJ_txt2nid(*args); if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) { BIO_printf(bio_err, "Unknown PRF algorithm %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp(*args,"-inform")) { if (args[1]) { args++; informat=str2fmt(*args); } else badarg = 1; } else if (!strcmp(*args,"-outform")) { if (args[1]) { args++; outformat=str2fmt(*args); } else badarg = 1; } else if (!strcmp (*args, "-topk8")) topk8 = 1; else if (!strcmp (*args, "-noiter")) iter = 1; else if (!strcmp (*args, "-iter")) { if (!args[1]) goto bad; iter = atoi(*(++args)); if (iter <= 0) goto bad; } else if (!strcmp (*args, "-nocrypt")) nocrypt = 1; else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET; else if (!strcmp (*args, "-nsdb")) p8_broken = PKCS8_NS_DB; else if (!strcmp (*args, "-embed")) p8_broken = PKCS8_EMBEDDED_PARAM; else if (!strcmp(*args,"-passin")) { if (!args[1]) goto bad; passargin= *(++args); } else if (!strcmp(*args,"-passout")) { if (!args[1]) goto bad; passargout= *(++args); } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*args,"-engine") == 0) { if (!args[1]) goto bad; engine= *(++args); } #endif else if (!strcmp (*args, "-in")) { if (args[1]) { args++; infile = *args; } else badarg = 1; } else if (!strcmp (*args, "-out")) { if (args[1]) { args++; outfile = *args; } else badarg = 1; } else badarg = 1; args++; } if (badarg) { bad: BIO_printf(bio_err, "Usage pkcs8 [options]\n"); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, "-in file input file\n"); BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); BIO_printf(bio_err, "-out file output file\n"); BIO_printf(bio_err, "-passout arg output file pass phrase source\n"); BIO_printf(bio_err, "-topk8 output PKCS8 file\n"); BIO_printf(bio_err, "-nooct use (nonstandard) no octet format\n"); BIO_printf(bio_err, "-embed use (nonstandard) embedded DSA parameters format\n"); BIO_printf(bio_err, "-nsdb use (nonstandard) DSA Netscape DB format\n"); BIO_printf(bio_err, "-iter count use count as iteration count\n"); BIO_printf(bio_err, "-noiter use 1 as iteration count\n"); BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n"); BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); #endif goto end; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC; if (infile) { if (!(in = BIO_new_file(infile, "rb"))) { BIO_printf(bio_err, "Can't open input file %s\n", infile); goto end; } } else in = BIO_new_fp (stdin, BIO_NOCLOSE); if (outfile) { if (!(out = BIO_new_file (outfile, "wb"))) { BIO_printf(bio_err, "Can't open output file %s\n", outfile); goto end; } } else { out = BIO_new_fp (stdout, BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } if (topk8) { pkey = load_key(bio_err, infile, informat, 1, passin, e, "key"); if (!pkey) goto end; if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) { BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); goto end; } if (nocrypt) { if (outformat == FORMAT_PEM) PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf); else if (outformat == FORMAT_ASN1) i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf); else { BIO_printf(bio_err, "Bad format specified for key\n"); goto end; } } else { if (passout) p8pass = passout; else { p8pass = pass; if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:"******"Error encrypting key\n"); ERR_print_errors(bio_err); goto end; } app_RAND_write_file(NULL, bio_err); if (outformat == FORMAT_PEM) PEM_write_bio_PKCS8(out, p8); else if (outformat == FORMAT_ASN1) i2d_PKCS8_bio(out, p8); else { BIO_printf(bio_err, "Bad format specified for key\n"); goto end; } } ret = 0; goto end; } if (nocrypt) { if (informat == FORMAT_PEM) p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL); else if (informat == FORMAT_ASN1) p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL); else { BIO_printf(bio_err, "Bad format specified for key\n"); goto end; } } else { if (informat == FORMAT_PEM) p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL); else if (informat == FORMAT_ASN1) p8 = d2i_PKCS8_bio(in, NULL); else { BIO_printf(bio_err, "Bad format specified for key\n"); goto end; } if (!p8) { BIO_printf (bio_err, "Error reading key\n"); ERR_print_errors(bio_err); goto end; } if (passin) p8pass = passin; else { p8pass = pass; EVP_read_pw_string(pass, sizeof pass, "Enter Password:"******"Error decrypting key\n"); ERR_print_errors(bio_err); goto end; } if (!(pkey = EVP_PKCS82PKEY(p8inf))) { BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); goto end; } if (p8inf->broken) { BIO_printf(bio_err, "Warning: broken key encoding: "); switch (p8inf->broken) { case PKCS8_NO_OCTET: BIO_printf(bio_err, "No Octet String in PrivateKey\n"); break; case PKCS8_EMBEDDED_PARAM: BIO_printf(bio_err, "DSA parameters included in PrivateKey\n"); break; case PKCS8_NS_DB: BIO_printf(bio_err, "DSA public key include in PrivateKey\n"); break; case PKCS8_NEG_PRIVKEY: BIO_printf(bio_err, "DSA private key value is negative\n"); break; default: BIO_printf(bio_err, "Unknown broken type\n"); break; } } if (outformat == FORMAT_PEM) PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout); else if (outformat == FORMAT_ASN1) i2d_PrivateKey_bio(out, pkey); else { BIO_printf(bio_err, "Bad format specified for key\n"); goto end; } ret = 0; end: X509_SIG_free(p8); PKCS8_PRIV_KEY_INFO_free(p8inf); EVP_PKEY_free(pkey); BIO_free_all(out); BIO_free(in); if (passin) OPENSSL_free(passin); if (passout) OPENSSL_free(passout); return ret; }