C++ (Cpp) SSL_get_verify_result Examples

Example #1

File: ssl.c Project: N0NB/aprx

int ssl_validate_peer_cert_phase1(struct client_t *c)
{
	X509 *cert;
	
	int rc = SSL_get_verify_result(c->ssl_con->connection);
	
	if (rc != X509_V_OK) {
		/* client gave a certificate, but it's not valid */
		hlog(LOG_DEBUG, "%s/%s: Peer SSL certificate verification error %d: %s",
			c->addr_rem, c->username, rc, X509_verify_cert_error_string(rc));
		c->ssl_con->ssl_err_code = rc;
		return SSL_VALIDATE_CLIENT_CERT_UNVERIFIED;
	}
	
	cert = SSL_get_peer_certificate(c->ssl_con->connection);
	
	if (cert == NULL) {
		/* client did not give a certificate */
		return SSL_VALIDATE_NO_CLIENT_CERT;
	}
	
	X509_free(cert);
	
	return 0;
}

Example #2

File: bio.c Project: davidhoover/kent

int check_cert(SSL *ssl, char *host)
{
X509 *peer;
char peer_CN[256];

int verifyResult = SSL_get_verify_result(ssl);
if (verifyResult != X509_V_OK)
    {
    fprintf(stderr,"Certificate doesn't verify, result=%d\n", verifyResult);
    return FALSE;
    }


/*Check the cert chain. The chain length
is automatically checked by OpenSSL when
we set the verify depth in the ctx */


/*Check the common name*/

peer=SSL_get_peer_certificate(ssl);

X509_NAME_get_text_by_NID( X509_get_subject_name(peer),
 NID_commonName, peer_CN, 256);

if (strcasecmp(peer_CN,host))
    {
    fprintf(stderr,"Common name %s doesn't match host name %s\n",peer_CN,host);
    return FALSE;
    }
    
return TRUE;
}

Example #3

File: SslClient.cpp Project: moxichang/libmo

void SslClient:: CheckCertification(const char *host_)
{
    X509 *peer;
    char peer_CN[256];

    int retval;

    // 校验对方证书
    if( (retval = SSL_get_verify_result(ssl_m)) != X509_V_OK)
    {
        char err_msg[128];
        sprintf(err_msg,"Certificate doesn't verify. Code: %d", retval);

        Throw(err_msg, MException::ME_INVARG);
    }

    // 校验域名与证书中的common name是否相同
    peer = SSL_get_peer_certificate(ssl_m);
    X509_NAME_get_text_by_NID( X509_get_subject_name(peer), NID_commonName, peer_CN, 256);

#ifdef SslClient_DEBUG
    printf("peer: %s\n", peer_CN);
    printf("host: %s\n", host_);
#endif

    // 默认为校验Common Name字段
    if(check_cname_m == true)
    {
        if(strcasecmp(peer_CN, host_))
        {
            Throw("Common name doesn't match hostname", MException::ME_INVARG);
        }
    }
}

Example #4

File: ssl_lib.cpp Project: wrtcoder/ssl-demo

void describeCertificates(SSL* ssl, bool isServer)
{
    // Resumed sessions don't necessarily have chains (not included in session ticket)
    X509 *cert = SSL_get_peer_certificate(ssl);
    if (cert == NULL) {
        fprintf(stderr,"No peer certificates.\n");
    } else {
        fprintf(stderr,"Peer certificates:\n");
        describeCertificate(0, cert);
        X509_free(cert);
        STACK_OF(X509) *certs = SSL_get_peer_cert_chain(ssl); // We don't have to free this apparently
        // Cached sessions may not have a chain
        if (certs != NULL) {
            // On server, chain doesn't include client certificate
            if (isServer) {
                for (int i = 0; i < sk_X509_num(certs); i++) {
                    describeCertificate(i+1, sk_X509_value(certs,i));
                }
            } else {
                for (int i = 1; i < sk_X509_num(certs); i++) {
                    describeCertificate(i, sk_X509_value(certs,i));
                }
            }
        }
        long verify_result = SSL_get_verify_result(ssl);
        if (verify_result == X509_V_OK) {
            fprintf(stderr,"Certificate OK\n");
        } else {
            // See 'man verify(1SSL)' for meanings of the codes
            fprintf(stderr,"Verification error %ld\n", verify_result);
            ERR_print_errors_fp(stderr);
        }
    }
}

Example #5

File: tls_openssl.c Project: apophys/libstrophe

int tls_start(tls_t *tls)
{
    int error;
    int ret;
    long x509_res;

    /* Since we're non-blocking, loop the connect call until it
       succeeds or fails */
    while (1) {
        ret = SSL_connect(tls->ssl);
        error = ret <= 0 ? SSL_get_error(tls->ssl, ret) : 0;

        if (ret == -1 && tls_is_recoverable(error)) {
            /* wait for something to happen on the sock before looping back */
            _tls_sock_wait(tls, error);
            continue;
        }

        /* success or fatal error */
        break;
    }

    x509_res = SSL_get_verify_result(tls->ssl);
    xmpp_debug(tls->ctx, "tls", "Certificate verification %s",
               x509_res == X509_V_OK ? "passed" : "FAILED");

    _tls_set_error(tls, error);
    return ret <= 0 ? 0 : 1;
}

Example #6

File: sslclient.c Project: andros-mendoza/socketsProgramming

int ShowCerts(SSL* ssl)
{   X509 *cert;
    char *line;
    int value;

    cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */
    if ( cert != NULL )
    {
        printf("Server certificates:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        free(line);       /* free the malloc'ed string */
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        
        if(SSL_get_verify_result(ssl) == X509_V_OK) {
            printf("client verification with SSL_get_verify_result() succeeded.\n");    
            value = 1;            
		} else{
            printf("client verification with SSL_get_verify_result() fail.\n");      
            value = 0;
		}
        
        free(line);       /* free the malloc'ed string */
        X509_free(cert);     /* free the malloc'ed certificate copy */
        return value;
    }
    else
        printf("No certificates.\n");
        
    return 0;
}

Example #7

File: tlsdate-helper.c Project: HorseloverFat/tlsdate

uint32_t
verify_signature (SSL *ssl, const char *hostname)
{
  long ssl_verify_result;
  X509 *certificate;

  certificate = SSL_get_peer_certificate(ssl);
  if (NULL == certificate)
  {
    die ("Getting certificate failed\n");
  }
  // In theory, we verify that the cert is valid
  ssl_verify_result = SSL_get_verify_result(ssl);
  switch (ssl_verify_result)
  {
  case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
  case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
    die ("certificate is self signed\n");
  case X509_V_OK:
    verb ("V: certificate verification passed\n");
    break;
  default:
    die ("certification verification error: %ld\n",
         ssl_verify_result);
  }
 return 0;
}

Example #8

File: ssl.c Project: horazont/luasec

/**
 * Return the verification state of the peer chain.
 */
static int meth_getpeerverification(lua_State *L)
{
  long err;
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
  if (ssl->state != LSEC_STATE_CONNECTED) {
    lua_pushboolean(L, 0);
    lua_pushstring(L, "closed");
    return 2;
  }
  err = SSL_get_verify_result(ssl->ssl);
  if (err == X509_V_OK) {
    lua_pushboolean(L, 1);
    return 1;
  }
  luaL_getmetatable(L, "SSL:Verify:Registry");
  lua_pushlightuserdata(L, (void*)ssl->ssl);
  lua_gettable(L, -2);
  if (lua_isnil(L, -1))
    lua_pushstring(L, X509_verify_cert_error_string(err));
  else {
    /* Copy the table of errors to avoid modifications */
    lua_newtable(L);
    copy_error_table(L, lua_gettop(L)-1, lua_gettop(L));
  }
  lua_pushboolean(L, 0);
  lua_pushvalue(L, -2);
  return 2;
}

Example #9

File: tls.c Project: ECE492W2014G4/G4Capstone

static inline int tls_check_cert(shout_tls_t *tls)
{
	X509 *cert = SSL_get_peer_certificate(tls->ssl);
	int cert_ok = 0;
	if (!cert)
		return SHOUTERR_TLSBADCERT;

	do {
		if (SSL_get_verify_result(tls->ssl) != X509_V_OK)
			break;

#ifdef XXX_HAVE_X509_check_host
		if (X509_check_host(cert, tls->host, 0, 0, NULL) != 1)
			break;
#else
		if (tls_check_host(cert, tls->host) != SHOUTERR_SUCCESS)
			break;
#endif

		/* ok, all test passed... */
		cert_ok = 1;
	} while (0);

	X509_free(cert);
	return cert_ok ? SHOUTERR_SUCCESS : SHOUTERR_TLSBADCERT;
}

Example #10

File: x509.c Project: PKRoma/libwebsockets

int
lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
		       union lws_tls_cert_info_results *buf, size_t len)
{
	int rc = 0;
	X509 *x509;

	wsi = lws_get_network_wsi(wsi);

	x509 = SSL_get_peer_certificate(wsi->tls.ssl);

	if (!x509) {
		lwsl_debug("no peer cert\n");

		return -1;
	}

	switch (type) {
	case LWS_TLS_CERT_INFO_VERIFIED:
		buf->verified = SSL_get_verify_result(wsi->tls.ssl) ==
					X509_V_OK;
		break;
	default:
		rc = lws_tls_openssl_cert_info(x509, type, buf, len);
	}

	X509_free(x509);

	return rc;
}

Example #11

File: ssl_slave.c Project: kymoon/pennmush

/** Called after the SSL connection and initial handshaking is complete. */
void
ssl_connected(struct conn *c)
{
  X509 *peer;
  SSL *ssl;

#if SSL_DEBUG_LEVEL > 0
  errputs(stdout,
          "SSL connection attempt completed. Resolving remote host name.");
  errprintf(stdout, "ssl_slave: ssl error code: %ld\n",
            bufferevent_get_openssl_error(c->remote_bev));
#endif

  bufferevent_set_timeouts(c->remote_bev, NULL, NULL);

  ssl = bufferevent_openssl_get_ssl(c->remote_bev);

  /* Successful accept. Log peer certificate, if any. */
  if ((peer = SSL_get_peer_certificate(ssl))) {
    if (SSL_get_verify_result(ssl) == X509_V_OK) {
      char buf[256];
      /* The client sent a certificate which verified OK */
      X509_NAME_oneline(X509_get_subject_name(peer), buf, 256);
      errprintf(stdout, "SSL client certificate accepted: %s\n", buf);
    }
  }

  c->state = C_HOSTNAME_LOOKUP;
  c->resolver_req =
    evdns_getnameinfo(resolver, &c->remote_addr.addr, 0, address_resolved, c);
}

Example #12

File: mini_ssl.c Project: 4rth4X/puma

void raise_error(SSL* ssl, int result) {
  char buf[512];
  char msg[512];
  const char* err_str;
  int err = errno;
  int ssl_err = SSL_get_error(ssl, result);
  int verify_err = SSL_get_verify_result(ssl);

  if(SSL_ERROR_SYSCALL == ssl_err) {
    snprintf(msg, sizeof(msg), "System error: %s - %d", strerror(err), err);

  } else if(SSL_ERROR_SSL == ssl_err) {
    if(X509_V_OK != verify_err) {
      err_str = X509_verify_cert_error_string(verify_err);
      snprintf(msg, sizeof(msg),
               "OpenSSL certificate verification error: %s - %d",
               err_str, verify_err);

    } else {
      err = ERR_get_error();
      ERR_error_string_n(err, buf, sizeof(buf));
      snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err);

    }
  } else {
    snprintf(msg, sizeof(msg), "Unknown OpenSSL error: %d", ssl_err);
  }

  ERR_clear_error();
  rb_raise(eError, "%s", msg);
}

Example #13

File: openssl.c Project: SuryanshSingh/charybdis

int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
	X509 *cert;
	int res;

	if (F->ssl == NULL)
		return 0;

	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	if(cert != NULL)
	{
		res = SSL_get_verify_result((SSL *) F->ssl);
		if(
			res == X509_V_OK ||
			res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
			res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
			res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
			res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
		{
			unsigned int certfp_length = RB_SSL_CERTFP_LEN;
			X509_digest(cert, EVP_sha1(), certfp, &certfp_length);
			X509_free(cert);
			return 1;
		}
		X509_free(cert);
	}

	return 0;
}

Example #14

File: ssl_server.c Project: warmlab/study

void *handle_connection(void *arg)
{
	char buf[1024];
	BIO *bio = (BIO *)arg;
	X509 *peer;
	SSL *ssl;

	BIO_get_ssl(bio, &ssl);

	if (BIO_do_handshake(bio) <= 0) {
		printf("Failed handshake.\n");
		ERR_print_errors_fp(stdout);
		return (void *)-1;
	}

	if ((peer = SSL_get_peer_certificate(ssl))) {
		if (SSL_get_verify_result(ssl) == X509_V_OK) {
			/* The client sent a certificate which verified OK */
			printf("The client sent a certificate which verified OK\n");
		} else {
			printf("The client sent a certificate which verified failed\n");
		}
	} else {
		fprintf(stderr, "cannot get peer certificate\n");
	}

	BIO_read(bio, buf, 1024);
	printf("Received: %s\n", buf);
	BIO_puts(bio, "Connection: Sending out Data on initial connection\n");
	printf("Sent out data on connection\n");

	BIO_free_all(bio);

	return (void *)0;
}

Example #15

File: server.c Project: metalriders/sockets

void ShowCerts(SSL* ssl)
{   X509 *cert;
    char *line;

    cert = SSL_get_peer_certificate(ssl); /* Get certificates (if available) */
    if ( cert != NULL )
    {
        printf("Client certificates:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        free(line);
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
     
		if(SSL_get_verify_result(ssl) == X509_V_OK) {
            printf("client verification with SSL_get_verify_result() succeeded.\n");                
		} else{
            printf("client verification with SSL_get_verify_result() fail.\n");      
		}
		
        free(line);
        X509_free(cert);
    }
    else
        printf("No certificates.\n");
}

Example #16

File: openssl.c Project: kamilion/charybdis

int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	int len = 0;
	X509 *cert;
	int res;

	if (F->ssl == NULL)
		return 0;

	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	if(cert == NULL)
		return 0;

	res = SSL_get_verify_result((SSL *) F->ssl);
	switch(res)
	{
	case X509_V_OK:
	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
	case X509_V_ERR_CERT_UNTRUSTED:
		len = make_certfp(cert, certfp, method);

	default:	/* to silence code inspectors */
		break;
	}

	X509_free(cert);
	return len;
}

Example #17

File: secure.cpp Project: darcyg/ucommon

secure::error_t secure::verify(session_t session, const char *peername)
{
    SSL *ssl = (SSL *)session;

    char peer_cn[256];

    if(SSL_get_verify_result(ssl) != X509_V_OK)
        return secure::INVALID_CERTIFICATE;

    if(!peername)
        return secure::OK;

    X509 *peer = SSL_get_peer_certificate(ssl);

    if(!peer)
        return secure::INVALID_PEERNAME;

    X509_NAME_get_text_by_NID(
        X509_get_subject_name(peer),
        NID_commonName, peer_cn, sizeof(peer_cn));
    if(!eq_case(peer_cn, peername))
        return secure::INVALID_PEERNAME;

    return secure::OK;
}

Example #18

File: rdkafka_transport.c Project: wujunjian/librdkafka

/**
 * Verify SSL handshake was valid.
 */
static int rd_kafka_transport_ssl_verify (rd_kafka_transport_t *rktrans) {
	long int rl;
	X509 *cert;

	cert = SSL_get_peer_certificate(rktrans->rktrans_ssl);
	X509_free(cert);
	if (!cert) {
		rd_kafka_broker_fail(rktrans->rktrans_rkb, LOG_ERR,
				     RD_KAFKA_RESP_ERR__SSL,
				     "Broker did not provide a certificate");
		return -1;
	}

	if ((rl = SSL_get_verify_result(rktrans->rktrans_ssl)) != X509_V_OK) {
		rd_kafka_broker_fail(rktrans->rktrans_rkb, LOG_ERR,
				     RD_KAFKA_RESP_ERR__SSL,
				     "Failed to verify broker certificate: %s",
				     X509_verify_cert_error_string(rl));
		return -1;
	}

	rd_rkb_dbg(rktrans->rktrans_rkb, SECURITY, "SSLVERIFY",
		   "Broker SSL certificate verified");
	return 0;
}

Example #19

File: openssl.c Project: Cloudxtreme/ircd-seven

int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
	X509 *cert;
	int res;

	if (F->ssl == NULL)
		return 0;

	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	if(cert != NULL)
	{
		res = SSL_get_verify_result((SSL *) F->ssl);
		if(res == X509_V_OK ||
				res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
				res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
				res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
		{
			memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
			return 1;
		}
		X509_free(cert);
	}

	return 0;
}

Example #20

static int new_client_session_cb(SSL *ssl, SSL_SESSION *session)
{
    const char *myname = "new_client_session_cb";
    TLS_SESS_STATE *TLScontext;
    VSTRING *session_data;

    /*
     * The cache name (if caching is enabled in tlsmgr(8)) and the cache ID
     * string for this session are stored in the TLScontext. It cannot be
     * null at this point.
     */
    if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
	msg_panic("%s: null TLScontext in new session callback", myname);

    /*
     * We only get here if the cache_type is not empty. This callback is not
     * set unless caching is enabled and the cache_type is stored in the
     * server SSL context.
     */
    if (TLScontext->cache_type == 0)
	msg_panic("%s: null session cache type in new session callback",
		  myname);

    if (TLScontext->log_mask & TLS_LOG_CACHE)
	/* serverid already contains namaddrport information */
	msg_info("save session %s to %s cache",
		 TLScontext->serverid, TLScontext->cache_type);

#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)

    /*
     * Ugly Hack: OpenSSL before 0.9.6a does not store the verify result in
     * sessions for the client side. We modify the session directly which is
     * version specific, but this bug is version specific, too.
     * 
     * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before beta1 have this
     * bug, it has been fixed during development of 0.9.6a. The development
     * version of 0.9.7 can have this bug, too. It has been fixed on
     * 2000/11/29.
     */
    session->verify_result = SSL_get_verify_result(TLScontext->con);
#endif

    /*
     * Passivate and save the session object. Errors are non-fatal, since
     * caching is only an optimization.
     */
    if ((session_data = tls_session_passivate(session)) != 0) {
	tls_mgr_update(TLScontext->cache_type, TLScontext->serverid,
		       STR(session_data), LEN(session_data));
	vstring_free(session_data);
    }

    /*
     * Clean up.
     */
    SSL_SESSION_free(session);			/* 200502 */

    return (1);
}

Example #21

File: nsd-control.c Project: jaredmcneill/netbsd-src

/** setup SSL on the connection */
static SSL*
setup_ssl(SSL_CTX* ctx, int fd)
{
	SSL* ssl;
	X509* x;
	int r;

	if(!ctx) return NULL;
	ssl = SSL_new(ctx);
	if(!ssl)
		ssl_err("could not SSL_new");
	SSL_set_connect_state(ssl);
	(void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
	if(!SSL_set_fd(ssl, fd))
		ssl_err("could not SSL_set_fd");
	while(1) {
		ERR_clear_error();
		if( (r=SSL_do_handshake(ssl)) == 1)
			break;
		r = SSL_get_error(ssl, r);
		if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE)
			ssl_err("SSL handshake failed");
		/* wants to be called again */
	}

	/* check authenticity of server */
	if(SSL_get_verify_result(ssl) != X509_V_OK)
		ssl_err("SSL verification failed");
	x = SSL_get_peer_certificate(ssl);
	if(!x)
		ssl_err("Server presented no peer certificate");
	X509_free(x);
	return ssl;
}

Example #22

File: tls.c Project: SiteView/UDT-Core-Interface

/**
 * Verify peer certificate of a TLS connection
 *
 * @param tc      TLS Connection
 * @param cn      Returned common name
 * @param cn_size Size of cn string
 *
 * @return 0 if success, otherwise errorcode
 */
int tls_verify_cert(struct tls_conn *tc, char *cn, size_t cn_size)
{
	X509 *peer;

	if (!tc || !cn || !cn_size)
		return EINVAL;

	/* Check the cert chain. The chain length
	   is automatically checked by OpenSSL when
	   we set the verify depth in the ctx */

	peer = SSL_get_peer_certificate(tc->ssl);
	if (!peer) {
		DEBUG_WARNING("Unable to get peer certificate\n");
		return EPROTO;
	}

	/* Get the common name */
	X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
				  NID_commonName, cn, (int)cn_size);

	/* todo get valid start/end date */


	if (SSL_get_verify_result(tc->ssl) != X509_V_OK) {
		DEBUG_WARNING("Certificate doesn't verify\n");
		return EPROTO;
	}

	return 0;
}

Example #23

File: SslConnection.C Project: LifeGo/wt

void SslConnection::handleHandshake(const asio_error_code& error)
{
  SSL* ssl = 0;
#if BOOST_VERSION >= 104700
  ssl = socket_.native_handle();
#else //BOOST_VERSION < 104700
  if(socket_.impl())
    ssl = socket_.impl()->ssl;
#endif //BOOST_VERSION >= 104700

  if (!error) {
    Connection::start();
    // ssl handle must be registered after calling start(), since start()
    // resets the structs
    registerSslHandle(ssl);
  } else {
    long sslState = SSL_get_verify_result(ssl);
    if (sslState != X509_V_OK) {
      LOG_INFO("OpenSSL error: " 
	       << X509_verify_cert_error_string(sslState));
    }

    LOG_INFO("SSL handshake error: " << error.message());
    ConnectionManager_.stop(shared_from_this());
  }
}

Example #24

File: sslcls.c Project: dest-unreach/socat2

long sycSSL_get_verify_result(SSL *ssl) {
   long result;
   Debug1("SSL_get_verify_result(%p)", ssl);
   result = SSL_get_verify_result(ssl);
   Debug1("SSL_get_verify_result() -> %lx", result);
   return result;
}

Example #25

File: tls.cpp Project: 151706061/DVTK-1

long TLS_SOCKET_CLASS::postConnectionCheck(SSL* ssl_ptr)

//  DESCRIPTION     : Performs checks after the connection is made to insure all is well.
//  PRECONDITIONS   :
//  POSTCONDITIONS  :
//  EXCEPTIONS      : 
//  NOTES           : 
//<<===========================================================================
{
	long result;

	if (checkRemoteCertificateM)
	{
		X509* cert_ptr;

		// No error will be generated by the OpenSSL library during the connection if the client 
		// does not send a certificate, even if one was requested.  We check here to make sure the 
		// certificate was sent if we required it.  If it was sent, OpenSSL will have verified it, 
		// so we don't need to do that here.  

		// Another thing that can be checked is to make sure that the certificate is for the node 
		// we think we are talking to, since the library will validate any certificate that is 
		// signed by a trusted Certificate Authority.  DVT does not perform this check since a 
		// failure here is not a connectivity problem but just a matter of getting the correct 
		// certificate installed on the unit under test.

		// To fully meet the IHE requirements, the certificate should be checked to make sure the 
		// sender is on a list of authorized nodes.  This is where that check would be performed.  
		// DVT does not support this functionality.

		// get the peer's certificate
		cert_ptr = SSL_get_peer_certificate(ssl_ptr);
		if (cert_ptr == NULL)
		{
			if (loggerM_ptr)
			{
				loggerM_ptr->text(LOG_ERROR, 1, "Secure Socket - Error peer certificate was not received");
			}

			return X509_V_ERR_APPLICATION_VERIFICATION;
		}
 
		X509_free(cert_ptr);

		// get the result of the OpenSSL verification
		result = SSL_get_verify_result(ssl_ptr);
		if (result != X509_V_OK)
		{
			openSslError("in post connection check");
		}

		return result;
	}
	else
	{
		// not checking remote certificates, nothing to do here
		return X509_V_OK;
	}
}

Example #26

File: as_tls.c Project: aerospike/aerospike-client-c

static void
log_verify_details(as_socket* sock)
{
	long vr = SSL_get_verify_result(sock->ssl);
	if (vr != X509_V_OK) {
		as_log_info("TLS verify result: %s", X509_verify_cert_error_string(vr));
	}
}

Example #27

File: tlsopensslbase.cpp Project: ForNeVeR/cthulhu-bot

  bool OpenSSLBase::handshake()
  {

    doTLSOperation( TLSHandshake );

    if( !m_secure )
      return true;

    int res = SSL_get_verify_result( m_ssl );
    if( res != X509_V_OK )
      m_certInfo.status = CertInvalid;
    else
      m_certInfo.status = CertOk;

    X509* peer = SSL_get_peer_certificate( m_ssl );
    if( peer )
    {
      char peer_CN[256];
      X509_NAME_get_text_by_NID( X509_get_issuer_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) );
      m_certInfo.issuer = peer_CN;
      X509_NAME_get_text_by_NID( X509_get_subject_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) );
      m_certInfo.server = peer_CN;
      m_certInfo.date_from = openSSLTime2UnixTime( (char*) (peer->cert_info->validity->notBefore->data) );
      m_certInfo.date_to = openSSLTime2UnixTime( (char*) (peer->cert_info->validity->notAfter->data) );
      std::string p( peer_CN );
      std::transform( p.begin(), p.end(), p.begin(), tolower );
      if( p != m_server )
        m_certInfo.status |= CertWrongPeer;

      if( ASN1_UTCTIME_cmp_time_t( X509_get_notBefore( peer ), time( 0 ) ) != -1 )
        m_certInfo.status |= CertNotActive;

      if( ASN1_UTCTIME_cmp_time_t( X509_get_notAfter( peer ), time( 0 ) ) != 1 )
        m_certInfo.status |= CertExpired;
    }
    else
    {
      m_certInfo.status = CertInvalid;
    }

    const char* tmp;
    tmp = SSL_get_cipher_name( m_ssl );
    if( tmp )
      m_certInfo.cipher = tmp;

    tmp = SSL_get_cipher_version( m_ssl );
    if( tmp )
      m_certInfo.protocol = tmp;

    tmp = SSL_COMP_get_name( SSL_get_current_compression( m_ssl ) );
    if( tmp )
      m_certInfo.compression = tmp;

    m_valid = true;

    m_handler->handleHandshakeResult( this, true, m_certInfo );
    return true;
  }

Example #28

File: bio.c Project: NEXUS1000/Linux-learning

int main() 
{
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    OpenSSL_add_all_algorithms();
    
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
    if (ctx == NULL) {
        printf("SSL_CTX_new err func:%s\n reaseon:%s", ERR_func_error_string(ERR_get_error()),
               ERR_reason_error_string(ERR_get_error()));
        exit(1);
    }

    //加载可信任证书库
    if (0 == SSL_CTX_load_verify_locations(ctx, "./push_cer.pem", NULL)) {
        printf("err func:%s\n reaseon:%s", ERR_func_error_string(ERR_get_error()),
               ERR_reason_error_string(ERR_get_error()));
        ERR_print_errors_fp(stdout);
        exit(1);
    }

    //set BIO
    BIO *bio = BIO_new_ssl_connect(ctx);
    if (bio == NULL) {
        printf("err func:%s\n", ERR_func_error_string(ERR_get_error()));
        ERR_print_errors_fp(stdout);
        exit(1);
    }

    SSL *ssl;
    BIO_get_ssl(bio, &ssl);
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

    //open safe connect
    BIO_set_conn_hostname(bio, "gateway.sandbox.push.apple.com:2195");

    //verify connect ok
    if (BIO_do_connect(bio) <= 0) {
        ERR_print_errors_fp(stdout);
        exit(1);
    }

    if (SSL_get_verify_result(ssl) != X509_V_OK) {
        printf("SSL_get_verify_result not success\n");
    }

    char buf[MAXBUF];
    char *json = "{\"aps\":{\"badge\":123}}";
    sendPayload(bio, token, json, strlen(json));
    int ret = BIO_read(bio, buf, MAXBUF);
    if (ret <= 0) {
        printf("BIO_read return 0\n");
    }

    SSL_CTX_free(ctx);
    BIO_free_all(bio);
    return 0;
}

Example #29

File: openssl.c Project: 1100101/inadyn

int ssl_open(http_t *client, char *msg)
{
	char buf[256];
	const char *sn;
	X509 *cert;

	if (!client->ssl_enabled)
		return tcp_init(&client->tcp, msg);

	tcp_set_port(&client->tcp, HTTPS_DEFAULT_PORT);
	DO(tcp_init(&client->tcp, msg));

	logit(LOG_INFO, "%s, initiating HTTPS ...", msg);
	client->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
	if (!client->ssl_ctx)
		return RC_HTTPS_OUT_OF_MEMORY;

	/* POODLE, only allow TLSv1.x or later */
	SSL_CTX_set_options(client->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);

	SSL_CTX_set_verify(client->ssl_ctx, SSL_VERIFY_PEER, verify_callback);
	SSL_CTX_set_verify_depth(client->ssl_ctx, 150);

	/* Try to figure out location of trusted CA certs on system */
	if (ssl_set_ca_location(client))
		return RC_HTTPS_NO_TRUSTED_CA_STORE;

	client->ssl = SSL_new(client->ssl_ctx);
	if (!client->ssl)
		return RC_HTTPS_OUT_OF_MEMORY;

	/* SSL SNI support: tell the servername we want to speak to */
	http_get_remote_name(client, &sn);
	if (!SSL_set_tlsext_host_name(client->ssl, sn))
		return RC_HTTPS_SNI_ERROR;

	SSL_set_fd(client->ssl, client->tcp.ip.socket);
	if (-1 == SSL_connect(client->ssl))
		return RC_HTTPS_FAILED_CONNECT;

	logit(LOG_INFO, "SSL connection using %s", SSL_get_cipher(client->ssl));

	cert = SSL_get_peer_certificate(client->ssl);
	if (!cert)
		return RC_HTTPS_FAILED_GETTING_CERT;

	if (SSL_get_verify_result(client->ssl) == X509_V_OK)
		logit(LOG_DEBUG, "Certificate OK");

	X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
	logit(LOG_INFO, "SSL server cert subject: %s", buf);
	X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
	logit(LOG_INFO, "SSL server cert issuer: %s", buf);

	X509_free(cert);

	return 0;
}

Example #30

File: OpenSSLContext.cpp Project: smuralireddy/swift

boost::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const {
	int verifyResult = SSL_get_verify_result(handle_);
	if (verifyResult != X509_V_OK) {
		return boost::make_shared<CertificateVerificationError>(getVerificationErrorTypeForResult(verifyResult));
	}
	else {
		return boost::shared_ptr<CertificateVerificationError>();
	}
}