static X509 *
getcert(void)
{
/* Dummy code to make a quick-and-dirty valid certificate with
OpenSSL. Don't copy this code into your own program! It does a
number of things in a stupid and insecure way. */
X509 *x509 = NULL;
X509_NAME *name = NULL;
EVP_PKEY *key = getkey();
int nid;
time_t now = time(NULL);
tt_assert(key);
x509 = X509_new();
tt_assert(x509);
tt_assert(0 != X509_set_version(x509, 2));
tt_assert(0 != ASN1_INTEGER_set(X509_get_serialNumber(x509),
(long)now));
name = X509_NAME_new();
tt_assert(name);
nid = OBJ_txt2nid("commonName");
tt_assert(NID_undef != nid);
tt_assert(0 != X509_NAME_add_entry_by_NID(
name, nid, MBSTRING_ASC, (unsigned char*)"example.com",
-1, -1, 0));
X509_set_subject_name(x509, name);
X509_set_issuer_name(x509, name);
X509_time_adj(X509_get_notBefore(x509), 0, &now);
now += 3600;
X509_time_adj(X509_get_notAfter(x509), 0, &now);
X509_set_pubkey(x509, key);
tt_assert(0 != X509_sign(x509, key, EVP_sha1()));
return x509;
end:
X509_free(x509);
return NULL;
}
static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
X509_CRL *crl;
time_t sec;
sec = time_to_time_t(time);
GetX509CRL(self, crl);
if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
ossl_raise(eX509CRLError, NULL);
}
return time;
}
static VALUE
ossl_x509crl_set_next_update(VALUE self, VALUE time)
{
X509_CRL *crl;
time_t sec;
sec = time_to_time_t(time);
GetX509CRL(self, crl);
/* This must be some thinko in OpenSSL */
if (!(crl->crl->nextUpdate = X509_time_adj(crl->crl->nextUpdate, 0, &sec))){
ossl_raise(eX509CRLError, NULL);
}
return time;
}
DVT_STATUS CERTIFICATE_CLASS::generateFiles(LOG_CLASS* logger_ptr,
const char* signerCredentialsFile_ptr,
const char* credentialsPassword_ptr,
const char* keyPassword_ptr,
const char* keyFile_ptr,
const char* certificateFile_ptr)
// DESCRIPTION : Generate a certificate and key files from this class.
// PRECONDITIONS :
// POSTCONDITIONS :
// EXCEPTIONS :
// NOTES : If signerCredentialsFile_ptr is NULL, a self signed
// : certificate will be generated.
// :
// : Returns: MSG_OK, MSG_LIB_NOT_EXIST, MSG_FILE_NOT_EXIST,
// : MSG_ERROR, MSG_INVALID_PASSWORD
//<<===========================================================================
{
DVT_STATUS ret = MSG_ERROR;
unsigned long err;
OPENSSL_CLASS* openSsl_ptr;
BIO* caBio_ptr = NULL;
EVP_PKEY* caPrivateKey_ptr = NULL;
X509* caCertificate_ptr = NULL;
EVP_PKEY* key_ptr = NULL;
X509* cert_ptr = NULL;
X509_NAME* name_ptr;
time_t effectiveTime;
time_t expirationTime;
EVP_PKEY* tmpKey_ptr;
const EVP_MD *digest_ptr;
BIO* pkBio_ptr = NULL;
const EVP_CIPHER *cipher_ptr;
BIO* certBio_ptr = NULL;
// check for the existence of the OpenSSL DLLs
openSsl_ptr = OPENSSL_CLASS::getInstance();
if (openSsl_ptr == NULL)
{
return MSG_LIB_NOT_EXIST;
}
// clear the error queue
ERR_clear_error();
if (signerCredentialsFile_ptr != NULL)
{
// open the credentials file
caBio_ptr = BIO_new(BIO_s_file_internal());
if (caBio_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting up to read CA credentials file");
goto end;
}
if (BIO_read_filename(caBio_ptr, signerCredentialsFile_ptr) <= 0)
{
err = ERR_peek_error();
if ((ERR_GET_LIB(err) == ERR_LIB_SYS) && (ERR_GET_REASON(err) == ERROR_FILE_NOT_FOUND))
{
// file does not exist
ERR_clear_error(); // eat any errors
ret = MSG_FILE_NOT_EXIST;
}
else
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "opening CA credentials file for reading");
}
goto end;
}
// read the certificate authority's private key
caPrivateKey_ptr = PEM_read_bio_PrivateKey(caBio_ptr, NULL, NULL, (void*)credentialsPassword_ptr);
if (caPrivateKey_ptr == NULL)
{
err = ERR_peek_error();
if ((ERR_GET_LIB(err) == ERR_LIB_EVP) && (ERR_GET_REASON(err) == EVP_R_BAD_DECRYPT))
{
// bad password
ERR_clear_error(); // eat any errors
ret = MSG_INVALID_PASSWORD;
}
else
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "reading private key from CA credentials file");
}
goto end;
}
// read the certificate authority's certificate
caCertificate_ptr = PEM_read_bio_X509(caBio_ptr, NULL, NULL, (void*)credentialsPassword_ptr);
if (caCertificate_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "reading CA certificate from CA credentials file");
goto end;
}
}
// generate the new private/public key pair
if (signatureAlgorithmM.compare("RSA") == 0)
{
// RSA key
RSA* rsa_key;
rsa_key = RSA_generate_key(signatureKeyLengthM, RSA_3, NULL, 0);
if (rsa_key == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "generating RSA key");
goto end;
}
key_ptr = EVP_PKEY_new();
if (key_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "creating RSA key");
RSA_free(rsa_key);
goto end;
}
EVP_PKEY_assign_RSA(key_ptr, rsa_key);
}
else
{
// DSA key
DSA* dsa_key;
dsa_key = DSA_generate_parameters(signatureKeyLengthM, NULL, 0, NULL, NULL, NULL, 0);
if (dsa_key == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "generating DSA parameters");
goto end;
}
if (DSA_generate_key(dsa_key) == 0)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "generating DSA key");
DSA_free(dsa_key);
goto end;
}
key_ptr = EVP_PKEY_new();
if (key_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "creating DSA key");
DSA_free(dsa_key);
goto end;
}
EVP_PKEY_assign_DSA(key_ptr, dsa_key);
}
// create the certificate
cert_ptr = X509_new();
if (cert_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "creating certificate object");
goto end;
}
// version
if (X509_set_version(cert_ptr, (versionM - 1)) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting certificate version");
goto end;
}
// subject
name_ptr = openSsl_ptr->onelineName2Name(subjectM.c_str());
if (name_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "parsing owner name");
goto end;
}
if (X509_set_subject_name(cert_ptr, name_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting owner name in certificate");
goto end;
}
// issuer
if (signerCredentialsFile_ptr != NULL)
{
// CA signed
name_ptr = X509_get_subject_name(caCertificate_ptr);
if (name_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "getting name from CA certificate");
goto end;
}
if (X509_set_issuer_name(cert_ptr, name_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting issuer name in certificate");
goto end;
}
}
else
{
// self signed
name_ptr = X509_NAME_dup(name_ptr); // duplicate the name so it can be used again
if (name_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "duplicating owner name");
goto end;
}
if (X509_set_issuer_name(cert_ptr, name_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting issuer name in certificate");
goto end;
}
}
// public key
if (X509_set_pubkey(cert_ptr, key_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting public key in certificate");
goto end;
}
// valid dates
effectiveTime = mktime(&effectiveDateM);
expirationTime = mktime(&expirationDateM);
if ((X509_time_adj(X509_get_notBefore(cert_ptr), 0, &effectiveTime) == NULL) ||
(X509_time_adj(X509_get_notAfter(cert_ptr), 0, &expirationTime) == NULL))
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting valid dates in certificate");
goto end;
}
// serial number, use the current time_t
ASN1_INTEGER_set(X509_get_serialNumber(cert_ptr), (unsigned)time(NULL));
// sign the certificate
if (signerCredentialsFile_ptr != NULL)
{
// CA signed
tmpKey_ptr = caPrivateKey_ptr;
}
else
{
// self signed
tmpKey_ptr = key_ptr;
}
if (EVP_PKEY_type(tmpKey_ptr->type) == EVP_PKEY_RSA)
{
digest_ptr = EVP_sha1();
}
else if (EVP_PKEY_type(tmpKey_ptr->type) == EVP_PKEY_DSA)
{
digest_ptr = EVP_dss1();
}
else
{
if (logger_ptr)
{
logger_ptr->text(LOG_ERROR, 1, "Unsupported key type in CA private key");
}
goto end;
}
if (!X509_sign(cert_ptr, tmpKey_ptr, digest_ptr))
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "signing certificate");
goto end;
}
// write out the private key
// open the private key file
pkBio_ptr = BIO_new(BIO_s_file_internal());
if (pkBio_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting up to write private key file");
goto end;
}
if (BIO_write_filename(pkBio_ptr, (void *)keyFile_ptr) <= 0)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "opening to write private key file");
goto end;
}
if ((keyPassword_ptr != NULL) && (strlen(keyPassword_ptr) > 0))
{
// we have a password, use 3DES to encrypt the key
cipher_ptr = EVP_des_ede3_cbc();
}
else
{
// there is no password, don't encrypt the key
cipher_ptr = NULL;
}
// write out the private key
if (PEM_write_bio_PKCS8PrivateKey(pkBio_ptr, key_ptr, cipher_ptr,
NULL, 0, NULL, (void *)keyPassword_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "writing private key");
goto end;
}
// write the certificate file
// open the certificate file
certBio_ptr = BIO_new(BIO_s_file_internal());
if (certBio_ptr == NULL)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "setting up to write certificate file");
goto end;
}
if (BIO_write_filename(certBio_ptr, (void *)certificateFile_ptr) <= 0)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "opening to write certificate file");
goto end;
}
// write the new certificate
if (PEM_write_bio_X509(certBio_ptr, cert_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "writing certificate");
goto end;
}
// write the new certificate into the credential file
if (PEM_write_bio_X509(pkBio_ptr, cert_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "writing certificate");
goto end;
}
if (signerCredentialsFile_ptr != NULL)
{
// write the CA certificate
if (PEM_write_bio_X509(certBio_ptr, caCertificate_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "writing CA certificate");
goto end;
}
// loop reading certificates from the CA credentials file and writing them to the certificate file
X509_free(caCertificate_ptr);
while ((caCertificate_ptr = PEM_read_bio_X509(caBio_ptr, NULL, NULL, (void*)credentialsPassword_ptr)) != NULL)
{
// write the certificate
if (PEM_write_bio_X509(certBio_ptr, caCertificate_ptr) != 1)
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "writing certificate chain");
goto end;
}
X509_free(caCertificate_ptr);
}
// check the error
err = ERR_peek_error();
if ((ERR_GET_LIB(err) == ERR_LIB_PEM) && (ERR_GET_REASON(err) == PEM_R_NO_START_LINE))
{
// end of data - this is normal
ERR_clear_error();
}
else
{
openSsl_ptr->printError(logger_ptr, LOG_ERROR, "reading certificates from CA credentials file");
goto end;
}
}
ret = MSG_OK;
end:
if (certBio_ptr != NULL) BIO_free(certBio_ptr);
if (pkBio_ptr != NULL) BIO_free(pkBio_ptr);
if (cert_ptr != NULL) X509_free(cert_ptr);
if (key_ptr != NULL) EVP_PKEY_free(key_ptr);
if (caCertificate_ptr != NULL) X509_free(caCertificate_ptr);
if (caPrivateKey_ptr != NULL) EVP_PKEY_free(caPrivateKey_ptr);
if (caBio_ptr != NULL) BIO_free(caBio_ptr);
return ret;
}
/** Generate and sign an X509 certificate with the public key <b>rsa</b>,
* signed by the private key <b>rsa_sign</b>. The commonName of the
* certificate will be <b>cname</b>; the commonName of the issuer will be
* <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
* starting from now. Return a certificate on success, NULL on
* failure.
*/
static X509 *
tor_tls_create_certificate(crypto_pk_env_t *rsa,
crypto_pk_env_t *rsa_sign,
const char *cname,
const char *cname_sign,
unsigned int cert_lifetime)
{
time_t start_time, end_time;
EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
X509 *x509 = NULL;
X509_NAME *name = NULL, *name_issuer=NULL;
tor_tls_init();
start_time = time(NULL);
tor_assert(rsa);
tor_assert(cname);
tor_assert(rsa_sign);
tor_assert(cname_sign);
if (!(sign_pkey = _crypto_pk_env_get_evp_pkey(rsa_sign,1)))
goto error;
if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,0)))
goto error;
if (!(x509 = X509_new()))
goto error;
if (!(X509_set_version(x509, 2)))
goto error;
if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time)))
goto error;
if (!(name = tor_x509_name_new(cname)))
goto error;
if (!(X509_set_subject_name(x509, name)))
goto error;
if (!(name_issuer = tor_x509_name_new(cname_sign)))
goto error;
if (!(X509_set_issuer_name(x509, name_issuer)))
goto error;
if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
goto error;
end_time = start_time + cert_lifetime;
if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
goto error;
if (!X509_set_pubkey(x509, pkey))
goto error;
if (!X509_sign(x509, sign_pkey, EVP_sha1()))
goto error;
goto done;
error:
if (x509) {
X509_free(x509);
x509 = NULL;
}
done:
tls_log_errors(NULL, LOG_WARN, "generating certificate");
if (sign_pkey)
EVP_PKEY_free(sign_pkey);
if (pkey)
EVP_PKEY_free(pkey);
if (name)
X509_NAME_free(name);
if (name_issuer)
X509_NAME_free(name_issuer);
return x509;
}
void ssl_client_init()
{
/*
* This is twisted. We can generate the required keys by calling RSA_generate_key,
* however we cannot put the private part and the public part in the two containers.
* For that we need to save each part to a file and then load each part from
* the respective file.
*/
RSA *key = NULL;
key = RSA_generate_key(1024, 17, NULL, NULL);
if (!key)
{
correctly_initialized = false;
return;
}
char name_template_private[] = "/tmp/tls_test/mnopqrXXXXXX";
char name_template_public[] = "/tmp/tls_test/stuvwxXXXXXX";
int private_key_file = 0;
FILE *private_key_stream = NULL;
int ret = 0;
private_key_file = mkstemp(name_template_private);
if (private_key_file < 0)
{
correctly_initialized = false;
return;
}
private_key_stream = fdopen(private_key_file, "w+");
if (!private_key_stream)
{
correctly_initialized = false;
return;
}
ret = PEM_write_RSAPrivateKey(private_key_stream, key, NULL, NULL, 0, 0, NULL);
if (ret == 0)
{
correctly_initialized = false;
return;
}
fseek(private_key_stream, 0L, SEEK_SET);
PRIVKEY = PEM_read_RSAPrivateKey(private_key_stream, (RSA **)NULL, NULL, NULL);
if (!PRIVKEY)
{
correctly_initialized = false;
return;
}
fclose(private_key_stream);
int public_key_file = 0;
FILE *public_key_stream = NULL;
public_key_file = mkstemp(name_template_public);
if (public_key_file < 0)
{
correctly_initialized = false;
return;
}
public_key_stream = fdopen(public_key_file, "w+");
if (!public_key_stream)
{
correctly_initialized = false;
return;
}
ret = PEM_write_RSAPublicKey(public_key_stream, key);
if (ret == 0)
{
correctly_initialized = false;
return;
}
fseek(public_key_stream, 0L, SEEK_SET);
PUBKEY = PEM_read_RSAPublicKey(public_key_stream, (RSA **)NULL, NULL, NULL);
if (!PUBKEY)
{
correctly_initialized = false;
return;
}
fclose(public_key_stream);
RSA_free(key);
SSLCLIENTCONTEXT = SSL_CTX_new(SSLv23_client_method());
if (SSLCLIENTCONTEXT == NULL)
{
Log(LOG_LEVEL_ERR, "SSL_CTX_new: %s",
ERR_reason_error_string(ERR_get_error()));
goto err1;
}
/* Use only TLS v1 or later.
TODO option for SSL_OP_NO_TLSv{1,1_1} */
SSL_CTX_set_options(SSLCLIENTCONTEXT,
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/* Never bother with retransmissions, SSL_write() should
* always either write the whole amount or fail. */
SSL_CTX_set_mode(SSLCLIENTCONTEXT, SSL_MODE_AUTO_RETRY);
/*
* Create cert into memory and load it into SSL context.
*/
if (PRIVKEY == NULL || PUBKEY == NULL)
{
correctly_initialized = false;
return;
}
/* Generate self-signed cert valid from now to 50 years later. */
{
X509 *x509 = X509_new();
X509_gmtime_adj(X509_get_notBefore(x509), 0);
X509_time_adj(X509_get_notAfter(x509), 60*60*24*365*50, NULL);
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_set1_RSA(pkey, PRIVKEY);
X509_NAME *name = X509_get_subject_name(x509);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
(const char *) "",
-1, -1, 0);
X509_set_issuer_name(x509, name);
X509_set_pubkey(x509, pkey);
const EVP_MD *md = EVP_get_digestbyname("sha384");
if (md == NULL)
{
correctly_initialized = false;
return;
}
ret = X509_sign(x509, pkey, md);
EVP_PKEY_free(pkey);
SSLCLIENTCERT = x509;
if (ret <= 0)
{
Log(LOG_LEVEL_ERR,
"Couldn't sign the public key for the TLS handshake: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
}
/* Log(LOG_LEVEL_ERR, "generate cert from priv key: %s", */
/* ERR_reason_error_string(ERR_get_error())); */
SSL_CTX_use_certificate(SSLCLIENTCONTEXT, SSLCLIENTCERT);
ret = SSL_CTX_use_RSAPrivateKey(SSLCLIENTCONTEXT, PRIVKEY);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Failed to use RSA private key: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
/* Verify cert consistency. */
ret = SSL_CTX_check_private_key(SSLCLIENTCONTEXT);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Inconsistent key and TLS cert: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
/* Set options to always request a certificate from the peer, either we
* are client or server. */
SSL_CTX_set_verify(SSLCLIENTCONTEXT, SSL_VERIFY_PEER, NULL);
/* Always accept that certificate, we do proper checking after TLS
* connection is established since OpenSSL can't pass a connection
* specific pointer to the callback (so we would have to lock). */
SSL_CTX_set_cert_verify_callback(SSLCLIENTCONTEXT, TLSVerifyCallback, NULL);
correctly_initialized = true;
return;
err3:
X509_free(SSLCLIENTCERT);
SSLCLIENTCERT = NULL;
SSL_CTX_free(SSLCLIENTCONTEXT);
SSLCLIENTCONTEXT = NULL;
err1:
correctly_initialized = false;
return;
}
/**
* @warning Make sure you've called CryptoInitialize() first!
*/
bool ServerTLSInitialize()
{
int ret;
/* OpenSSL is needed for our new protocol over TLS. */
SSL_library_init();
SSL_load_error_strings();
assert(SSLSERVERCONTEXT == NULL);
SSLSERVERCONTEXT = SSL_CTX_new(SSLv23_server_method());
if (SSLSERVERCONTEXT == NULL)
{
Log(LOG_LEVEL_ERR, "SSL_CTX_new: %s",
ERR_reason_error_string(ERR_get_error()));
goto err1;
}
/* Use only TLS v1 or later.
TODO option for SSL_OP_NO_TLSv{1,1_1} */
SSL_CTX_set_options(SSLSERVERCONTEXT,
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/*
* CFEngine is not a web server so we don't need many ciphers. We only
* allow a safe but very common subset by default, extensible via
* "allowciphers" in body server control. By default allow:
* AES256-GCM-SHA384: most high-grade RSA-based cipher from TLSv1.2
* AES256-SHA: most backwards compatible but high-grade, from SSLv3
*/
const char *cipher_list = SV.allowciphers;
if (cipher_list == NULL)
cipher_list ="AES256-GCM-SHA384:AES256-SHA";
ret = SSL_CTX_set_cipher_list(SSLSERVERCONTEXT, cipher_list);
if (ret != 1)
{
Log(LOG_LEVEL_ERR,
"No valid ciphers in cipher list: %s",
cipher_list);
}
/* Never bother with retransmissions, SSL_write() should
* always either write the whole amount or fail. */
SSL_CTX_set_mode(SSLSERVERCONTEXT, SSL_MODE_AUTO_RETRY);
/*
* Create cert into memory and load it into SSL context.
*/
if (PRIVKEY == NULL || PUBKEY == NULL)
{
Log(LOG_LEVEL_ERR,
"No public/private key pair is loaded, create one with cf-key");
goto err2;
}
assert(SSLSERVERCERT == NULL);
/* Generate self-signed cert valid from now to 50 years later. */
{
X509 *x509 = X509_new();
X509_gmtime_adj(X509_get_notBefore(x509), 0);
X509_time_adj(X509_get_notAfter(x509), 60*60*24*365*50, NULL);
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_set1_RSA(pkey, PRIVKEY);
X509_NAME *name = X509_get_subject_name(x509);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
(const char *) "",
-1, -1, 0);
X509_set_issuer_name(x509, name);
X509_set_pubkey(x509, pkey);
const EVP_MD *md = EVP_get_digestbyname("sha384");
if (md == NULL)
{
Log(LOG_LEVEL_ERR, "Uknown digest algorithm %s",
"sha384");
return false;
}
ret = X509_sign(x509, pkey, md);
EVP_PKEY_free(pkey);
SSLSERVERCERT = x509;
if (ret <= 0)
{
Log(LOG_LEVEL_ERR,
"Couldn't sign the public key for the TLS handshake: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
}
SSL_CTX_use_certificate(SSLSERVERCONTEXT, SSLSERVERCERT);
ret = SSL_CTX_use_RSAPrivateKey(SSLSERVERCONTEXT, PRIVKEY);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Failed to use RSA private key: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
/* Verify cert consistency. */
ret = SSL_CTX_check_private_key(SSLSERVERCONTEXT);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Inconsistent key and TLS cert: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
/* Set options to always request a certificate from the peer, either we
* are client or server. */
SSL_CTX_set_verify(SSLSERVERCONTEXT, SSL_VERIFY_PEER, NULL);
/* Always accept that certificate, we do proper checking after TLS
* connection is established since OpenSSL can't pass a connection
* specific pointer to the callback (so we would have to lock). */
SSL_CTX_set_cert_verify_callback(SSLSERVERCONTEXT, TLSVerifyCallback, NULL);
return true;
err3:
X509_free(SSLSERVERCERT);
SSLSERVERCERT = NULL;
err2:
SSL_CTX_free(SSLSERVERCONTEXT);
SSLSERVERCONTEXT = NULL;
err1:
return false;
}
