gnutls_session
initialize_tls_session (int sd, char* CN)
{
int ret;
gnutls_session session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_set_default_priority (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
gnutls_dh_set_prime_bits (session, DH_BITS);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr) GINT_TO_POINTER(sd));
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
quorum_log(LOG_WARNING,"handshake failed");
return NULL;
}
if (verify_certificate(session,CN) < 0) {
return NULL;
}
return session;
}
gnutls_session
initialize_tls_session (int sd)
{
int ret;
gnutls_session session;
const int cert_type_priority[2] = { GNUTLS_CRT_X509,0};
gnutls_init (&session, GNUTLS_CLIENT);
gnutls_set_default_priority (session);
gnutls_certificate_type_set_priority (session, cert_type_priority);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr) GINT_TO_POINTER(sd));
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
return NULL;
}
verify_certificate(session);
return session;
}
static void real_start_verification(HevImpathyTLSVerifier *self)
{
HevImpathyTLSVerifierPrivate *priv =
HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self);
gnutls_x509_crt_t first_cert = 0, last_cert = 0;
gint idx = 0;
gboolean res = FALSE;
gint num_certs = 0;
TpTLSCertificateRejectReason reason =
TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);
/* check if the certificate matches the hostname first. */
first_cert = g_ptr_array_index(priv->cert_chain, 0);
if(0 == gnutls_x509_crt_check_hostname(first_cert, priv->hostname))
{
gchar *certified_hostname = NULL;
reason = TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH;
certified_hostname =
(gchar *)hev_impathy_get_x509_certificate_hostname(first_cert);
tp_asv_set_string(priv->details,
"expected-hostname", priv->hostname);
tp_asv_set_string(priv->details,
"certificate-hostname", certified_hostname);
g_free(certified_hostname);
goto out;
}
num_certs = priv->cert_chain->len;
if(0 < priv->trusted_ca_list->len)
{
/* if the last certificate is self-signed, and we have a list of
* trusted CAs, ignore it, as we want to check the chain against our
* trusted CAs list first.
* if we have only one certificate in the chain, don't ignore it though,
* as it's the CA certificate itself.
*/
last_cert = g_ptr_array_index(priv->cert_chain, num_certs - 1);
if((0<gnutls_x509_crt_check_issuer(last_cert, last_cert)) &&
(1<num_certs))
num_certs --;
}
for (idx = 1; idx < num_certs; idx++)
{
res = verify_certificate(self,
g_ptr_array_index(priv->cert_chain, idx-1),
g_ptr_array_index(priv->cert_chain, idx), &reason);
if(!res)
{
abort_verification(self, reason);
return;
}
}
res = verify_last_certificate(self,
g_ptr_array_index(priv->cert_chain,
num_certs - 1), &reason);
out:
if(!res)
{
abort_verification(self, reason);
return;
}
complete_verification(self);
}
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int i, rv;
const char *user = NULL;
char *password;
unsigned int slot_num = 0;
int is_a_screen_saver = 0;
struct configuration_st *configuration;
int pkcs11_pam_fail = PAM_AUTHINFO_UNAVAIL;
pkcs11_handle_t *ph;
cert_object_t *chosen_cert = NULL;
cert_object_t **cert_list;
int ncert;
unsigned char random_value[128];
unsigned char *signature;
unsigned long signature_length;
/* enough space to hold an issuer DN */
char env_temp[256] = "";
char **issuer, **serial;
const char *login_token_name = NULL;
pam_prompt(pamh, PAM_TEXT_INFO , NULL, _("Smartcard authentication starts"));
/* first of all check whether debugging should be enabled */
for (i = 0; i < argc; i++)
if (strcmp("debug", argv[i]) == 0) {
set_debug_level(1);
}
/* call configure routines */
configuration = pk_configure(argc,argv);
if (!configuration ) {
ERR("Error setting configuration parameters");
return PAM_AUTHINFO_UNAVAIL;
}
/* Either slot_description or slot_num, but not both, needs to be used */
if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) {
ERR("Error setting configuration parameters");
return PAM_AUTHINFO_UNAVAIL;
}
/* fail if we are using a remote server
* local login: DISPLAY=:0
* XDMCP login: DISPLAY=host:0 */
{
char *display = getenv("DISPLAY");
if (display)
{
if (strncmp(display, "localhost:", 10) != 0 && (display[0] != ':')
&& (display[0] != '\0')) {
ERR1("Remote login (from %s) is not (yet) supported", display);
pam_syslog(pamh, LOG_ERR,
"Remote login (from %s) is not (yet) supported", display);
return PAM_AUTHINFO_UNAVAIL;
}
}
}
#ifdef ENABLE_NLS
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, "/usr/share/locale");
textdomain(PACKAGE);
#endif
/* init openssl */
rv = crypto_init(&configuration->policy);
if (rv != 0) {
ERR("Failed to initialize crypto");
if (!configuration->quiet)
pam_syslog(pamh,LOG_ERR, "Failed to initialize crypto");
return PAM_AUTHINFO_UNAVAIL;
}
/*
* card_only means:
* 1) always get the userid from the certificate.
* 2) don't prompt for the user name if the card is present.
* 3) if the token is present, then we must use the cardAuth mechanism.
*
* wait_for_card means:
* 1) nothing if card_only isn't set
* 2) if logged in, block in pam conversation until the token used for login
* is inserted
* 3) if not logged in, block until a token that could be used for logging in
* is inserted
* right now, logged in means PKC11_LOGIN_TOKEN_NAME is set,
* but we could something else later (like set some per-user state in
* a pam session module keyed off uid)
*/
if (configuration->card_only) {
char *service;
if (configuration->screen_savers) {
DBG("Is it a screen saver?");
pam_get_item(pamh, PAM_SERVICE, &service);
for (i=0; configuration->screen_savers[i]; i++) {
if (strcmp(configuration->screen_savers[i], service) == 0) {
is_a_screen_saver = 1;
break;
}
}
}
pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;
/* look to see if username is already set */
pam_get_item(pamh, PAM_USER, &user);
if (user) {
DBG1("explicit username = [%s]", user);
}
} else {
rv = pam_get_item(pamh, PAM_USER, &user);
if (rv != PAM_SUCCESS || user == NULL || user[0] == '\0') {
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Please insert your %s or enter your username."),
_(configuration->token_type));
/* get user name */
rv = pam_get_user(pamh, &user, NULL);
if (rv != PAM_SUCCESS) {
pam_syslog(pamh, LOG_ERR,
"pam_get_user() failed %s", pam_strerror(pamh, rv));
return PAM_USER_UNKNOWN;
}
}
DBG1("username = [%s]", user);
}
login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
/* if we are using a screen saver, and we didn't log in using the smart card
* drop to the next pam module. */
if (is_a_screen_saver && !login_token_name) {
return PAM_IGNORE;
}
/* load pkcs #11 module */
DBG("loading pkcs #11 module...");
rv = load_pkcs11_module(configuration->pkcs11_modulepath, &ph);
if (rv != 0) {
ERR2("load_pkcs11_module() failed loading %s: %s",
configuration->pkcs11_modulepath, get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "load_pkcs11_module() failed loading %s: %s",
configuration->pkcs11_modulepath, get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2302: PKCS#11 module failed loading"));
sleep(configuration->err_display_time);
}
return PAM_AUTHINFO_UNAVAIL;
}
/* initialise pkcs #11 module */
DBG("initialising pkcs #11 module...");
rv = init_pkcs11_module(ph,configuration->support_threads);
if (rv != 0) {
release_pkcs11_module(ph);
ERR1("init_pkcs11_module() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "init_pkcs11_module() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2304: PKCS#11 module could not be initialized"));
sleep(configuration->err_display_time);
}
return PAM_AUTHINFO_UNAVAIL;
}
/* open pkcs #11 session */
if (configuration->slot_description != NULL) {
rv = find_slot_by_slotlabel_and_tokenlabel(ph,
configuration->slot_description, login_token_name, &slot_num);
} else if (configuration->slot_num != -1) {
rv = find_slot_by_number_and_label(ph, configuration->slot_num,
login_token_name, &slot_num);
}
if (rv != 0) {
ERR("no suitable token available");
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "no suitable token available");
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2306: No suitable token available"));
sleep(configuration->err_display_time);
}
if (!configuration->card_only) {
release_pkcs11_module(ph);
return PAM_AUTHINFO_UNAVAIL;
}
/* we must have a smart card, either because we've configured it as such,
* or because we used one to log in */
if (login_token_name || configuration->wait_for_card) {
if (login_token_name) {
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Please insert your smart card called \"%.32s\"."),
login_token_name);
} else {
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Please insert your smart card."));
}
if (configuration->slot_description != NULL) {
rv = wait_for_token_by_slotlabel(ph, configuration->slot_description,
login_token_name, &slot_num);
} else if (configuration->slot_num != -1) {
rv = wait_for_token(ph, configuration->slot_num,
login_token_name, &slot_num);
}
if (rv != 0) {
release_pkcs11_module(ph);
return pkcs11_pam_fail;
}
} else if (user) {
if (!configuration->quiet) {
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2308: No smartcard found"));
sleep(configuration->err_display_time);
}
/* we have a user and no smart card, go to the next pam module */
release_pkcs11_module(ph);
return PAM_AUTHINFO_UNAVAIL;
} else {
/* we haven't prompted for the user yet, get the user and see if
* the smart card has been inserted in the mean time */
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Please insert your %s or enter your username."),
_(configuration->token_type));
rv = pam_get_user(pamh, &user, NULL);
/* check one last time for the smart card before bouncing to the next
* module */
if (configuration->slot_description != NULL) {
rv = find_slot_by_slotlabel(ph, configuration->slot_description,
&slot_num);
} else if (configuration->slot_num != -1) {
rv = find_slot_by_number(ph, configuration->slot_num, &slot_num);
}
if (rv != 0) {
/* user gave us a user id and no smart card go to next module */
if (!configuration->quiet) {
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2310: No smartcard found"));
sleep(configuration->err_display_time);
}
release_pkcs11_module(ph);
return PAM_AUTHINFO_UNAVAIL;
}
}
} else {
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("%s found."), _(configuration->token_type));
}
rv = open_pkcs11_session(ph, slot_num);
if (rv != 0) {
ERR1("open_pkcs11_session() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "open_pkcs11_session() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2312: open PKCS#11 session failed"));
sleep(configuration->err_display_time);
}
release_pkcs11_module(ph);
return pkcs11_pam_fail;
}
rv = get_slot_login_required(ph);
if (rv == -1) {
ERR1("get_slot_login_required() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "get_slot_login_required() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2314: Slot login failed"));
sleep(configuration->err_display_time);
}
release_pkcs11_module(ph);
return pkcs11_pam_fail;
} else if (rv) {
/* get password */
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Welcome %.32s!"), get_slot_tokenlabel(ph));
/* no CKF_PROTECTED_AUTHENTICATION_PATH */
rv = get_slot_protected_authentication_path(ph);
if ((-1 == rv) || (0 == rv))
{
char password_prompt[128];
snprintf(password_prompt, sizeof(password_prompt), _("%s PIN: "), _(configuration->token_type));
if (configuration->use_first_pass) {
rv = pam_get_pwd(pamh, &password, NULL, PAM_AUTHTOK, 0);
} else if (configuration->try_first_pass) {
rv = pam_get_pwd(pamh, &password, password_prompt, PAM_AUTHTOK,
PAM_AUTHTOK);
} else {
rv = pam_get_pwd(pamh, &password, password_prompt, 0, PAM_AUTHTOK);
}
if (rv != PAM_SUCCESS) {
if (!configuration->quiet) {
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2316: password could not be read"));
sleep(configuration->err_display_time);
}
release_pkcs11_module(ph);
pam_syslog(pamh, LOG_ERR,
"pam_get_pwd() failed: %s", pam_strerror(pamh, rv));
return pkcs11_pam_fail;
}
#ifdef DEBUG_SHOW_PASSWORD
DBG1("password = [%s]", password);
#endif
/* check password length */
if (!configuration->nullok && strlen(password) == 0) {
release_pkcs11_module(ph);
memset(password, 0, strlen(password));
free(password);
pam_syslog(pamh, LOG_ERR,
"password length is zero but the 'nullok' argument was not defined.");
if (!configuration->quiet) {
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smartcard PIN not allowed."));
sleep(configuration->err_display_time);
}
return PAM_AUTH_ERR;
}
}
else
{
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Enter your %s PIN on the pinpad"), _(configuration->token_type));
/* use pin pad */
password = NULL;
}
/* call pkcs#11 login to ensure that the user is the real owner of the card
* we need to do thise before get_certificate_list because some tokens
* can not read their certificates until the token is authenticated */
rv = pkcs11_login(ph, password);
/* erase and free in-memory password data asap */
if (password)
{
memset(password, 0, strlen(password));
free(password);
}
if (rv != 0) {
ERR1("open_pkcs11_login() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "open_pkcs11_login() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smartcard PIN"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
}
cert_list = get_certificate_list(ph, &ncert);
if (rv<0) {
ERR1("get_certificate_list() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "get_certificate_list() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2322: No certificate found"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
/* load mapper modules */
load_mappers(configuration->ctx);
/* find a valid and matching certificates */
for (i = 0; i < ncert; i++) {
X509 *x509 = (X509 *)get_X509_certificate(cert_list[i]);
if (!x509 ) continue; /* sanity check */
DBG1("verifying the certificate #%d", i + 1);
if (!configuration->quiet) {
pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("verifying certificate"));
}
/* verify certificate (date, signature, CRL, ...) */
rv = verify_certificate(x509,&configuration->policy);
if (rv < 0) {
ERR1("verify_certificate() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR,
"verify_certificate() failed: %s", get_error());
switch (rv) {
case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
pam_prompt(pamh, PAM_ERROR_MSG , NULL,
_("Error 2324: Certificate has expired"));
break;
case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
pam_prompt(pamh, PAM_ERROR_MSG , NULL,
_("Error 2326: Certificate not yet valid"));
break;
case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
pam_prompt(pamh, PAM_ERROR_MSG , NULL,
_("Error 2328: Certificate signature invalid"));
break;
default:
pam_prompt(pamh, PAM_ERROR_MSG , NULL,
_("Error 2330: Certificate invalid"));
break;
}
sleep(configuration->err_display_time);
}
continue; /* try next certificate */
} else if (rv != 1) {
ERR1("verify_certificate() failed: %s", get_error());
continue; /* try next certificate */
}
/* CA and CRL verified, now check/find user */
if ( is_spaced_str(user) ) {
/*
if provided user is null or empty extract and set user
name from certificate
*/
DBG("Empty login: try to deduce from certificate");
user=find_user(x509);
if (!user) {
ERR2("find_user() failed: %s on cert #%d", get_error(),i+1);
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR,
"find_user() failed: %s on cert #%d",get_error(),i+1);
continue; /* try on next certificate */
} else {
DBG1("certificate is valid and matches user %s",user);
/* try to set up PAM user entry with evaluated value */
rv = pam_set_item(pamh, PAM_USER,(const void *)user);
if (rv != PAM_SUCCESS) {
ERR1("pam_set_item() failed %s", pam_strerror(pamh, rv));
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR,
"pam_set_item() failed %s", pam_strerror(pamh, rv));
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2332: setting PAM userentry failed"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
chosen_cert = cert_list[i];
break; /* end loop, as find user success */
}
} else {
/* User provided:
check whether the certificate matches the user */
rv = match_user(x509, user);
if (rv < 0) { /* match error; abort and return */
ERR1("match_user() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "match_user() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2334: No matching user"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
} else if (rv == 0) { /* match didn't success */
DBG("certificate is valid but does not match the user");
continue; /* try next certificate */
} else { /* match success */
DBG("certificate is valid and matches the user");
chosen_cert = cert_list[i];
break;
}
} /* if is_spaced string */
} /* for (i=0; i<ncerts; i++) */
/* now myCert points to our found certificate or null if no user found */
if (!chosen_cert) {
ERR("no valid certificate which meets all requirements found");
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR,
"no valid certificate which meets all requirements found");
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2336: No matching certificate found"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
/* if signature check is enforced, generate random data, sign and verify */
if (configuration->policy.signature_policy) {
pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
#ifdef notdef
rv = get_private_key(ph);
if (rv != 0) {
ERR1("get_private_key() failed: %s", get_error());
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR,
"get_private_key() failed: %s", get_error());
goto auth_failed_nopw;
}
#endif
/* read random value */
rv = get_random_value(random_value, sizeof(random_value));
if (rv != 0) {
ERR1("get_random_value() failed: %s", get_error());
if (!configuration->quiet){
pam_syslog(pamh, LOG_ERR, "get_random_value() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2338: Getting random value failed"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
/* sign random value */
signature = NULL;
rv = sign_value(ph, chosen_cert, random_value, sizeof(random_value),
&signature, &signature_length);
if (rv != 0) {
ERR1("sign_value() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "sign_value() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2340: Signing failed"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
/* verify the signature */
DBG("verifying signature...");
rv = verify_signature((X509 *)get_X509_certificate(chosen_cert),
random_value, sizeof(random_value), signature, signature_length);
if (signature != NULL) {
free(signature);
}
if (rv != 0) {
close_pkcs11_session(ph);
release_pkcs11_module(ph);
ERR1("verify_signature() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "verify_signature() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2342: Verifying signature failed"));
sleep(configuration->err_display_time);
}
return PAM_AUTH_ERR;
}
} else {
DBG("Skipping signature check");
}
/*
* fill in the environment variables.
*/
snprintf(env_temp, sizeof(env_temp) - 1,
"PKCS11_LOGIN_TOKEN_NAME=%.*s",
(int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_TOKEN_NAME=")),
get_slot_tokenlabel(ph));
rv = pam_putenv(pamh, env_temp);
if (rv != PAM_SUCCESS) {
ERR1("could not put token name in environment: %s",
pam_strerror(pamh, rv));
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "could not put token name in environment: %s",
pam_strerror(pamh, rv));
}
issuer = cert_info((X509 *)get_X509_certificate(chosen_cert), CERT_ISSUER,
ALGORITHM_NULL);
if (issuer) {
snprintf(env_temp, sizeof(env_temp) - 1,
"PKCS11_LOGIN_CERT_ISSUER=%.*s",
(int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_ISSUER=")),
issuer[0]);
rv = pam_putenv(pamh, env_temp);
} else {
ERR("couldn't get certificate issuer.");
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "couldn't get certificate issuer.");
}
if (rv != PAM_SUCCESS) {
ERR1("could not put cert issuer in environment: %s",
pam_strerror(pamh, rv));
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "could not put cert issuer in environment: %s",
pam_strerror(pamh, rv));
}
serial = cert_info((X509 *)get_X509_certificate(chosen_cert), CERT_SERIAL,
ALGORITHM_NULL);
if (serial) {
snprintf(env_temp, sizeof(env_temp) - 1,
"PKCS11_LOGIN_CERT_SERIAL=%.*s",
(int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_SERIAL=")),
serial[0]);
rv = pam_putenv(pamh, env_temp);
} else {
ERR("couldn't get certificate serial number.");
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "couldn't get certificate serial number.");
}
if (rv != PAM_SUCCESS) {
ERR1("could not put cert serial in environment: %s",
pam_strerror(pamh, rv));
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "could not put cert serial in environment: %s",
pam_strerror(pamh, rv));
}
/* unload mapper modules */
unload_mappers();
/* close pkcs #11 session */
rv = close_pkcs11_session(ph);
if (rv != 0) {
release_pkcs11_module(ph);
ERR1("close_pkcs11_session() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "close_pkcs11_module() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, ("Error 2344: Closing PKCS#11 session failed"));
sleep(configuration->err_display_time);
}
return pkcs11_pam_fail;
}
/* release pkcs #11 module */
DBG("releasing pkcs #11 module...");
release_pkcs11_module(ph);
DBG("authentication succeeded");
return PAM_SUCCESS;
/* quick and dirty fail exit point */
memset(password, 0, strlen(password));
free(password); /* erase and free in-memory password data */
auth_failed_nopw:
unload_mappers();
close_pkcs11_session(ph);
release_pkcs11_module(ph);
return pkcs11_pam_fail;
}
void TLSClient::connect (const std::string& host, const std::string& port)
{
_host = host;
_port = port;
// Store the TLSClient instance, so that the verification callback can access
// it during the handshake below and call the verifcation method.
gnutls_session_set_ptr (_session, (void*) this);
// use IPv4 or IPv6, does not matter.
struct addrinfo hints {};
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_PASSIVE; // use my IP
struct addrinfo* res;
int ret = ::getaddrinfo (host.c_str (), port.c_str (), &hints, &res);
if (ret != 0)
throw std::string (::gai_strerror (ret));
// Try them all, stop on success.
struct addrinfo* p;
for (p = res; p != NULL; p = p->ai_next)
{
if ((_socket = ::socket (p->ai_family, p->ai_socktype, p->ai_protocol)) == -1)
continue;
// When a socket is closed, it remains unavailable for a while (netstat -an).
// Setting SO_REUSEADDR allows this program to assume control of a closed,
// but unavailable socket.
int on = 1;
if (::setsockopt (_socket,
SOL_SOCKET,
SO_REUSEADDR,
(const void*) &on,
sizeof (on)) == -1)
throw std::string (::strerror (errno));
if (::connect (_socket, p->ai_addr, p->ai_addrlen) == -1)
continue;
break;
}
free (res);
if (p == NULL)
throw format (STRING_CMD_SYNC_CONNECT, host, port);
#if GNUTLS_VERSION_NUMBER >= 0x030109
gnutls_transport_set_int (_session, _socket);
#else
gnutls_transport_set_ptr (_session, (gnutls_transport_ptr_t) (intptr_t) _socket);
#endif
// Perform the TLS handshake
do
{
ret = gnutls_handshake (_session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
throw format (STRING_CMD_SYNC_HANDSHAKE, gnutls_strerror (ret));
#if GNUTLS_VERSION_NUMBER < 0x02090a
// The automatic verification for the server certificate with
// gnutls_certificate_set_verify_function does only work with gnutls
// >=2.9.10. So with older versions we should call the verify function
// manually after the gnutls handshake.
ret = verify_certificate ();
if (ret < 0)
{
if (_debug)
std::cout << "c: ERROR Certificate verification failed.\n";
throw format (STRING_TLS_INIT_FAIL, gnutls_strerror (ret));
}
#endif
if (_debug)
{
#if GNUTLS_VERSION_NUMBER >= 0x03010a
char* desc = gnutls_session_get_desc (_session);
std::cout << "c: INFO Handshake was completed: " << desc << "\n";
gnutls_free (desc);
#else
std::cout << "c: INFO Handshake was completed.\n";
#endif
}
}
int main(int argc, const char **argv) {
int i, rv;
pkcs11_handle_t *ph;
struct configuration_st *configuration;
unsigned int slot_num = 0;
cert_object_t **certs;
int cert_count;
/* first of all check whether debugging should be enabled */
for (i = 0; i < argc; i++)
if (strcmp("debug", argv[i]) == 0) {
set_debug_level(1);
}
/* call configure routines */
configuration = pk_configure(argc - 1, argv + 1);
if (!configuration ) {
ERR("Error setting configuration parameters");
return 1;
}
if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) {
ERR("Error setting configuration parameters");
return 1;
}
/* init openssl */
rv = crypto_init(&configuration->policy);
if (rv != 0) {
DBG1("crypto_init() failed: %s", get_error());
return 1;
}
/* load pkcs #11 module */
DBG("loading pkcs #11 module...");
rv = load_pkcs11_module(configuration->pkcs11_modulepath, &ph);
if (rv != 0) {
ERR2("load_pkcs11_module(%s) failed: %s", configuration->pkcs11_modulepath,
get_error());
return 1;
}
/* initialise pkcs #11 module */
DBG("initialising pkcs #11 module...");
rv = init_pkcs11_module(ph,configuration->support_threads);
if (rv != 0) {
release_pkcs11_module(ph);
DBG1("init_pkcs11_module() failed: %s", get_error());
return 1;
}
/* open pkcs #11 session */
if (configuration->slot_description != NULL) {
rv = find_slot_by_slotlabel(ph, configuration->slot_description, &slot_num);
} else {
rv = find_slot_by_number(ph, configuration->slot_num, &slot_num);
}
if (rv != 0) {
release_pkcs11_module(ph);
DBG("no token available");
return 1;
}
rv = open_pkcs11_session(ph, slot_num);
if (rv != 0) {
release_pkcs11_module(ph);
ERR1("open_pkcs11_session() failed: %s", get_error());
return 1;
}
/* not really needed, but.... */
rv = pkcs11_pass_login(ph,configuration->nullok);
if (rv != 0) {
ERR1("pkcs11_pass_login() failed: %s", get_error());
return 2;
}
/* get certificate list (cert space is owned by ph) */
certs = get_certificate_list(ph, &cert_count);
if (certs == NULL) {
close_pkcs11_session(ph);
release_pkcs11_module(ph);
ERR1("get_certificates() failed: %s", get_error());
return 3;
}
/* load mapper modules */
load_mappers(configuration->ctx);
/* find valid certificates and look for contents */
DBG1("Found '%d' certificate(s)", cert_count);
for (i = 0; i < cert_count; i++) {
X509 *x509 = get_X509_certificate(certs[i]);
if (x509 != NULL) {
DBG1("verifying the certificate #%d", i + 1);
/* verify certificate (date, signature, CRL, ...) */
rv = verify_certificate(x509, &configuration->policy);
if (rv < 0) {
close_pkcs11_session(ph);
release_pkcs11_module(ph);
unload_mappers();
ERR1("verify_certificate() failed: %s", get_error());
return 1;
} else if (rv != 1) {
ERR1("verify_certificate() failed: %s", get_error());
continue;
}
DBG1("Inspecting certificate #%d",i+1);
inspect_certificate(x509);
}
}
/* unload mappers */
unload_mappers();
/* close pkcs #11 session */
rv = close_pkcs11_session(ph);
if (rv != 0) {
release_pkcs11_module(ph);
ERR1("close_pkcs11_session() failed: %s", get_error());
return 1;
}
/* release pkcs #11 module */
DBG("releasing pkcs #11 module...");
release_pkcs11_module(ph);
DBG("Process completed");
return 0;
}
int main(int argc, const char **argv) {
int i, rv;
char *user = NULL;
pkcs11_handle_t *ph;
struct configuration_st *configuration;
cert_object_t **certs;
int cert_count;
unsigned int slot_num = 0;
/* first of all check whether debugging should be enabled */
for (i = 0; i < argc; i++)
if (strcmp("debug", argv[i]) == 0) {
set_debug_level(1);
}
/* call configure routines */
configuration = pk_configure(argc - 1, argv + 1);
if (!configuration ) {
DBG("Error setting configuration parameters");
return 1;
}
if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) {
ERR("Error setting configuration parameters");
return 1;
}
/* init openssl */
rv = crypto_init(&configuration->policy);
if (rv != 0) {
DBG("Couldn't initialize crypto module ");
return 1;
}
/* load pkcs #11 module */
DBG("loading pkcs #11 module...");
rv = load_pkcs11_module(configuration->pkcs11_modulepath, &ph);
if (rv != 0) {
DBG1("load_pkcs11_module() failed: %s", get_error());
return 1;
}
/* initialise pkcs #11 module */
DBG("initialising pkcs #11 module...");
rv = init_pkcs11_module(ph,configuration->support_threads);
if (rv != 0) {
release_pkcs11_module(ph);
DBG1("init_pkcs11_module() failed: %s", get_error());
return 1;
}
/* open pkcs #11 session */
if (configuration->slot_description != NULL) {
rv = find_slot_by_slotlabel(ph,configuration->slot_description, &slot_num);
} else {
rv = find_slot_by_number(ph,configuration->slot_num, &slot_num);
}
if (rv != 0) {
release_pkcs11_module(ph);
DBG("no token available");
return 1;
}
rv = open_pkcs11_session(ph, slot_num);
if (rv != 0) {
release_pkcs11_module(ph);
DBG1("open_pkcs11_session() failed: %s", get_error());
return 1;
}
#ifdef HAVE_NSS
/* not really needed, but... */
rv = pkcs11_pass_login(ph,configuration->nullok);
if (rv != 0) {
DBG1("pkcs11_pass_login() failed: %s", get_error());
return 2;
}
#endif
/* get certificate list */
certs = get_certificate_list(ph, &cert_count);
if (certs == NULL) {
close_pkcs11_session(ph);
release_pkcs11_module(ph);
DBG1("get_certificate_list() failed: %s", get_error());
return 3;
}
/* load mapper modules */
load_mappers(configuration->ctx);
/* find a valid and matching certificates */
DBG1("Found '%d' certificate(s)", cert_count);
for (i = 0; i < cert_count; i++) {
X509 *x509 = get_X509_certificate(certs[i]);
if (x509 != NULL) {
DBG1("verifying the certificate #%d", i + 1);
/* verify certificate (date, signature, CRL, ...) */
rv = verify_certificate(x509,&configuration->policy);
if (rv < 0) {
close_pkcs11_session(ph);
release_pkcs11_module(ph);
unload_mappers();
DBG1("verify_certificate() failed: %s", get_error());
return 1;
} else if (rv != 1) {
DBG1("verify_certificate() failed: %s", get_error());
continue;
}
DBG("Trying to deduce login from certificate");
user=find_user(x509);
if (!user) {
DBG2("find_user() failed for certificate #%d: %s", i + 1, get_error());
continue; /* with next certificate */
} else {
DBG1("Certificate is valid and maps to user %s",user);
printf("%s\n",user);
break;
}
}
}
unload_mappers(); /* no longer needed */
/* close pkcs #11 session */
rv = close_pkcs11_session(ph);
if (rv != 0) {
release_pkcs11_module(ph);
DBG1("close_pkcs11_session() failed: %s", get_error());
return 1;
}
/* release pkcs #11 module */
DBG("releasing pkcs #11 module...");
release_pkcs11_module(ph);
DBG("Process completed");
return (!user)? 1:0;
}
static CURLcode
schannel_connect_step2(struct connectdata *conn, int sockindex)
{
int i;
ssize_t nread = -1, written = -1;
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SecBuffer outbuf[2];
SecBufferDesc outbuf_desc;
SecBuffer inbuf[2];
SecBufferDesc inbuf_desc;
SECURITY_STATUS sspi_status = SEC_E_OK;
TCHAR *host_name;
CURLcode code;
bool doread;
doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE;
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 2/3)\n",
conn->host.name, conn->remote_port);
/* buffer to store previously received and encrypted data */
if(connssl->encdata_buffer == NULL) {
connssl->encdata_offset = 0;
connssl->encdata_length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
connssl->encdata_buffer = malloc(connssl->encdata_length);
if(connssl->encdata_buffer == NULL) {
failf(data, "schannel: unable to allocate memory");
return CURLE_OUT_OF_MEMORY;
}
}
/* if we need a bigger buffer to read a full message, increase buffer now */
if(connssl->encdata_length - connssl->encdata_offset <
CURL_SCHANNEL_BUFFER_FREE_SIZE) {
/* increase internal encrypted data buffer */
connssl->encdata_length *= CURL_SCHANNEL_BUFFER_STEP_FACTOR;
connssl->encdata_buffer = realloc(connssl->encdata_buffer,
connssl->encdata_length);
if(connssl->encdata_buffer == NULL) {
failf(data, "schannel: unable to re-allocate memory");
return CURLE_OUT_OF_MEMORY;
}
}
for(;;) {
if(doread) {
/* read encrypted handshake data from socket */
code = Curl_read_plain(conn->sock[sockindex],
(char *) (connssl->encdata_buffer + connssl->encdata_offset),
connssl->encdata_length - connssl->encdata_offset,
&nread);
if(code == CURLE_AGAIN) {
if(connssl->connecting_state != ssl_connect_2_writing)
connssl->connecting_state = ssl_connect_2_reading;
infof(data, "schannel: failed to receive handshake, "
"need more data\n");
return CURLE_OK;
}
else if((code != CURLE_OK) || (nread == 0)) {
failf(data, "schannel: failed to receive handshake, "
"SSL/TLS connection failed");
return CURLE_SSL_CONNECT_ERROR;
}
/* increase encrypted data buffer offset */
connssl->encdata_offset += nread;
}
infof(data, "schannel: encrypted data buffer: offset %zu length %zu\n",
connssl->encdata_offset, connssl->encdata_length);
/* setup input buffers */
InitSecBuffer(&inbuf[0], SECBUFFER_TOKEN, malloc(connssl->encdata_offset),
curlx_uztoul(connssl->encdata_offset));
InitSecBuffer(&inbuf[1], SECBUFFER_EMPTY, NULL, 0);
InitSecBufferDesc(&inbuf_desc, inbuf, 2);
/* setup output buffers */
InitSecBuffer(&outbuf[0], SECBUFFER_TOKEN, NULL, 0);
InitSecBuffer(&outbuf[1], SECBUFFER_ALERT, NULL, 0);
InitSecBufferDesc(&outbuf_desc, outbuf, 2);
if(inbuf[0].pvBuffer == NULL) {
failf(data, "schannel: unable to allocate memory");
return CURLE_OUT_OF_MEMORY;
}
/* copy received handshake data into input buffer */
memcpy(inbuf[0].pvBuffer, connssl->encdata_buffer,
connssl->encdata_offset);
host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
/* http://msdn.microsoft.com/en-us/library/windows/desktop/aa375924.aspx */
sspi_status = s_pSecFn->InitializeSecurityContext(
&connssl->cred->cred_handle, &connssl->ctxt->ctxt_handle,
host_name, connssl->req_flags, 0, 0, &inbuf_desc, 0, NULL,
&outbuf_desc, &connssl->ret_flags, &connssl->ctxt->time_stamp);
Curl_unicodefree(host_name);
/* free buffer for received handshake data */
Curl_safefree(inbuf[0].pvBuffer);
/* check if the handshake was incomplete */
if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
connssl->connecting_state = ssl_connect_2_reading;
infof(data, "schannel: received incomplete message, need more data\n");
return CURLE_OK;
}
/* check if the handshake needs to be continued */
if(sspi_status == SEC_I_CONTINUE_NEEDED || sspi_status == SEC_E_OK) {
for(i = 0; i < 2; i++) {
/* search for handshake tokens that need to be send */
if(outbuf[i].BufferType == SECBUFFER_TOKEN && outbuf[i].cbBuffer > 0) {
infof(data, "schannel: sending next handshake data: "
"sending %lu bytes...\n", outbuf[i].cbBuffer);
/* send handshake token to server */
code = Curl_write_plain(conn, conn->sock[sockindex],
outbuf[i].pvBuffer, outbuf[i].cbBuffer,
&written);
if((code != CURLE_OK) || (outbuf[i].cbBuffer != (size_t)written)) {
failf(data, "schannel: failed to send next handshake data: "
"sent %zd of %lu bytes", written, outbuf[i].cbBuffer);
return CURLE_SSL_CONNECT_ERROR;
}
}
/* free obsolete buffer */
if(outbuf[i].pvBuffer != NULL) {
s_pSecFn->FreeContextBuffer(outbuf[i].pvBuffer);
}
}
}
else {
if(sspi_status == SEC_E_WRONG_PRINCIPAL)
failf(data, "schannel: SNI or certificate check failed: %s",
Curl_sspi_strerror(conn, sspi_status));
else
failf(data, "schannel: next InitializeSecurityContext failed: %s",
Curl_sspi_strerror(conn, sspi_status));
return CURLE_SSL_CONNECT_ERROR;
}
/* check if there was additional remaining encrypted data */
if(inbuf[1].BufferType == SECBUFFER_EXTRA && inbuf[1].cbBuffer > 0) {
infof(data, "schannel: encrypted data length: %lu\n", inbuf[1].cbBuffer);
/*
There are two cases where we could be getting extra data here:
1) If we're renegotiating a connection and the handshake is already
complete (from the server perspective), it can encrypted app data
(not handshake data) in an extra buffer at this point.
2) (sspi_status == SEC_I_CONTINUE_NEEDED) We are negotiating a
connection and this extra data is part of the handshake.
We should process the data immediately; waiting for the socket to
be ready may fail since the server is done sending handshake data.
*/
/* check if the remaining data is less than the total amount
and therefore begins after the already processed data */
if(connssl->encdata_offset > inbuf[1].cbBuffer) {
memmove(connssl->encdata_buffer,
(connssl->encdata_buffer + connssl->encdata_offset) -
inbuf[1].cbBuffer, inbuf[1].cbBuffer);
connssl->encdata_offset = inbuf[1].cbBuffer;
if(sspi_status == SEC_I_CONTINUE_NEEDED) {
doread = FALSE;
continue;
}
}
}
else {
connssl->encdata_offset = 0;
}
break;
}
/* check if the handshake needs to be continued */
if(sspi_status == SEC_I_CONTINUE_NEEDED) {
connssl->connecting_state = ssl_connect_2_reading;
return CURLE_OK;
}
/* check if the handshake is complete */
if(sspi_status == SEC_E_OK) {
connssl->connecting_state = ssl_connect_3;
infof(data, "schannel: SSL/TLS handshake complete\n");
}
#ifdef _WIN32_WCE
/* Windows CE doesn't do any server certificate validation.
We have to do it manually. */
if(data->set.ssl.verifypeer)
return verify_certificate(conn, sockindex);
#endif
return CURLE_OK;
}
static int esp_tls_low_level_conn(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls)
{
if (!tls) {
ESP_LOGE(TAG, "empty esp_tls parameter");
return -1;
}
/* These states are used to keep a tab on connection progress in case of non-blocking connect,
and in case of blocking connect these cases will get executed one after the other */
switch (tls->conn_state) {
case ESP_TLS_INIT:
;
int sockfd;
int ret = esp_tcp_connect(hostname, hostlen, port, &sockfd, cfg);
if (ret < 0) {
return -1;
}
tls->sockfd = sockfd;
if (!cfg) {
tls->read = tcp_read;
tls->write = tcp_write;
ESP_LOGD(TAG, "non-tls connection established");
return 1;
}
if (cfg->non_block) {
FD_ZERO(&tls->rset);
FD_SET(tls->sockfd, &tls->rset);
tls->wset = tls->rset;
}
tls->conn_state = ESP_TLS_CONNECTING;
/* falls through */
case ESP_TLS_CONNECTING:
if (cfg->non_block) {
ESP_LOGD(TAG, "connecting...");
struct timeval tv;
ms_to_timeval(cfg->timeout_ms, &tv);
/* In case of non-blocking I/O, we use the select() API to check whether
connection has been estbalished or not*/
if (select(tls->sockfd + 1, &tls->rset, &tls->wset, NULL,
cfg->timeout_ms ? &tv : NULL) == 0) {
ESP_LOGD(TAG, "select() timed out");
return 0;
}
if (FD_ISSET(tls->sockfd, &tls->rset) || FD_ISSET(tls->sockfd, &tls->wset)) {
int error;
unsigned int len = sizeof(error);
/* pending error check */
if (getsockopt(tls->sockfd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
ESP_LOGD(TAG, "Non blocking connect failed");
tls->conn_state = ESP_TLS_FAIL;
return -1;
}
}
}
/* By now, the connection has been established */
ret = create_ssl_handle(tls, hostname, hostlen, cfg);
if (ret != 0) {
ESP_LOGD(TAG, "create_ssl_handshake failed");
tls->conn_state = ESP_TLS_FAIL;
return -1;
}
tls->read = tls_read;
tls->write = tls_write;
tls->conn_state = ESP_TLS_HANDSHAKE;
/* falls through */
case ESP_TLS_HANDSHAKE:
ESP_LOGD(TAG, "handshake in progress...");
ret = mbedtls_ssl_handshake(&tls->ssl);
if (ret == 0) {
tls->conn_state = ESP_TLS_DONE;
return 1;
} else {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
ESP_LOGE(TAG, "mbedtls_ssl_handshake returned -0x%x", -ret);
if (cfg->cacert_pem_buf != NULL || cfg->use_global_ca_store == true) {
/* This is to check whether handshake failed due to invalid certificate*/
verify_certificate(tls);
}
tls->conn_state = ESP_TLS_FAIL;
return -1;
}
/* Irrespective of blocking or non-blocking I/O, we return on getting MBEDTLS_ERR_SSL_WANT_READ
or MBEDTLS_ERR_SSL_WANT_WRITE during handshake */
return 0;
}
break;
case ESP_TLS_FAIL:
ESP_LOGE(TAG, "failed to open a new connection");;
break;
default:
ESP_LOGE(TAG, "invalid esp-tls state");
break;
}
return -1;
}
int main(int argc, const char *argv[])
{
int cert_fd, issuer_fd;
int nwrites;
s_certificate cert, issuer;
if (argc != 2 && argc != 3) {
print_usage(argv[0]);
exit(EXIT_FAILURE);
}
ecc_init();
/* for critically secure code, you would need a better seed */
srand(time(NULL));
memset(&cert, 0, sizeof(cert));
memset(&issuer, 0, sizeof(cert));
/* open the new file */
cert_fd = open(argv[1], O_WRONLY | O_CREAT, S_IRUSR|S_IWUSR);
if (cert_fd == -1) {
fprintf(stderr, "unable to open %s\n", argv[1]);
perror("open");
exit(EXIT_FAILURE);
}
/* generate the certificate */
generate_certificate(&cert);
if (argc == 3) {
int nreads = 0;
/* open the issuer certificate */
issuer_fd = open(argv[2], O_RDONLY);
if (issuer_fd == -1) {
fprintf(stderr, "unable to open %s\n", argv[2]);
perror("open");
goto cleanup;
}
nreads = read(issuer_fd, &issuer, sizeof(issuer));
if (nreads != sizeof(issuer)) {
fprintf(stderr, "'%s' does not contain a valid certificate\n", argv[2]);
perror("read");
goto cleanup;
}
/* sign the new certificate */
sign_certificate(&issuer, &cert);
if (verify_certificate(&issuer.pub_cert, &cert.pub_cert)) {
fprintf(stderr, "unable to verify generated signature\n");
goto cleanup;
}
close(issuer_fd);
}
/* store the certificate */
nwrites = write(cert_fd, &cert, sizeof(cert));
if (nwrites != sizeof(cert)) {
fprintf(stderr, "unable to write the certificate\n");
perror("write");
goto cleanup;
}
close(cert_fd);
return 0;
cleanup:
unlink(argv[2]);
close(cert_fd);
exit(EXIT_FAILURE);
}
int
tls_server_start(uschar *require_ciphers, uschar *require_mac,
uschar *require_kx, uschar *require_proto)
{
int rc;
const char *error;
uschar *expciphers = NULL;
uschar *expmac = NULL;
uschar *expkx = NULL;
uschar *expproto = NULL;
/* Check for previous activation */
if (tls_active >= 0)
{
tls_error("STARTTLS received after TLS started", NULL, "");
smtp_printf("554 Already in TLS\r\n");
return FAIL;
}
/* Initialize the library. If it fails, it will already have logged the error
and sent an SMTP response. */
DEBUG(D_tls) debug_printf("initializing GnuTLS as a server\n");
rc = tls_init(NULL, tls_certificate, tls_privatekey, tls_verify_certificates,
tls_crl);
if (rc != OK) return rc;
if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers) ||
!expand_check(require_mac, US"gnutls_require_mac", &expmac) ||
!expand_check(require_kx, US"gnutls_require_kx", &expkx) ||
!expand_check(require_proto, US"gnutls_require_proto", &expproto))
return FAIL;
/* If this is a host for which certificate verification is mandatory or
optional, set up appropriately. */
tls_certificate_verified = FALSE;
verify_requirement = VERIFY_NONE;
if (verify_check_host(&tls_verify_hosts) == OK)
verify_requirement = VERIFY_REQUIRED;
else if (verify_check_host(&tls_try_verify_hosts) == OK)
verify_requirement = VERIFY_OPTIONAL;
/* Prepare for new connection */
tls_session = tls_session_init(GNUTLS_SERVER, expciphers, expmac, expkx,
expproto);
if (tls_session == NULL)
return tls_error(US"tls_session_init", NULL,
gnutls_strerror(GNUTLS_E_MEMORY_ERROR));
/* Set context and tell client to go ahead, except in the case of TLS startup
on connection, where outputting anything now upsets the clients and tends to
make them disconnect. We need to have an explicit fflush() here, to force out
the response. Other smtp_printf() calls do not need it, because in non-TLS
mode, the fflush() happens when smtp_getc() is called. */
if (!tls_on_connect)
{
smtp_printf("220 TLS go ahead\r\n");
fflush(smtp_out);
}
/* Now negotiate the TLS session. We put our own timer on it, since it seems
that the GnuTLS library doesn't. */
gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr)fileno(smtp_in),
(gnutls_transport_ptr)fileno(smtp_out));
sigalrm_seen = FALSE;
if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
rc = gnutls_handshake(tls_session);
alarm(0);
if (rc < 0)
{
tls_error(US"gnutls_handshake", NULL,
sigalrm_seen ? "timed out" : gnutls_strerror(rc));
/* It seems that, except in the case of a timeout, we have to close the
connection right here; otherwise if the other end is running OpenSSL it hangs
until the server times out. */
if (!sigalrm_seen)
{
(void)fclose(smtp_out);
(void)fclose(smtp_in);
}
return FAIL;
}
DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
if (verify_requirement != VERIFY_NONE &&
!verify_certificate(tls_session, &error))
{
tls_error(US"certificate verification failed", NULL, error);
return FAIL;
}
construct_cipher_name(tls_session);
/* TLS has been set up. Adjust the input functions to read via TLS,
and initialize appropriately. */
ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
ssl_xfer_eof = ssl_xfer_error = 0;
receive_getc = tls_getc;
receive_ungetc = tls_ungetc;
receive_feof = tls_feof;
receive_ferror = tls_ferror;
receive_smtp_buffered = tls_smtp_buffered;
tls_active = fileno(smtp_out);
return OK;
}
int
tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
uschar *certificate, uschar *privatekey, uschar *verify_certs,
uschar *verify_crl, uschar *require_ciphers, uschar *require_mac,
uschar *require_kx, uschar *require_proto, int timeout)
{
const gnutls_datum *server_certs;
uschar *expciphers = NULL;
uschar *expmac = NULL;
uschar *expkx = NULL;
uschar *expproto = NULL;
const char *error;
unsigned int server_certs_size;
int rc;
DEBUG(D_tls) debug_printf("initializing GnuTLS as a client\n");
verify_requirement = (verify_certs == NULL)? VERIFY_NONE : VERIFY_REQUIRED;
rc = tls_init(host, certificate, privatekey, verify_certs, verify_crl);
if (rc != OK) return rc;
if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers) ||
!expand_check(require_mac, US"gnutls_require_mac", &expmac) ||
!expand_check(require_kx, US"gnutls_require_kx", &expkx) ||
!expand_check(require_proto, US"gnutls_require_proto", &expproto))
return FAIL;
tls_session = tls_session_init(GNUTLS_CLIENT, expciphers, expmac, expkx,
expproto);
if (tls_session == NULL)
return tls_error(US "tls_session_init", host,
gnutls_strerror(GNUTLS_E_MEMORY_ERROR));
gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)fd);
/* There doesn't seem to be a built-in timeout on connection. */
sigalrm_seen = FALSE;
alarm(timeout);
rc = gnutls_handshake(tls_session);
alarm(0);
if (rc < 0)
return tls_error(US "gnutls_handshake", host,
sigalrm_seen ? "timed out" : gnutls_strerror(rc));
server_certs = gnutls_certificate_get_peers(tls_session, &server_certs_size);
if (server_certs != NULL)
{
uschar buff[1024];
gnutls_x509_crt gcert;
gnutls_x509_crt_init(&gcert);
tls_peerdn = US"unknown";
if (gnutls_x509_crt_import(gcert, server_certs, GNUTLS_X509_FMT_DER) == 0)
{
size_t bufsize = sizeof(buff);
if (gnutls_x509_crt_get_dn(gcert, CS buff, &bufsize) >= 0)
tls_peerdn = string_copy_malloc(buff);
}
}
/* Should we also verify the hostname here? */
if (verify_requirement != VERIFY_NONE &&
!verify_certificate(tls_session, &error))
return tls_error(US"certificate verification failed", host, error);
construct_cipher_name(tls_session); /* Sets tls_cipher */
tls_active = fd;
return OK;
}
void TLSTransaction::init (TLSServer& server)
{
int ret = gnutls_init (&_session, GNUTLS_SERVER);
if (ret < 0)
throw format ("TLS server init error. {1}", gnutls_strerror (ret));
ret = gnutls_priority_set (_session, server._priorities);
if (ret < 0)
throw format ("Error initializing TLS. {1}", gnutls_strerror (ret));
// Apply the x509 credentials to the current session.
ret = gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, server._credentials);
if (ret < 0)
throw format ("TLS credentials error. {1}", gnutls_strerror (ret));
// Store the TLSTransaction instance, so that the verification callback can
// access it during the handshake below and call the verifcation method.
gnutls_session_set_ptr (_session, (void*) this);
// Require client certificate.
gnutls_certificate_server_set_request (_session, GNUTLS_CERT_REQUIRE);
/*
// Set maximum compatibility mode. This is only suggested on public
// webservers that need to trade security for compatibility
gnutls_session_enable_compatibility_mode (_session);
*/
struct sockaddr_in sa_cli = {0};
socklen_t client_len = sizeof sa_cli;
do
{
_socket = accept (server._socket, (struct sockaddr *) &sa_cli, &client_len);
}
while (errno == EINTR);
if (_socket < 0)
throw std::string (::strerror (errno));
// Obtain client info.
char topbuf[512];
_address = inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf));
_port = ntohs (sa_cli.sin_port);
if (_debug)
std::cout << "s: INFO connection from "
<< _address
<< " port "
<< _port
<< "\n";
#if GNUTLS_VERSION_NUMBER >= 0x030109
gnutls_transport_set_int (_session, _socket);
#else
gnutls_transport_set_ptr (_session, (gnutls_transport_ptr_t) (intptr_t) _socket);
#endif
// Perform the TLS handshake
do
{
ret = gnutls_handshake (_session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
throw std::string ("Handshake has failed (") + gnutls_strerror (ret) + ")";
#if GNUTLS_VERSION_NUMBER < 0x02090a
// The automatic verification for the server certificate with
// gnutls_certificate_set_verify_function does only work with gnutls
// >=2.9.10. So with older versions we should call the verify function
// manually after the gnutls handshake.
ret = verify_certificate ();
if (ret < 0)
{
if (_debug)
std::cout << "s: ERROR Certificate verification failed.\n";
throw std::string ("Error initializing TLS.");
}
#endif
if (_debug)
{
#if GNUTLS_VERSION_NUMBER >= 0x03010a
char* desc = gnutls_session_get_desc (_session);
std::cout << "s: INFO Handshake was completed: " << desc << "\n";
gnutls_free (desc);
#else
std::cout << "s: INFO Handshake was completed.\n";
#endif
}
}
