BOOL winpr_CleanupSSL(DWORD flags)
{
if (flags & WINPR_SSL_CLEANUP_GLOBAL)
{
if (!g_winpr_openssl_initialized_by_winpr)
{
WLog_WARN(TAG, "ssl was not initialized by winpr");
return FALSE;
}
g_winpr_openssl_initialized_by_winpr = FALSE;
#ifdef WINPR_OPENSSL_LOCKING_REQUIRED
_winpr_openssl_cleanup_locking();
#endif
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
EVP_cleanup();
#endif
#ifdef WINPR_OPENSSL_LOCKING_REQUIRED
flags |= WINPR_SSL_CLEANUP_THREAD;
#endif
}
#ifdef WINPR_OPENSSL_LOCKING_REQUIRED
if (flags & WINPR_SSL_CLEANUP_THREAD)
{
#if (OPENSSL_VERSION_NUMBER < 0x10000000L) || defined(LIBRESSL_VERSION_NUMBER)
ERR_remove_state(0);
#else
ERR_remove_thread_state(NULL);
#endif
}
#endif
return TRUE;
}
void OpenSSL::ClassDestroy() {
MS_TRACE();
MS_DEBUG("unloading openssl");
// FAQ: https://www.openssl.org/support/faq.html#PROG13
// Thread-local cleanup functions.
ERR_remove_thread_state(nullptr);
// Application-global cleanup functions that are aware of usage (and
// therefore thread-safe).
ENGINE_cleanup();
// "Brutal" (thread-unsafe) Application-global cleanup functions.
ERR_free_strings();
EVP_cleanup(); // Removes all ciphers and digests.
CRYPTO_cleanup_all_ex_data();
// https://bugs.launchpad.net/percona-server/+bug/1341067.
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
// Free mutexes.
for (int i=0; i<OpenSSL::numMutexes; i++) {
int err = pthread_mutex_destroy(&OpenSSL::mutexes[i]);
if (err)
MS_ERROR("pthread_mutex_destroy() failed with return code %d\n", err);
}
if (OpenSSL::mutexes)
delete[] OpenSSL::mutexes;
// Reset callbacks.
CRYPTO_THREADID_set_callback(nullptr);
CRYPTO_set_locking_callback(nullptr);
CRYPTO_set_dynlock_create_callback(nullptr);
CRYPTO_set_dynlock_lock_callback(nullptr);
CRYPTO_set_dynlock_destroy_callback(nullptr);
}
void OpenSSLSession::Stop()
{
if(!m_bStarted)
{
return;
}
if(m_ConnectionCtx)
{
SSL_CTX_free(m_ConnectionCtx);
m_ConnectionCtx = 0;
}
ERR_remove_state(0);
ENGINE_cleanup();
CONF_modules_unload(1);
ERR_free_strings();
EVP_cleanup();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
CRYPTO_cleanup_all_ex_data();
m_bStarted = false;
}
/**
* Stop SSL support library
* @return TRUE, or FALSE if an error has occured.
*/
int stop_ssl() {
#ifdef HAVE_OPENSSL
if ( ssl_initilized ) {
ssl_initilized=FALSE;
ERR_free_strings();
return (ssl_thread_stop() && ssl_entropy_stop());
} else {
return TRUE;
}
#else
return FALSE;
#endif
}
void
tls_deinit(void)
{
if (tls_initialised) {
tls_compat_cleanup();
tls_config_free(tls_config_default);
tls_config_default = NULL;
#ifdef USE_LIBSSL_INTERNALS
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
BIO_sock_cleanup();
ERR_clear_error();
ERR_remove_thread_state(NULL);
ERR_free_strings();
#else
OPENSSL_cleanup();
#endif
tls_initialised = 0;
}
}
UtlBoolean OsEncryption::openSslError(void)
{
#if defined(OSENCRYPTION)
unsigned long err = ERR_get_error();
if (err != 0)
{
ERR_load_crypto_strings();
ERR_load_ERR_strings();
char errbuff[256];
errbuff[0] = 0;
ERR_error_string_n(err, errbuff, sizeof(errbuff));
osPrintf("OpenSLL ERROR:\n\tlib:%s\n\tfunction:%s\n\treason:%s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err),
ERR_reason_error_string(err));
ERR_free_strings();
return TRUE;
}
#endif
return FALSE;
}
/**
* @brief Deinitialize the signing subsystem
*
* @param none
*
* @returns Nothing
*/
void sign_deinit(void) {
if (rsa) {
RSA_free(rsa);
rsa = NULL;
}
if (crypto_initialized) {
/* (From: https://wiki.openssl.org/index.php/Libcrypto_API) */
/* Removes all digests and ciphers */
EVP_cleanup();
/**
* if you omit the next, a small leak may be left when you make use
* of the BIO (low level API) for e.g. base64 transformations
*/
CRYPTO_cleanup_all_ex_data();
/* Remove error strings */
ERR_free_strings();
crypto_initialized = false;
}
}
/* Global cleanup */
void Curl_SSL_cleanup(void)
{
#ifdef USE_SSLEAY
if(init_ssl) {
/* only cleanup if we did a previous init */
/* Free the SSL error strings */
ERR_free_strings();
/* EVP_cleanup() removes all ciphers and digests from the
table. */
EVP_cleanup();
#ifdef HAVE_ENGINE_cleanup
ENGINE_cleanup();
#endif
init_ssl=0; /* not inited any more */
}
#else
/* SSL disabled, do nothing */
#endif
}
/*
* the various processing hooks
*/
static apr_status_t ssl_cleanup_pre_config(void *data)
{
/*
* Try to kill the internals of the SSL library.
*/
/* Corresponds to OPENSSL_load_builtin_modules():
* XXX: borrowed from apps.h, but why not CONF_modules_free()
* which also invokes CONF_modules_finish()?
*/
CONF_modules_unload(1);
/* Corresponds to SSL_library_init: */
EVP_cleanup();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_cleanup();
#endif
ERR_remove_state(0);
/* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
* actually loaded the error strings once per process due to static
* variable abuse in OpenSSL. */
#if (OPENSSL_VERSION_NUMBER >= 0x00090805f)
ERR_free_strings();
#endif
/* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
* ex_data indices may have been cached in static variables in
* OpenSSL; removing them may cause havoc. Notably, with OpenSSL
* versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
* could result in a per-connection memory leak (!). */
/*
* TODO: determine somewhere we can safely shove out diagnostics
* (when enabled) at this late stage in the game:
* CRYPTO_mem_leaks_fp(stderr);
*/
return APR_SUCCESS;
}
bool_t CC_CALL _cckit_destroy_http_request(cckit_http_t **h)
{
if (h == NULL || *h == NULL) {
return FALSE;
}
#ifdef CC_OPENSSL_HTTPS
if ((*h)->address->scheme == CC_SCHEME_HTTPS) {
if ((*h)->ssl) {
SSL_shutdown((*h)->ssl);
SSL_free((*h)->ssl);
SSL_CTX_free((*h)->ssl_ctx);
}
/*SSL*/
if(cc_atomic_dec_ref(_SSL_init_refcount)) {
ERR_free_strings();
}
}
#endif
if ((*h)->response) {
_cckit_destroy_http_response(&(*h)->response);
}
if ((*h)->address) {
cc_destroy_url(&(*h)->address);
}
if ((*h)->sock_event) {
cckit_data_buffer_pop((cckit_data_buffer_t**)&(*h)->sock_event->args[2]);
cckit_tcp_close((*h)->sock_event);
(*h)->sock_event = NULL;
}
cc_free((*h));
*h = NULL;
return TRUE;
}
/*
Release SSL and free resources
Will be automatically executed by
mysql_server_end() function
SYNOPSIS
my_ssl_end()
void
RETURN VALUES
void
*/
void ma_tls_end()
{
if (ma_tls_initialized)
{
int i;
pthread_mutex_lock(&LOCK_openssl_config);
CRYPTO_set_locking_callback(NULL);
CRYPTO_set_id_callback(NULL);
for (i=0; i < CRYPTO_num_locks(); i++)
pthread_mutex_destroy(&LOCK_crypto[i]);
ma_free((gptr)LOCK_crypto);
LOCK_crypto= NULL;
if (SSL_context)
{
SSL_CTX_free(SSL_context);
SSL_context= NULL;
}
if (mariadb_deinitialize_ssl)
{
ERR_remove_state(0);
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
CONF_modules_free();
CONF_modules_unload(1);
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
}
ma_tls_initialized= FALSE;
pthread_mutex_unlock(&LOCK_openssl_config);
pthread_mutex_destroy(&LOCK_openssl_config);
}
return;
}
static ret_t
_free (cherokee_cryptor_libssl_t *cryp)
{
/* DH Parameters
*/
if (dh_param_512 != NULL) {
DH_free (dh_param_512);
dh_param_512 = NULL;
}
if (dh_param_1024 != NULL) {
DH_free (dh_param_1024);
dh_param_1024 = NULL;
}
if (dh_param_2048 != NULL) {
DH_free (dh_param_2048);
dh_param_2048 = NULL;
}
if (dh_param_4096 != NULL) {
DH_free (dh_param_4096);
dh_param_4096 = NULL;
}
/* Free loaded error strings
*/
ERR_free_strings();
/* Free all ciphers and digests
*/
EVP_cleanup();
cherokee_cryptor_free_base (CRYPTOR(cryp));
return ret_ok;
}
LWS_VISIBLE void
lws_ssl_destroy(struct lws_vhost *vhost)
{
if (!lws_check_opt(vhost->context->options,
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
return;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
if (vhost->ssl_ctx)
SSL_CTX_free(vhost->ssl_ctx);
if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx)
SSL_CTX_free(vhost->ssl_client_ctx);
#if (OPENSSL_VERSION_NUMBER < 0x10100006L)
#if (OPENSSL_VERSION_NUMBER < 0x01000000) || defined(USE_WOLFSSL)
ERR_remove_state(0);
#else
#if (OPENSSL_VERSION_NUMBER >= 0x10100005L) && \
!defined(LIBRESSL_VERSION_NUMBER) && \
!defined(OPENSSL_IS_BORINGSSL)
ERR_remove_thread_state();
#else
ERR_remove_thread_state(NULL);
#endif
#endif
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
#endif
#endif
#endif
}
bool __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, void* lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
module = hinstDLL;
DisableThreadLibraryCalls(hinstDLL);
#ifndef USE_CURL
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
#else
curl_global_init(CURL_GLOBAL_ALL);
#endif
break;
case DLL_PROCESS_DETACH:
#ifndef USE_CURL
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
#else
curl_global_cleanup();
#endif
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return true;
}
void
lws_ssl_context_destroy(struct lws_context *context)
{
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if (OPENSSL_VERSION_NUMBER < 0x01000000) || defined(USE_WOLFSSL)
ERR_remove_state(0);
#else
#if (OPENSSL_VERSION_NUMBER >= 0x10100005L) && \
!defined(LIBRESSL_VERSION_NUMBER) && \
!defined(OPENSSL_IS_BORINGSSL)
ERR_remove_thread_state();
#else
ERR_remove_thread_state(NULL);
#endif
#endif
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
#endif
#endif
}
void
tor_cleanup (void)
{
if (!initialized) {
return;
}
EVP_cleanup();
ERR_remove_state(0);
ERR_free_strings();
ENGINE_cleanup();
CONF_modules_unload(1);
CRYPTO_cleanup_all_ex_data();
// cleanup multithreading
for (size_t i = 0; i < locks.length; i++) {
uv_mutex_destroy(&locks.item[i]);
}
free(locks.item);
locks.length = 0;
}
int
main(int argc, char **argv)
{
int i;
sigset_t set;
#if ENABLE_MPEGTS
uint32_t adapter_mask = 0;
#endif
int log_level = LOG_INFO;
int log_options = TVHLOG_OPT_MILLIS | TVHLOG_OPT_STDERR | TVHLOG_OPT_SYSLOG;
const char *log_debug = NULL, *log_trace = NULL;
gid_t gid = -1;
uid_t uid = -1;
char buf[512];
FILE *pidfile = NULL;
extern int dvb_bouquets_parse;
main_tid = pthread_self();
/* Setup global mutexes */
pthread_mutex_init(&fork_lock, NULL);
pthread_mutex_init(&global_lock, NULL);
pthread_mutex_init(&tasklet_lock, NULL);
pthread_mutex_init(&atomic_lock, NULL);
pthread_cond_init(>imer_cond, NULL);
pthread_cond_init(&tasklet_cond, NULL);
TAILQ_INIT(&tasklets);
/* Defaults */
tvheadend_webui_port = 9981;
tvheadend_webroot = NULL;
tvheadend_htsp_port = 9982;
tvheadend_htsp_port_extra = 0;
time(&dispatch_clock);
/* Command line options */
int opt_help = 0,
opt_version = 0,
opt_fork = 0,
opt_firstrun = 0,
opt_stderr = 0,
opt_syslog = 0,
opt_nosyslog = 0,
opt_uidebug = 0,
opt_abort = 0,
opt_noacl = 0,
opt_fileline = 0,
opt_threadid = 0,
opt_libav = 0,
opt_ipv6 = 0,
opt_satip_rtsp = 0,
#if ENABLE_TSFILE
opt_tsfile_tuner = 0,
#endif
opt_dump = 0,
opt_xspf = 0,
opt_dbus = 0,
opt_dbus_session = 0,
opt_nobackup = 0,
opt_nobat = 0;
const char *opt_config = NULL,
*opt_user = NULL,
*opt_group = NULL,
*opt_logpath = NULL,
*opt_log_debug = NULL,
*opt_log_trace = NULL,
*opt_pidpath = "/var/run/tvheadend.pid",
#if ENABLE_LINUXDVB
*opt_dvb_adapters = NULL,
#endif
*opt_bindaddr = NULL,
*opt_subscribe = NULL,
*opt_user_agent = NULL;
str_list_t opt_satip_xml = { .max = 10, .num = 0, .str = calloc(10, sizeof(char*)) };
str_list_t opt_tsfile = { .max = 10, .num = 0, .str = calloc(10, sizeof(char*)) };
cmdline_opt_t cmdline_opts[] = {
{ 0, NULL, N_("Generic Options"), OPT_BOOL, NULL },
{ 'h', "help", N_("Show this page"), OPT_BOOL, &opt_help },
{ 'v', "version", N_("Show version information"),OPT_BOOL, &opt_version },
{ 0, NULL, N_("Service Configuration"), OPT_BOOL, NULL },
{ 'c', "config", N_("Alternate config path"), OPT_STR, &opt_config },
{ 'B', "nobackup", N_("Don't backup config tree at upgrade"), OPT_BOOL, &opt_nobackup },
{ 'f', "fork", N_("Fork and run as daemon"), OPT_BOOL, &opt_fork },
{ 'u', "user", N_("Run as user"), OPT_STR, &opt_user },
{ 'g', "group", N_("Run as group"), OPT_STR, &opt_group },
{ 'p', "pid", N_("Alternate pid path"), OPT_STR, &opt_pidpath },
{ 'C', "firstrun", N_("If no user account exists then create one with\n"
"no username and no password. Use with care as\n"
"it will allow world-wide administrative access\n"
"to your Tvheadend installation until you edit/create\n"
"access-control from within the Tvheadend UI"),
OPT_BOOL, &opt_firstrun },
#if ENABLE_DBUS_1
{ 'U', "dbus", N_("Enable DBus"),
OPT_BOOL, &opt_dbus },
{ 'e', "dbus_session", N_("DBus - use the session message bus instead system one"),
OPT_BOOL, &opt_dbus_session },
#endif
#if ENABLE_LINUXDVB
{ 'a', "adapters", N_("Only use specified DVB adapters (comma separated)"),
OPT_STR, &opt_dvb_adapters },
#endif
#if ENABLE_SATIP_SERVER
{ 0, "satip_rtsp", N_("SAT>IP RTSP port number for server\n"
"(default: -1 = disable, 0 = webconfig, standard port is 554)"),
OPT_INT, &opt_satip_rtsp },
#endif
#if ENABLE_SATIP_CLIENT
{ 0, "satip_xml", N_("URL with the SAT>IP server XML location"),
OPT_STR_LIST, &opt_satip_xml },
#endif
{ 0, NULL, N_("Server Connectivity"), OPT_BOOL, NULL },
{ '6', "ipv6", N_("Listen on IPv6"), OPT_BOOL, &opt_ipv6 },
{ 'b', "bindaddr", N_("Specify bind address"), OPT_STR, &opt_bindaddr},
{ 0, "http_port", N_("Specify alternative http port"),
OPT_INT, &tvheadend_webui_port },
{ 0, "http_root", N_("Specify alternative http webroot"),
OPT_STR, &tvheadend_webroot },
{ 0, "htsp_port", N_("Specify alternative htsp port"),
OPT_INT, &tvheadend_htsp_port },
{ 0, "htsp_port2", N_("Specify extra htsp port"),
OPT_INT, &tvheadend_htsp_port_extra },
{ 0, "useragent", N_("Specify User-Agent header for the http client"),
OPT_STR, &opt_user_agent },
{ 0, "xspf", N_("Use XSPF playlist instead of M3U"),
OPT_BOOL, &opt_xspf },
{ 0, NULL, N_("Debug Options"), OPT_BOOL, NULL },
{ 'd', "stderr", N_("Enable debug on stderr"), OPT_BOOL, &opt_stderr },
{ 's', "syslog", N_("Enable debug to syslog"), OPT_BOOL, &opt_syslog },
{ 'S', "nosyslog", N_("Disable syslog (all msgs)"), OPT_BOOL, &opt_nosyslog },
{ 'l', "logfile", N_("Enable debug to file"), OPT_STR, &opt_logpath },
{ 0, "debug", N_("Enable debug subsystems"), OPT_STR, &opt_log_debug },
#if ENABLE_TRACE
{ 0, "trace", N_("Enable trace subsystems"), OPT_STR, &opt_log_trace },
#endif
{ 0, "fileline", N_("Add file and line numbers to debug"), OPT_BOOL, &opt_fileline },
{ 0, "threadid", N_("Add the thread ID to debug"), OPT_BOOL, &opt_threadid },
#if ENABLE_LIBAV
{ 0, "libav", N_("More verbose libav log"), OPT_BOOL, &opt_libav },
#endif
{ 0, "uidebug", N_("Enable webUI debug (non-minified JS)"), OPT_BOOL, &opt_uidebug },
{ 'A', "abort", N_("Immediately abort"), OPT_BOOL, &opt_abort },
{ 'D', "dump", N_("Enable coredumps for daemon"), OPT_BOOL, &opt_dump },
{ 0, "noacl", N_("Disable all access control checks"),
OPT_BOOL, &opt_noacl },
{ 0, "nobat", N_("Disable DVB bouquets"),
OPT_BOOL, &opt_nobat },
{ 'j', "join", N_("Subscribe to a service permanently"),
OPT_STR, &opt_subscribe },
#if ENABLE_TSFILE || ENABLE_TSDEBUG
{ 0, NULL, N_("Testing options"), OPT_BOOL, NULL },
{ 0, "tsfile_tuners", N_("Number of tsfile tuners"), OPT_INT, &opt_tsfile_tuner },
{ 0, "tsfile", N_("tsfile input (mux file)"), OPT_STR_LIST, &opt_tsfile },
#endif
#if ENABLE_TSDEBUG
{ 0, "tsdebug", N_("Output directory for tsdebug"), OPT_STR, &tvheadend_tsdebug },
#endif
};
/* Get current directory */
tvheadend_cwd0 = dirname(tvh_strdupa(argv[0]));
tvheadend_cwd = dirname(tvh_strdupa(tvheadend_cwd0));
/* Set locale */
setlocale(LC_ALL, "");
setlocale(LC_NUMERIC, "C");
/* make sure the timezone is set */
tzset();
/* Process command line */
for (i = 1; i < argc; i++) {
/* Find option */
cmdline_opt_t *opt
= cmdline_opt_find(cmdline_opts, ARRAY_SIZE(cmdline_opts), argv[i]);
if (!opt)
show_usage(argv[0], cmdline_opts, ARRAY_SIZE(cmdline_opts),
_("invalid option specified [%s]"), argv[i]);
/* Process */
if (opt->type == OPT_BOOL)
*((int*)opt->param) = 1;
else if (++i == argc)
show_usage(argv[0], cmdline_opts, ARRAY_SIZE(cmdline_opts),
_("option %s requires a value"), opt->lopt);
else if (opt->type == OPT_INT)
*((int*)opt->param) = atoi(argv[i]);
else if (opt->type == OPT_STR_LIST) {
str_list_t *strl = opt->param;
if (strl->num < strl->max)
strl->str[strl->num++] = argv[i];
}
else
*((char**)opt->param) = argv[i];
/* Stop processing */
if (opt_help)
show_usage(argv[0], cmdline_opts, ARRAY_SIZE(cmdline_opts), NULL);
if (opt_version)
show_version(argv[0]);
}
/* Additional cmdline processing */
if (opt_nobat)
dvb_bouquets_parse = 0;
#if ENABLE_LINUXDVB
if (!opt_dvb_adapters) {
adapter_mask = ~0;
} else {
char *p, *e;
char *r = NULL;
char *dvb_adapters = strdup(opt_dvb_adapters);
adapter_mask = 0x0;
p = strtok_r(dvb_adapters, ",", &r);
while (p) {
int a = strtol(p, &e, 10);
if (*e != 0 || a < 0 || a > 31) {
fprintf(stderr, _("Invalid adapter number '%s'\n"), p);
free(dvb_adapters);
return 1;
}
adapter_mask |= (1 << a);
p = strtok_r(NULL, ",", &r);
}
free(dvb_adapters);
if (!adapter_mask) {
fprintf(stderr, "%s", _("No adapters specified!\n"));
return 1;
}
}
#endif
if (tvheadend_webroot) {
char *tmp;
if (*tvheadend_webroot == '/')
tmp = strdup(tvheadend_webroot);
else {
tmp = malloc(strlen(tvheadend_webroot)+2);
*tmp = '/';
strcpy(tmp+1, tvheadend_webroot);
}
if (tmp[strlen(tmp)-1] == '/')
tmp[strlen(tmp)-1] = '\0';
tvheadend_webroot = tmp;
}
tvheadend_webui_debug = opt_uidebug;
/* Setup logging */
if (isatty(2))
log_options |= TVHLOG_OPT_DECORATE;
if (opt_stderr || opt_syslog || opt_logpath) {
if (!opt_log_trace && !opt_log_debug)
log_debug = "all";
log_level = LOG_DEBUG;
if (opt_stderr)
log_options |= TVHLOG_OPT_DBG_STDERR;
if (opt_syslog)
log_options |= TVHLOG_OPT_DBG_SYSLOG;
if (opt_logpath)
log_options |= TVHLOG_OPT_DBG_FILE;
}
if (opt_nosyslog)
log_options &= ~(TVHLOG_OPT_SYSLOG|TVHLOG_OPT_DBG_SYSLOG);
if (opt_fileline)
log_options |= TVHLOG_OPT_FILELINE;
if (opt_threadid)
log_options |= TVHLOG_OPT_THREAD;
if (opt_libav)
log_options |= TVHLOG_OPT_LIBAV;
if (opt_log_trace) {
log_level = LOG_TRACE;
log_trace = opt_log_trace;
}
if (opt_log_debug)
log_debug = opt_log_debug;
tvhlog_init(log_level, log_options, opt_logpath);
tvhlog_set_debug(log_debug);
tvhlog_set_trace(log_trace);
tvhinfo("main", "Log started");
signal(SIGPIPE, handle_sigpipe); // will be redundant later
signal(SIGILL, handle_sigill); // see handler..
/* Set priviledges */
if(opt_fork || opt_group || opt_user) {
const char *homedir;
struct group *grp = getgrnam(opt_group ?: "video");
struct passwd *pw = opt_user ? getpwnam(opt_user) : NULL;
if(grp != NULL) {
gid = grp->gr_gid;
} else {
gid = 1;
}
if (pw != NULL) {
if (getuid() != pw->pw_uid) {
gid_t glist[16];
int gnum;
gnum = get_user_groups(pw, glist, ARRAY_SIZE(glist));
if (gnum > 0 && setgroups(gnum, glist)) {
char buf[256] = "";
int i;
for (i = 0; i < gnum; i++)
snprintf(buf + strlen(buf), sizeof(buf) - 1 - strlen(buf),
",%d", glist[i]);
tvhlog(LOG_ALERT, "START",
"setgroups(%s) failed, do you have permission?", buf+1);
return 1;
}
}
uid = pw->pw_uid;
homedir = pw->pw_dir;
setenv("HOME", homedir, 1);
} else {
uid = 1;
}
}
uuid_init();
config_boot(opt_config, gid, uid);
tcp_server_preinit(opt_ipv6);
http_server_init(opt_bindaddr); // bind to ports only
htsp_init(opt_bindaddr); // bind to ports only
satip_server_init(opt_satip_rtsp); // bind to ports only
if (opt_fork)
pidfile = tvh_fopen(opt_pidpath, "w+");
if (gid != -1 && (getgid() != gid) && setgid(gid)) {
tvhlog(LOG_ALERT, "START",
"setgid(%d) failed, do you have permission?", gid);
return 1;
}
if (uid != -1 && (getuid() != uid) && setuid(uid)) {
tvhlog(LOG_ALERT, "START",
"setuid(%d) failed, do you have permission?", uid);
return 1;
}
/* Daemonise */
if(opt_fork) {
if(daemon(0, 0)) {
exit(2);
}
if(pidfile != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
}
/* Make dumpable */
if (opt_dump) {
#ifdef PLATFORM_LINUX
if (chdir("/tmp"))
tvhwarn("START", "failed to change cwd to /tmp");
prctl(PR_SET_DUMPABLE, 1);
#else
tvhwarn("START", "Coredumps not implemented on your platform");
#endif
}
umask(0);
}
tvheadend_running = 1;
/* Start log thread (must be done post fork) */
tvhlog_start();
/* Alter logging */
if (opt_fork)
tvhlog_options &= ~TVHLOG_OPT_STDERR;
if (!isatty(2))
tvhlog_options &= ~TVHLOG_OPT_DECORATE;
/* Initialise clock */
pthread_mutex_lock(&global_lock);
time(&dispatch_clock);
/* Signal handling */
sigfillset(&set);
sigprocmask(SIG_BLOCK, &set, NULL);
trap_init(argv[0]);
/* SSL library init */
OPENSSL_config(NULL);
SSL_load_error_strings();
SSL_library_init();
/* Initialise configuration */
notify_init();
idnode_init();
spawn_init();
config_init(opt_nobackup == 0);
/**
* Initialize subsystems
*/
epg_in_load = 1;
tvhthread_create(&tasklet_tid, NULL, tasklet_thread, NULL);
dbus_server_init(opt_dbus, opt_dbus_session);
intlconv_init();
api_init();
fsmonitor_init();
libav_init();
tvhtime_init();
profile_init();
imagecache_init();
http_client_init(opt_user_agent);
esfilter_init();
bouquet_init();
service_init();
dvb_init();
#if ENABLE_MPEGTS
mpegts_init(adapter_mask, &opt_satip_xml, &opt_tsfile, opt_tsfile_tuner);
#endif
channel_init();
bouquet_service_resolve();
subscription_init();
dvr_config_init();
access_init(opt_firstrun, opt_noacl);
#if ENABLE_TIMESHIFT
timeshift_init();
#endif
tcp_server_init();
webui_init(opt_xspf);
#if ENABLE_UPNP
upnp_server_init(opt_bindaddr);
#endif
service_mapper_init();
descrambler_init();
epggrab_init();
epg_init();
dvr_init();
dbus_server_start();
http_server_register();
satip_server_register();
htsp_register();
if(opt_subscribe != NULL)
subscription_dummy_join(opt_subscribe, 1);
avahi_init();
bonjour_init();
epg_updated(); // cleanup now all prev ref's should have been created
epg_in_load = 0;
pthread_mutex_unlock(&global_lock);
/**
* Wait for SIGTERM / SIGINT, but only in this thread
*/
sigemptyset(&set);
sigaddset(&set, SIGTERM);
sigaddset(&set, SIGINT);
signal(SIGTERM, doexit);
signal(SIGINT, doexit);
pthread_sigmask(SIG_UNBLOCK, &set, NULL);
tvhlog(LOG_NOTICE, "START", "HTS Tvheadend version %s started, "
"running as PID:%d UID:%d GID:%d, CWD:%s CNF:%s",
tvheadend_version,
getpid(), getuid(), getgid(), getcwd(buf, sizeof(buf)),
hts_settings_get_root());
if(opt_abort)
abort();
mainloop();
#if ENABLE_DBUS_1
tvhftrace("main", dbus_server_done);
#endif
#if ENABLE_UPNP
tvhftrace("main", upnp_server_done);
#endif
tvhftrace("main", satip_server_done);
tvhftrace("main", htsp_done);
tvhftrace("main", http_server_done);
tvhftrace("main", webui_done);
tvhftrace("main", fsmonitor_done);
tvhftrace("main", http_client_done);
tvhftrace("main", tcp_server_done);
// Note: the locking is obviously a bit redundant, but without
// we need to disable the gtimer_arm call in epg_save()
pthread_mutex_lock(&global_lock);
tvhftrace("main", epg_save);
#if ENABLE_TIMESHIFT
tvhftrace("main", timeshift_term);
#endif
pthread_mutex_unlock(&global_lock);
tvhftrace("main", epggrab_done);
#if ENABLE_MPEGTS
tvhftrace("main", mpegts_done);
#endif
tvhftrace("main", descrambler_done);
tvhftrace("main", service_mapper_done);
tvhftrace("main", service_done);
tvhftrace("main", channel_done);
tvhftrace("main", bouquet_done);
tvhftrace("main", dvr_done);
tvhftrace("main", subscription_done);
tvhftrace("main", access_done);
tvhftrace("main", epg_done);
tvhftrace("main", avahi_done);
tvhftrace("main", bonjour_done);
tvhftrace("main", imagecache_done);
tvhftrace("main", lang_code_done);
tvhftrace("main", api_done);
tvhtrace("main", "tasklet enter");
pthread_cond_signal(&tasklet_cond);
pthread_join(tasklet_tid, NULL);
tvhtrace("main", "tasklet thread end");
tasklet_flush();
tvhtrace("main", "tasklet leave");
tvhftrace("main", hts_settings_done);
tvhftrace("main", dvb_done);
tvhftrace("main", lang_str_done);
tvhftrace("main", esfilter_done);
tvhftrace("main", profile_done);
tvhftrace("main", intlconv_done);
tvhftrace("main", urlparse_done);
tvhftrace("main", idnode_done);
tvhftrace("main", notify_done);
tvhftrace("main", spawn_done);
tvhlog(LOG_NOTICE, "STOP", "Exiting HTS Tvheadend");
tvhlog_end();
tvhftrace("main", config_done);
if(opt_fork)
unlink(opt_pidpath);
#if ENABLE_TSFILE
free(opt_tsfile.str);
#endif
free(opt_satip_xml.str);
/* OpenSSL - welcome to the "cleanup" hell */
ENGINE_cleanup();
RAND_cleanup();
CRYPTO_cleanup_all_ex_data();
EVP_cleanup();
CONF_modules_free();
#ifndef OPENSSL_NO_COMP
COMP_zlib_cleanup();
#endif
ERR_remove_state(0);
ERR_free_strings();
#ifndef OPENSSL_NO_COMP
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
#endif
/* end of OpenSSL cleanup code */
#if ENABLE_DBUS_1
extern void dbus_shutdown(void);
if (opt_dbus) dbus_shutdown();
#endif
return 0;
}
/**
*
*/
void
tvh_str_set(char **strp, const char *src)
{
free(*strp);
*strp = src ? strdup(src) : NULL;
}
/**
*
*/
int
tvh_str_update(char **strp, const char *src)
{
if(src == NULL)
return 0;
free(*strp);
*strp = strdup(src);
return 1;
}
/**
*
*/
void
scopedunlock(pthread_mutex_t **mtxp)
{
pthread_mutex_unlock(*mtxp);
}
/*
* OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
* OpenSSL[http://www.openssl.org/] library.
*
* = Examples
*
* All examples assume you have loaded OpenSSL with:
*
* require 'openssl'
*
* These examples build atop each other. For example the key created in the
* next is used in throughout these examples.
*
* == Keys
*
* === Creating a Key
*
* This example creates a 2048 bit RSA keypair and writes it to the current
* directory.
*
* key = OpenSSL::PKey::RSA.new 2048
*
* open 'private_key.pem', 'w' do |io| io.write key.to_pem end
* open 'public_key.pem', 'w' do |io| io.write key.public_key.to_pem end
*
* === Exporting a Key
*
* Keys saved to disk without encryption are not secure as anyone who gets
* ahold of the key may use it unless it is encrypted. In order to securely
* export a key you may export it with a pass phrase.
*
* cipher = OpenSSL::Cipher.new 'AES-128-CBC'
* pass_phrase = 'my secure pass phrase goes here'
*
* key_secure = key.export cipher, pass_phrase
*
* open 'private.secure.pem', 'w' do |io|
* io.write key_secure
* end
*
* OpenSSL::Cipher.ciphers returns a list of available ciphers.
*
* === Loading a Key
*
* A key can also be loaded from a file.
*
* key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
* key2.public? # => true
*
* or
*
* key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
* key3.private? # => false
*
* === Loading an Encrypted Key
*
* OpenSSL will prompt you for your pass phrase when loading an encrypted key.
* If you will not be able to type in the pass phrase you may provide it when
* loading the key:
*
* key4_pem = File.read 'private.secure.pem'
* key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
*
* == RSA Encryption
*
* RSA provides encryption and decryption using the public and private keys.
* You can use a variety of padding methods depending upon the intended use of
* encrypted data.
*
* === Encryption & Decryption
*
* Asymmetric public/private key encryption is slow and victim to attack in
* cases where it is used without padding or directly to encrypt larger chunks
* of data. Typical use cases for RSA encryption involve "wrapping" a symmetric
* key with the public key of the recipient who would "unwrap" that symmetric
* key again using their private key.
* The following illustrates a simplified example of such a key transport
* scheme. It shouldn't be used in practice, though, standardized protocols
* should always be preferred.
*
* wrapped_key = key.public_encrypt key
*
* A symmetric key encrypted with the public key can only be decrypted with
* the corresponding private key of the recipient.
*
* original_key = key.private_decrypt wrapped_key
*
* By default PKCS#1 padding will be used, but it is also possible to use
* other forms of padding, see PKey::RSA for further details.
*
* === Signatures
*
* Using "private_encrypt" to encrypt some data with the private key is
* equivalent to applying a digital signature to the data. A verifying
* party may validate the signature by comparing the result of decrypting
* the signature with "public_decrypt" to the original data. However,
* OpenSSL::PKey already has methods "sign" and "verify" that handle
* digital signatures in a standardized way - "private_encrypt" and
* "public_decrypt" shouldn't be used in practice.
*
* To sign a document, a cryptographically secure hash of the document is
* computed first, which is then signed using the private key.
*
* digest = OpenSSL::Digest::SHA256.new
* signature = key.sign digest, document
*
* To validate the signature, again a hash of the document is computed and
* the signature is decrypted using the public key. The result is then
* compared to the hash just computed, if they are equal the signature was
* valid.
*
* digest = OpenSSL::Digest::SHA256.new
* if key.verify digest, signature, document
* puts 'Valid'
* else
* puts 'Invalid'
* end
*
* == PBKDF2 Password-based Encryption
*
* If supported by the underlying OpenSSL version used, Password-based
* Encryption should use the features of PKCS5. If not supported or if
* required by legacy applications, the older, less secure methods specified
* in RFC 2898 are also supported (see below).
*
* PKCS5 supports PBKDF2 as it was specified in PKCS#5
* v2.0[http://www.rsa.com/rsalabs/node.asp?id=2127]. It still uses a
* password, a salt, and additionally a number of iterations that will
* slow the key derivation process down. The slower this is, the more work
* it requires being able to brute-force the resulting key.
*
* === Encryption
*
* The strategy is to first instantiate a Cipher for encryption, and
* then to generate a random IV plus a key derived from the password
* using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
* the number of iterations largely depends on the hardware being used.
*
* cipher = OpenSSL::Cipher.new 'AES-128-CBC'
* cipher.encrypt
* iv = cipher.random_iv
*
* pwd = 'some hopefully not to easily guessable password'
* salt = OpenSSL::Random.random_bytes 16
* iter = 20000
* key_len = cipher.key_len
* digest = OpenSSL::Digest::SHA256.new
*
* key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
* cipher.key = key
*
* Now encrypt the data:
*
* encrypted = cipher.update document
* encrypted << cipher.final
*
* === Decryption
*
* Use the same steps as before to derive the symmetric AES key, this time
* setting the Cipher up for decryption.
*
* cipher = OpenSSL::Cipher.new 'AES-128-CBC'
* cipher.decrypt
* cipher.iv = iv # the one generated with #random_iv
*
* pwd = 'some hopefully not to easily guessable password'
* salt = ... # the one generated above
* iter = 20000
* key_len = cipher.key_len
* digest = OpenSSL::Digest::SHA256.new
*
* key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
* cipher.key = key
*
* Now decrypt the data:
*
* decrypted = cipher.update encrypted
* decrypted << cipher.final
*
* == PKCS #5 Password-based Encryption
*
* PKCS #5 is a password-based encryption standard documented at
* RFC2898[http://www.ietf.org/rfc/rfc2898.txt]. It allows a short password or
* passphrase to be used to create a secure encryption key. If possible, PBKDF2
* as described above should be used if the circumstances allow it.
*
* PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption
* key.
*
* pass_phrase = 'my secure pass phrase goes here'
* salt = '8 octets'
*
* === Encryption
*
* First set up the cipher for encryption
*
* encrypter = OpenSSL::Cipher.new 'AES-128-CBC'
* encrypter.encrypt
* encrypter.pkcs5_keyivgen pass_phrase, salt
*
* Then pass the data you want to encrypt through
*
* encrypted = encrypter.update 'top secret document'
* encrypted << encrypter.final
*
* === Decryption
*
* Use a new Cipher instance set up for decryption
*
* decrypter = OpenSSL::Cipher.new 'AES-128-CBC'
* decrypter.decrypt
* decrypter.pkcs5_keyivgen pass_phrase, salt
*
* Then pass the data you want to decrypt through
*
* plain = decrypter.update encrypted
* plain << decrypter.final
*
* == X509 Certificates
*
* === Creating a Certificate
*
* This example creates a self-signed certificate using an RSA key and a SHA1
* signature.
*
* name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
*
* cert = OpenSSL::X509::Certificate.new
* cert.version = 2
* cert.serial = 0
* cert.not_before = Time.now
* cert.not_after = Time.now + 3600
*
* cert.public_key = key.public_key
* cert.subject = name
*
* === Certificate Extensions
*
* You can add extensions to the certificate with
* OpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate.
*
* extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert
*
* cert.add_extension \
* extension_factory.create_extension('basicConstraints', 'CA:FALSE', true)
*
* cert.add_extension \
* extension_factory.create_extension(
* 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
*
* cert.add_extension \
* extension_factory.create_extension('subjectKeyIdentifier', 'hash')
*
* The list of supported extensions (and in some cases their possible values)
* can be derived from the "objects.h" file in the OpenSSL source code.
*
* === Signing a Certificate
*
* To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign
* with a digest algorithm. This creates a self-signed cert because we're using
* the same name and key to sign the certificate as was used to create the
* certificate.
*
* cert.issuer = name
* cert.sign key, OpenSSL::Digest::SHA1.new
*
* open 'certificate.pem', 'w' do |io| io.write cert.to_pem end
*
* === Loading a Certificate
*
* Like a key, a cert can also be loaded from a file.
*
* cert2 = OpenSSL::X509::Certificate.new File.read 'certificate.pem'
*
* === Verifying a Certificate
*
* Certificate#verify will return true when a certificate was signed with the
* given public key.
*
* raise 'certificate can not be verified' unless cert2.verify key
*
* == Certificate Authority
*
* A certificate authority (CA) is a trusted third party that allows you to
* verify the ownership of unknown certificates. The CA issues key signatures
* that indicate it trusts the user of that key. A user encountering the key
* can verify the signature by using the CA's public key.
*
* === CA Key
*
* CA keys are valuable, so we encrypt and save it to disk and make sure it is
* not readable by other users.
*
* ca_key = OpenSSL::PKey::RSA.new 2048
*
* cipher = OpenSSL::Cipher::Cipher.new 'AES-128-CBC'
*
* open 'ca_key.pem', 'w', 0400 do |io|
* io.write ca_key.export(cipher, pass_phrase)
* end
*
* === CA Certificate
*
* A CA certificate is created the same way we created a certificate above, but
* with different extensions.
*
* ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
*
* ca_cert = OpenSSL::X509::Certificate.new
* ca_cert.serial = 0
* ca_cert.version = 2
* ca_cert.not_before = Time.now
* ca_cert.not_after = Time.now + 86400
*
* ca_cert.public_key = ca_key.public_key
* ca_cert.subject = ca_name
* ca_cert.issuer = ca_name
*
* extension_factory = OpenSSL::X509::ExtensionFactory.new
* extension_factory.subject_certificate = ca_cert
* extension_factory.issuer_certificate = ca_cert
*
* ca_cert.add_extension \
* extension_factory.create_extension('subjectKeyIdentifier', 'hash')
*
* This extension indicates the CA's key may be used as a CA.
*
* ca_cert.add_extension \
* extension_factory.create_extension('basicConstraints', 'CA:TRUE', true)
*
* This extension indicates the CA's key may be used to verify signatures on
* both certificates and certificate revocations.
*
* ca_cert.add_extension \
* extension_factory.create_extension(
* 'keyUsage', 'cRLSign,keyCertSign', true)
*
* Root CA certificates are self-signed.
*
* ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
*
* The CA certificate is saved to disk so it may be distributed to all the
* users of the keys this CA will sign.
*
* open 'ca_cert.pem', 'w' do |io|
* io.write ca_cert.to_pem
* end
*
* === Certificate Signing Request
*
* The CA signs keys through a Certificate Signing Request (CSR). The CSR
* contains the information necessary to identify the key.
*
* csr = OpenSSL::X509::Request.new
* csr.version = 0
* csr.subject = name
* csr.public_key = key.public_key
* csr.sign key, OpenSSL::Digest::SHA1.new
*
* A CSR is saved to disk and sent to the CA for signing.
*
* open 'csr.pem', 'w' do |io|
* io.write csr.to_pem
* end
*
* === Creating a Certificate from a CSR
*
* Upon receiving a CSR the CA will verify it before signing it. A minimal
* verification would be to check the CSR's signature.
*
* csr = OpenSSL::X509::Request.new File.read 'csr.pem'
*
* raise 'CSR can not be verified' unless csr.verify csr.public_key
*
* After verification a certificate is created, marked for various usages,
* signed with the CA key and returned to the requester.
*
* csr_cert = OpenSSL::X509::Certificate.new
* csr_cert.serial = 0
* csr_cert.version = 2
* csr_cert.not_before = Time.now
* csr_cert.not_after = Time.now + 600
*
* csr_cert.subject = csr.subject
* csr_cert.public_key = csr.public_key
* csr_cert.issuer = ca_cert.subject
*
* extension_factory = OpenSSL::X509::ExtensionFactory.new
* extension_factory.subject_certificate = csr_cert
* extension_factory.issuer_certificate = ca_cert
*
* csr_cert.add_extension \
* extension_factory.create_extension('basicConstraints', 'CA:FALSE')
*
* csr_cert.add_extension \
* extension_factory.create_extension(
* 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
*
* csr_cert.add_extension \
* extension_factory.create_extension('subjectKeyIdentifier', 'hash')
*
* csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
*
* open 'csr_cert.pem', 'w' do |io|
* io.write csr_cert.to_pem
* end
*
* == SSL and TLS Connections
*
* Using our created key and certificate we can create an SSL or TLS connection.
* An SSLContext is used to set up an SSL session.
*
* context = OpenSSL::SSL::SSLContext.new
*
* === SSL Server
*
* An SSL server requires the certificate and private key to communicate
* securely with its clients:
*
* context.cert = cert
* context.key = key
*
* Then create an SSLServer with a TCP server socket and the context. Use the
* SSLServer like an ordinary TCP server.
*
* require 'socket'
*
* tcp_server = TCPServer.new 5000
* ssl_server = OpenSSL::SSL::SSLServer.new tcp_server, context
*
* loop do
* ssl_connection = ssl_server.accept
*
* data = connection.gets
*
* response = "I got #{data.dump}"
* puts response
*
* connection.puts "I got #{data.dump}"
* connection.close
* end
*
* === SSL client
*
* An SSL client is created with a TCP socket and the context.
* SSLSocket#connect must be called to initiate the SSL handshake and start
* encryption. A key and certificate are not required for the client socket.
*
* require 'socket'
*
* tcp_client = TCPSocket.new 'localhost', 5000
* ssl_client = OpenSSL::SSL::SSLSocket.new client_socket, context
* ssl_client.connect
*
* ssl_client.puts "hello server!"
* puts ssl_client.gets
*
* === Peer Verification
*
* An unverified SSL connection does not provide much security. For enhanced
* security the client or server can verify the certificate of its peer.
*
* The client can be modified to verify the server's certificate against the
* certificate authority's certificate:
*
* context.ca_file = 'ca_cert.pem'
* context.verify_mode = OpenSSL::SSL::VERIFY_PEER
*
* require 'socket'
*
* tcp_client = TCPSocket.new 'localhost', 5000
* ssl_client = OpenSSL::SSL::SSLSocket.new client_socket, context
* ssl_client.connect
*
* ssl_client.puts "hello server!"
* puts ssl_client.gets
*
* If the server certificate is invalid or <tt>context.ca_file</tt> is not set
* when verifying peers an OpenSSL::SSL::SSLError will be raised.
*
*/
void
Init_openssl()
{
/*
* Init timezone info
*/
#if 0
tzset();
#endif
/*
* Init all digests, ciphers
*/
/* CRYPTO_malloc_init(); */
/* ENGINE_load_builtin_engines(); */
OpenSSL_add_ssl_algorithms();
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
SSL_load_error_strings();
/*
* FIXME:
* On unload do:
*/
#if 0
CONF_modules_unload(1);
destroy_ui_method();
EVP_cleanup();
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
ERR_free_strings();
#endif
/*
* Init main module
*/
mOSSL = rb_define_module("OpenSSL");
rb_global_variable(&mOSSL);
/*
* OpenSSL ruby extension version
*/
rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION));
/*
* Version of OpenSSL the ruby OpenSSL extension was built with
*/
rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
/*
* Version number of OpenSSL the ruby OpenSSL extension was built with
* (base 16)
*/
rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
/*
* Boolean indicating whether OpenSSL is FIPS-enabled or not
*/
#ifdef HAVE_OPENSSL_FIPS
rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
#else
rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
#endif
rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
/*
* Generic error,
* common for all classes under OpenSSL module
*/
eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError);
rb_global_variable(&eOSSLError);
/*
* Verify callback Proc index for ext-data
*/
if ((ossl_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, (void *)"ossl_verify_cb_idx", 0, 0, 0)) < 0)
ossl_raise(eOSSLError, "X509_STORE_CTX_get_ex_new_index");
/*
* Init debug core
*/
dOSSL = Qfalse;
rb_global_variable(&dOSSL);
rb_define_module_function(mOSSL, "debug", ossl_debug_get, 0);
rb_define_module_function(mOSSL, "debug=", ossl_debug_set, 1);
rb_define_module_function(mOSSL, "errors", ossl_get_errors, 0);
/*
* Get ID of to_der
*/
ossl_s_to_der = rb_intern("to_der");
Init_ossl_locks();
/*
* Init components
*/
Init_ossl_bn();
Init_ossl_cipher();
Init_ossl_config();
Init_ossl_digest();
Init_ossl_hmac();
Init_ossl_ns_spki();
Init_ossl_pkcs12();
Init_ossl_pkcs7();
Init_ossl_pkcs5();
Init_ossl_pkey();
Init_ossl_rand();
Init_ossl_ssl();
Init_ossl_x509();
Init_ossl_ocsp();
Init_ossl_engine();
Init_ossl_asn1();
}
int main(int argc, char *argv[])
{
BIO *err;
int testresult = 0;
int currtest = 0;
SSL_library_init();
SSL_load_error_strings();
err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
confctx = SSL_CONF_CTX_new();
ctx = SSL_CTX_new(SSLv23_method());
ssl = SSL_new(ctx);
if (confctx == NULL || ctx == NULL)
goto end;
SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
| SSL_CONF_FLAG_CLIENT
| SSL_CONF_FLAG_SERVER);
/*
* For each test set up an SSL_CTX and SSL and see whether SSLv2 is enabled
* as expected after various SSL_CONF_cmd("Protocol", ...) calls.
*/
for (currtest = 0; currtest < TOTAL_NUM_TESTS; currtest++) {
BIO_printf(err, "SSLv2 CONF Test number %d\n", currtest);
if (currtest == TEST_SSL_CTX)
SSL_CONF_CTX_set_ssl_ctx(confctx, ctx);
else
SSL_CONF_CTX_set_ssl(confctx, ssl);
/* SSLv2 should be off by default */
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off by default test FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "ALL") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Should still be off even after ALL Protocols on */
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off after config #1 FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "SSLv2") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Should still be off even if explicitly asked for */
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off after config #2 FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "-SSLv2") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");;
goto end;
}
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off after config #3 FAIL\n");
goto end;
}
if (currtest == TEST_SSL_CTX)
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
else
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
if (!checksslv2(currtest, SSLV2ON)) {
BIO_printf(err, "SSLv2 CONF Test: On after clear FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "ALL") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Option has been cleared and config says have SSLv2 so should be on */
if (!checksslv2(currtest, SSLV2ON)) {
BIO_printf(err, "SSLv2 CONF Test: On after config #1 FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "SSLv2") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Option has been cleared and config says have SSLv2 so should be on */
if (!checksslv2(currtest, SSLV2ON)) {
BIO_printf(err, "SSLv2 CONF Test: On after config #2 FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "-SSLv2") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Option has been cleared but config says no SSLv2 so should be off */
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off after config #4 FAIL\n");
goto end;
}
}
testresult = 1;
end:
SSL_free(ssl);
SSL_CTX_free(ctx);
SSL_CONF_CTX_free(confctx);
if (!testresult) {
printf("SSLv2 CONF test: FAILED (Test %d)\n", currtest);
ERR_print_errors(err);
} else {
printf("SSLv2 CONF test: PASSED\n");
}
ERR_free_strings();
ERR_remove_thread_state(NULL);
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
CRYPTO_mem_leaks(err);
BIO_free(err);
return testresult ? EXIT_SUCCESS : EXIT_FAILURE;
}
int main(int argc,char **argv)
{
const char *szTestFile;
FILE *f;
if(argc != 2)
{
fprintf(stderr,"%s <test file>\n",argv[0]);
EXIT(1);
}
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
szTestFile=argv[1];
f=fopen(szTestFile,"r");
if(!f)
{
perror(szTestFile);
EXIT(2);
}
/* Load up the software EVP_CIPHER and EVP_MD definitions */
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
#ifndef OPENSSL_NO_ENGINE
/* Load all compiled-in ENGINEs */
ENGINE_load_builtin_engines();
#endif
#if 0
OPENSSL_config();
#endif
#ifndef OPENSSL_NO_ENGINE
/* Register all available ENGINE implementations of ciphers and digests.
* This could perhaps be changed to "ENGINE_register_all_complete()"? */
ENGINE_register_all_ciphers();
ENGINE_register_all_digests();
/* If we add command-line options, this statement should be switchable.
* It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if
* they weren't already initialised. */
/* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */
#endif
for( ; ; )
{
char line[4096];
char *p;
char *cipher;
unsigned char *iv,*key,*plaintext,*ciphertext;
int encdec;
int kn,in,pn,cn;
if(!fgets((char *)line,sizeof line,f))
break;
if(line[0] == '#' || line[0] == '\n')
continue;
p=line;
cipher=sstrsep(&p,":");
key=ustrsep(&p,":");
iv=ustrsep(&p,":");
plaintext=ustrsep(&p,":");
ciphertext=ustrsep(&p,":");
if (p[-1] == '\n') {
p[-1] = '\0';
encdec = -1;
} else {
encdec = atoi(sstrsep(&p,"\n"));
}
kn=convert(key);
in=convert(iv);
pn=convert(plaintext);
cn=convert(ciphertext);
if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec)
&& !test_digest(cipher,plaintext,pn,ciphertext,cn))
{
#ifdef OPENSSL_NO_AES
if (strstr(cipher, "AES") == cipher)
{
fprintf(stdout, "Cipher disabled, skipping %s\n", cipher);
continue;
}
#endif
#ifdef OPENSSL_NO_DES
if (strstr(cipher, "DES") == cipher)
{
fprintf(stdout, "Cipher disabled, skipping %s\n", cipher);
continue;
}
#endif
#ifdef OPENSSL_NO_RC4
if (strstr(cipher, "RC4") == cipher)
{
fprintf(stdout, "Cipher disabled, skipping %s\n", cipher);
continue;
}
#endif
#ifdef OPENSSL_NO_CAMELLIA
if (strstr(cipher, "CAMELLIA") == cipher)
{
fprintf(stdout, "Cipher disabled, skipping %s\n", cipher);
continue;
}
#endif
fprintf(stderr,"Can't find %s\n",cipher);
EXIT(3);
}
}
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
ERR_free_strings();
CRYPTO_mem_leaks_fp(stderr);
return 0;
}
~openssl_scope()
{
EVP_cleanup();
ERR_free_strings();
}
int ssl_test_dsa(int argc, char **argv)
{
BN_GENCB cb;
DSA *dsa=NULL;
int counter,ret=0,i,j;
unsigned char buf[256];
unsigned long h;
unsigned char sig[256];
unsigned int siglen;
#ifndef OPENSSL_SYS_WINDOWS
bio_err = BIO_new(BIO_s_mem());
if (bio_err == NULL) return(1);
#else
if (bio_err == NULL)
bio_err=BIO_new_fp(OPENSSL_TYPE__FILE_STDERR,BIO_NOCLOSE);
#endif
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
ERR_load_crypto_strings();
RAND_seed(rnd_seed, sizeof rnd_seed);
TINYCLR_SSL_PRINTF("test generation of DSA parameters\n");
BN_GENCB_set(&cb, dsa_cb, bio_err);
if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
seed, 20, &counter, &h, &cb))
goto end;
TINYCLR_SSL_PRINTF("seed\n");
for (i=0; i<20; i+=4)
{
TINYCLR_SSL_PRINTF("%02X%02X%02X%02X ",
seed[i],seed[i+1],seed[i+2],seed[i+3]);
}
TINYCLR_SSL_PRINTF("\ncounter=%d h=%ld\n",counter,h);
DSA_print(bio_err,dsa,0);
if (counter != 105)
{
TINYCLR_SSL_PRINTF("counter should be 105\n");
goto end;
}
if (h != 2)
{
TINYCLR_SSL_PRINTF("h should be 2\n");
goto end;
}
i=BN_bn2bin(dsa->q,buf);
j=sizeof(out_q);
if ((i != j) || (TINYCLR_SSL_MEMCMP(buf,out_q,i) != 0))
{
TINYCLR_SSL_PRINTF("q value is wrong\n");
goto end;
}
i=BN_bn2bin(dsa->p,buf);
j=sizeof(out_p);
if ((i != j) || (TINYCLR_SSL_MEMCMP(buf,out_p,i) != 0))
{
TINYCLR_SSL_PRINTF("p value is wrong\n");
goto end;
}
i=BN_bn2bin(dsa->g,buf);
j=sizeof(out_g);
if ((i != j) || (TINYCLR_SSL_MEMCMP(buf,out_g,i) != 0))
{
TINYCLR_SSL_PRINTF("g value is wrong\n");
goto end;
}
dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
ret=1;
dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
ret=1;
end:
if (!ret)
ERR_print_errors(bio_err);
if (dsa != NULL) DSA_free(dsa);
CRYPTO_cleanup_all_ex_data();
ERR_remove_thread_state(NULL);
ERR_free_strings();
CRYPTO_mem_leaks(bio_err);
if (bio_err != NULL)
{
BIO_free(bio_err);
bio_err = NULL;
}
#ifdef OPENSSL_SYS_NETWARE
if (!ret) TINYCLR_SSL_PRINTF("ERROR\n");
#endif
return(0);
}
void
crypto_finish(void)
{
ERR_free_strings();
}
int main(int argc, char **argv) {
int c = 0;
char *ptr, *progname = *argv;
const char *cmdopts = "hqv", *secret = NULL;
ptr = strrchr(progname, '/');
if (ptr != NULL) {
progname = ptr+1;
}
opterr = 0;
while ((c =
#ifdef HAVE_GETOPT_LONG
getopt_long(argc, argv, cmdopts, opts, NULL)
#else /* HAVE_GETOPT_LONG */
getopt(argc, argv, cmdopts)
#endif /* HAVE_GETOPT_LONG */
) != -1) {
switch (c) {
case 'h':
show_usage(progname, 0);
break;
case 'q':
verbose = FALSE;
quiet = TRUE;
break;
case 'v':
quiet = FALSE;
verbose = TRUE;
break;
case '?':
fprintf(stderr, "unknown option: %c\n", (char) optopt);
show_usage(progname, 1);
break;
}
}
auth_otp_pool = make_sub_pool(NULL);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
OPENSSL_config(NULL);
#endif /* prior to OpenSSL-1.1.x */
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
secret = generate_secret(auth_otp_pool);
if (secret == NULL) {
return 1;
}
if (quiet) {
fprintf(stdout, "%s\n", secret);
} else {
int code;
code = generate_code(auth_otp_pool, secret, strlen(secret));
if (code < 0) {
fprintf(stderr, "%s: error generating verification code: %s\n", progname,
strerror(errno));
destroy_pool(auth_otp_pool);
return 1;
}
fprintf(stdout, "-------------------------------------------------\n");
fprintf(stdout, "Your new secret key is: %s\n\n", secret);
fprintf(stdout, "To add this key to your SQL table, you might use:\n\n");
fprintf(stdout, " INSERT INTO auth_otp (secret, counter) VALUES ('%s', 0);\n\n",
secret);
fprintf(stdout, "Your verification code is: %06d\n", code);
fprintf(stdout, "-------------------------------------------------\n");
}
ERR_free_strings();
EVP_cleanup();
RAND_cleanup();
destroy_pool(auth_otp_pool);
return 0;
}
int main2(int argc, char **argv) {
InitializeCriticalSection(&mutex);
EnterCriticalSection(&mutex);
#endif
if(!detach())
return 1;
#ifdef HAVE_MLOCKALL
/* Lock all pages into memory if requested.
* This has to be done after daemon()/fork() so it works for child.
* No need to do that in parent as it's very short-lived. */
if(do_mlock && mlockall(MCL_CURRENT | MCL_FUTURE) != 0) {
logger(LOG_ERR, "System call `%s' failed: %s", "mlockall",
strerror(errno));
return 1;
}
#endif
/* Setup sockets and open device. */
if(!setup_network())
goto end;
/* Initiate all outgoing connections. */
try_outgoing_connections();
/* Change process priority */
char *priority = 0;
if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) {
if(!strcasecmp(priority, "Normal")) {
if (setpriority(NORMAL_PRIORITY_CLASS) != 0) {
logger(LOG_ERR, "System call `%s' failed: %s",
"setpriority", strerror(errno));
goto end;
}
} else if(!strcasecmp(priority, "Low")) {
if (setpriority(BELOW_NORMAL_PRIORITY_CLASS) != 0) {
logger(LOG_ERR, "System call `%s' failed: %s",
"setpriority", strerror(errno));
goto end;
}
} else if(!strcasecmp(priority, "High")) {
if (setpriority(HIGH_PRIORITY_CLASS) != 0) {
logger(LOG_ERR, "System call `%s' failed: %s",
"setpriority", strerror(errno));
goto end;
}
} else {
logger(LOG_ERR, "Invalid priority `%s`!", priority);
goto end;
}
}
/* drop privileges */
if (!drop_privs())
goto end;
/* Start main loop. It only exits when tinc is killed. */
status = main_loop();
/* Shutdown properly. */
ifdebug(CONNECTIONS)
dump_device_stats();
close_network_connections();
end:
logger(LOG_NOTICE, "Terminating");
#ifndef HAVE_MINGW
remove_pid(pidfilename);
#endif
EVP_cleanup();
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
ERR_free_strings();
exit_configuration(&config_tree);
free_names();
return status;
}
void crypto_deinit(){
EVP_cleanup();
ERR_free_strings();
}
void free_openssl()
{
RAND_cleanup();
ERR_free_strings();
}
jint Java_org_keysupport_provider_ECDSASignature_jniVerifyFinal(JNIEnv *env,
jobject obj, jbyteArray jmsg, jint jmdid, jbyteArray jsig) {
// LOGD("entering ECDSASignature_jniVerifyFinal");
EC_Ctx *ec;
EVP_MD_CTX *ctx = 0;
const EVP_MD *md;
jsize msgLen = 0;
jsize sigLen = 0;
const unsigned char *sig_ptr = NULL;
if (!(ec = get_ptr(env, obj))) {
LOGE("Failed to obtain key pointer");
return 0;
}
if (!(ctx = (EVP_MD_CTX *) malloc(sizeof(EVP_MD_CTX)))) {
throw_exception(env, "java/lang/RuntimeException",
"allocating EVP_MD_CTX");
destroy_ec_ctx(ec);
FIPS_md_ctx_destroy(ctx);
return 0;
}
md = FIPS_get_digestbynid(jmdid);
ctx = EVP_MD_CTX_create();
msgLen = (*env)->GetArrayLength(env, jmsg);
sigLen = (*env)->GetArrayLength(env, jsig);
jbyte msg[msgLen];
jbyte sig[sigLen];
(*env)->GetByteArrayRegion(env, jmsg, 0, msgLen, msg);
(*env)->GetByteArrayRegion(env, jsig, 0, sigLen, sig);
sig_ptr = sig;
ECDSA_SIG *esig = d2i_ECDSA_SIG(NULL, &sig_ptr, sigLen);
FIPS_digestinit(ctx, md);
int ok = FIPS_ecdsa_verify(ec->ec, msg, msgLen, md, esig);
/*
* This is handled a bit differently than the way OpenSSL
* handles RSA Signatures, so our error handling below is a bit different.
*
* returns
* 1: correct signature
* 0: incorrect signature
* -1: error
*/
// LOGD("FIPS_ecdsa_verify Returned: %d\n", ok);
FIPS_md_ctx_destroy(ctx);
FIPS_ecdsa_sig_free(esig);
if (ok == 0) {
throw_exception(env, "java/security/SignatureException",
"Bad Signature");
return 0;
} else if (ok == -1) {
/*
* TODO: Print any pending errors
* ERR_print_errors_fp(ANDROID_LOG_ERROR);
*/
ERR_load_crypto_strings();
LOGE("%s", ERR_error_string(ERR_peek_error(), NULL));
throw_exception(env, "java/security/SignatureException",
"jniVerifyFinal fail");
ERR_free_strings();
return 0;
}
// LOGD("leaving ECDSASignature_jniVerifyFinal");
return ok;
}
int main(int argc, char **argv)
{
int ret;
struct server_settings settings;
// load arguments
ret = parse_server_settings(argc, (char **) argv, &settings);
if (is_failure(ret))
{
print_usage;
return ret;
}
int sock;
SSL_CTX *ssl_ctx;
SSL *ssl;
pthread_t thread_id;
struct client client = {&settings, NULL};
// init ssl
if (is_failure(init_ssl(&ssl_ctx, NULL, settings.cert_path, settings.key_path)))
goto GENERAL_CLEAN_UP;
sock = create_server_socket(settings.port);
printf("Listening on port %d\n", settings.port);
register_signal_handler();
while (server_running)
{
struct sockaddr_in addr;
uint len = sizeof addr;
int client_sock = accept(sock, (struct sockaddr *) &addr, &len);
if (client_sock < 0)
{
// not clean
if (server_running)
{
error_print("Failed to accept client connection\n");
ret = ERROR_SOCKET;
}
break;
}
puts("Client connected");
if (is_failure(accept_ssl(ssl_ctx, &ssl, client_sock)))
continue;
// spawn thread
client.ssl = ssl;
if (pthread_create(&thread_id, NULL, client_handler, (void *) &client) < 0)
error_print("Failed to spawn client thread\n");
}
GENERAL_CLEAN_UP:
puts("\nCleaning up");
if (ssl_ctx != NULL)
SSL_CTX_free(ssl_ctx);
ERR_free_strings();
EVP_cleanup();
return ret;
}
int
main(int argc, char **argv)
{
int r;
struct evhttp_uri *http_uri = NULL;
const char *url = NULL, *data_file = NULL;
const char *crt = "/etc/ssl/certs/ca-certificates.crt";
const char *scheme, *host, *path, *query;
char uri[256];
int port;
int retries = 0;
int timeout = -1;
SSL_CTX *ssl_ctx = NULL;
SSL *ssl = NULL;
struct bufferevent *bev;
struct evhttp_connection *evcon = NULL;
struct evhttp_request *req;
struct evkeyvalq *output_headers;
struct evbuffer *output_buffer;
int i;
int ret = 0;
enum { HTTP, HTTPS } type = HTTP;
for (i = 1; i < argc; i++) {
if (!strcmp("-url", argv[i])) {
if (i < argc - 1) {
url = argv[i + 1];
} else {
syntax();
goto error;
}
} else if (!strcmp("-crt", argv[i])) {
if (i < argc - 1) {
crt = argv[i + 1];
} else {
syntax();
goto error;
}
} else if (!strcmp("-ignore-cert", argv[i])) {
ignore_cert = 1;
} else if (!strcmp("-data", argv[i])) {
if (i < argc - 1) {
data_file = argv[i + 1];
} else {
syntax();
goto error;
}
} else if (!strcmp("-retries", argv[i])) {
if (i < argc - 1) {
retries = atoi(argv[i + 1]);
} else {
syntax();
goto error;
}
} else if (!strcmp("-timeout", argv[i])) {
if (i < argc - 1) {
timeout = atoi(argv[i + 1]);
} else {
syntax();
goto error;
}
} else if (!strcmp("-help", argv[i])) {
syntax();
goto error;
}
}
if (!url) {
syntax();
goto error;
}
#ifdef _WIN32
{
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD(2, 2);
err = WSAStartup(wVersionRequested, &wsaData);
if (err != 0) {
printf("WSAStartup failed with error: %d\n", err);
goto error;
}
}
#endif // _WIN32
http_uri = evhttp_uri_parse(url);
if (http_uri == NULL) {
err("malformed url");
goto error;
}
scheme = evhttp_uri_get_scheme(http_uri);
if (scheme == NULL || (strcasecmp(scheme, "https") != 0 &&
strcasecmp(scheme, "http") != 0)) {
err("url must be http or https");
goto error;
}
host = evhttp_uri_get_host(http_uri);
if (host == NULL) {
err("url must have a host");
goto error;
}
port = evhttp_uri_get_port(http_uri);
if (port == -1) {
port = (strcasecmp(scheme, "http") == 0) ? 80 : 443;
}
path = evhttp_uri_get_path(http_uri);
if (strlen(path) == 0) {
path = "/";
}
query = evhttp_uri_get_query(http_uri);
if (query == NULL) {
snprintf(uri, sizeof(uri) - 1, "%s", path);
} else {
snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query);
}
uri[sizeof(uri) - 1] = '\0';
#if OPENSSL_VERSION_NUMBER < 0x10100000L
// Initialize OpenSSL
SSL_library_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
#endif
/* This isn't strictly necessary... OpenSSL performs RAND_poll
* automatically on first use of random number generator. */
r = RAND_poll();
if (r == 0) {
err_openssl("RAND_poll");
goto error;
}
/* Create a new OpenSSL context */
ssl_ctx = SSL_CTX_new(SSLv23_method());
if (!ssl_ctx) {
err_openssl("SSL_CTX_new");
goto error;
}
#ifndef _WIN32
/* TODO: Add certificate loading on Windows as well */
/* Attempt to use the system's trusted root certificates.
* (This path is only valid for Debian-based systems.) */
if (1 != SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL)) {
err_openssl("SSL_CTX_load_verify_locations");
goto error;
}
/* Ask OpenSSL to verify the server certificate. Note that this
* does NOT include verifying that the hostname is correct.
* So, by itself, this means anyone with any legitimate
* CA-issued certificate for any website, can impersonate any
* other website in the world. This is not good. See "The
* Most Dangerous Code in the World" article at
* https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
*/
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
/* This is how we solve the problem mentioned in the previous
* comment. We "wrap" OpenSSL's validation routine in our
* own routine, which also validates the hostname by calling
* the code provided by iSECPartners. Note that even though
* the "Everything You've Always Wanted to Know About
* Certificate Validation With OpenSSL (But Were Afraid to
* Ask)" paper from iSECPartners says very explicitly not to
* call SSL_CTX_set_cert_verify_callback (at the bottom of
* page 2), what we're doing here is safe because our
* cert_verify_callback() calls X509_verify_cert(), which is
* OpenSSL's built-in routine which would have been called if
* we hadn't set the callback. Therefore, we're just
* "wrapping" OpenSSL's routine, not replacing it. */
SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback,
(void *) host);
#else // _WIN32
(void)crt;
#endif // _WIN32
// Create event base
base = event_base_new();
if (!base) {
perror("event_base_new()");
goto error;
}
// Create OpenSSL bufferevent and stack evhttp on top of it
ssl = SSL_new(ssl_ctx);
if (ssl == NULL) {
err_openssl("SSL_new()");
goto error;
}
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
// Set hostname for SNI extension
SSL_set_tlsext_host_name(ssl, host);
#endif
if (strcasecmp(scheme, "http") == 0) {
bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE);
} else {
type = HTTPS;
bev = bufferevent_openssl_socket_new(base, -1, ssl,
BUFFEREVENT_SSL_CONNECTING,
BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
}
if (bev == NULL) {
fprintf(stderr, "bufferevent_openssl_socket_new() failed\n");
goto error;
}
bufferevent_openssl_set_allow_dirty_shutdown(bev, 1);
// For simplicity, we let DNS resolution block. Everything else should be
// asynchronous though.
evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev,
host, port);
if (evcon == NULL) {
fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n");
goto error;
}
if (retries > 0) {
evhttp_connection_set_retries(evcon, retries);
}
if (timeout >= 0) {
evhttp_connection_set_timeout(evcon, timeout);
}
// Fire off the request
req = evhttp_request_new(http_request_done, bev);
if (req == NULL) {
fprintf(stderr, "evhttp_request_new() failed\n");
goto error;
}
output_headers = evhttp_request_get_output_headers(req);
evhttp_add_header(output_headers, "Host", host);
evhttp_add_header(output_headers, "Connection", "close");
if (data_file) {
/* NOTE: In production code, you'd probably want to use
* evbuffer_add_file() or evbuffer_add_file_segment(), to
* avoid needless copying. */
FILE * f = fopen(data_file, "rb");
char buf[1024];
size_t s;
size_t bytes = 0;
if (!f) {
syntax();
goto error;
}
output_buffer = evhttp_request_get_output_buffer(req);
while ((s = fread(buf, 1, sizeof(buf), f)) > 0) {
evbuffer_add(output_buffer, buf, s);
bytes += s;
}
evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes);
evhttp_add_header(output_headers, "Content-Length", buf);
fclose(f);
}
r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri);
if (r != 0) {
fprintf(stderr, "evhttp_make_request() failed\n");
goto error;
}
event_base_dispatch(base);
goto cleanup;
error:
ret = 1;
cleanup:
if (evcon)
evhttp_connection_free(evcon);
if (http_uri)
evhttp_uri_free(http_uri);
event_base_free(base);
if (ssl_ctx)
SSL_CTX_free(ssl_ctx);
if (type == HTTP && ssl)
SSL_free(ssl);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
ERR_free_strings();
#ifdef EVENT__HAVE_ERR_REMOVE_THREAD_STATE
ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
#endif /*OPENSSL_VERSION_NUMBER < 0x10100000L */
#ifdef _WIN32
WSACleanup();
#endif
return ret;
}