int lu_fsctl_mount(struct fs_ctl *ctl){ int res; struct file_system *fs; if(!ctl->fs_ops) return 0; if(!(fs = new_fsinstance(ctl))) return 0; res = ctl->fs_ops->mount(fs->fs_context); if(res){ ctl->fs_available = fs; fs->fs_mounted = 1; if(load_credentials(ctl, fs) < 0) TRACE("could not load credentials."); else TRACE("credentials loaded."); }else{ WARN("fs mount failed..."); free(fs); } return res; }
// Use this to load the keys for a Nym (whether public or private), and then // call VerifyPseudonym, and then load the actual Nymfile using // LoadSignedNymfile. bool Nym::LoadCredentials( bool bLoadPrivate, const OTPasswordData* pPWData, const OTPassword* pImportPassword) { eLock lock(shared_lock_); return load_credentials(lock); }
// This version is run on the server side, and assumes only a Public Key. // This code reads up the file, discards the bookends, and saves only the // gibberish itself. bool Nym::LoadPublicKey() { eLock lock(shared_lock_); if (load_credentials(lock) && (m_mapCredentialSets.size() > 0)) { return true; } LogVerbose(OT_METHOD)(__FUNCTION__)(": Failure. ").Flush(); return false; }
/** * Accept the GSI Authentication. * @param sock the socket for communication. * @param ctx the authorization context. * @return the context identifier. */ bool GSISocketServer::AcceptGSIAuthentication() { char *name = NULL; long errorcode = 0; int flags; time_t curtime, starttime; int ret, accept_status; bool accept_timed_out = false; int expected = 0; BIO *bio = NULL; char *cert_file, *user_cert, *user_key, *user_proxy; char *serial=NULL; cert_file = user_cert = user_key = user_proxy = NULL; if (proxy_get_filenames(0, &cert_file, &cacertdir, &user_proxy, &user_cert, &user_key) == 0) { (void)load_credentials(user_cert, user_key, &ucert, &own_stack, &upkey, NULL); } free(cert_file); free(user_cert); free(user_key); free(user_proxy); own_cert = ucert; own_key = upkey; ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_load_verify_locations(ctx, NULL, cacertdir); SSL_CTX_use_certificate(ctx, ucert); SSL_CTX_use_PrivateKey(ctx,upkey); SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2"); SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY); SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback); SSL_CTX_set_verify_depth(ctx, 100); SSL_CTX_set_cert_verify_callback(ctx, proxy_app_verify_callback, 0); if (own_stack) { /* * Certificate was a proxy with a cert. chain. * Add the certificates one by one to the chain. */ X509_STORE_add_cert(ctx->cert_store, ucert); for (int i = 0; i <sk_X509_num(own_stack); ++i) { X509 *cert = (sk_X509_value(own_stack,i)); if (!X509_STORE_add_cert(ctx->cert_store, cert)) { if (ERR_GET_REASON(ERR_peek_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE) { ERR_clear_error(); continue; } else { SetErrorOpenSSL("Cannot add certificate to the SSL context's certificate store"); goto err; } } } } flags = fcntl(newsock, F_GETFL, 0); (void)fcntl(newsock, F_SETFL, flags | O_NONBLOCK); bio = BIO_new_socket(newsock, BIO_NOCLOSE); (void)BIO_set_nbio(bio, 1); ssl = SSL_new(ctx); setup_SSL_proxy_handler(ssl, cacertdir); writeb = bio->method->bwrite; readb = bio->method->bread; bio->method->bwrite = globusf_write; bio->method->bread = globusf_read; SSL_set_bio(ssl, bio, bio); curtime = starttime = time(NULL); ret = accept_status = -1; expected = 0; do { ret = do_select(newsock, starttime, timeout, expected); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Select status: %d",ret); curtime = time(NULL); if (ret == 0){ LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Select timed out."); if (curtime - starttime > timeout){ accept_timed_out = true; break; }else{ continue; } } if (ret > 0) { accept_status = SSL_accept(ssl); curtime = time(NULL); expected = errorcode = SSL_get_error(ssl, accept_status); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Accept status: %d",accept_status); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Error code: %d",errorcode); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "SSL_WANT_READ: %d, SSL_WANT_WRITE: %d",SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE); } if (ret < 0) // No more data from the select break; if (accept_status == 1) // SSL handshake completed break; if (timeout != -1 && (curtime - starttime > timeout)){ // Timeout reached accept_timed_out = true; break; } if (accept_status <= 0 && ( errorcode != SSL_ERROR_WANT_READ && errorcode != SSL_ERROR_WANT_WRITE )) // SSL handshake error break; } while (true); // Error enstabilishing context if (accept_status != 1){ LOGM(VARP, logh, LEV_INFO, T_PRE, "Error enstabilishing SSL context."); if (accept_timed_out){ SetError("SSL Handshake failed due to server timeout!"); }else{ SetErrorOpenSSL("SSL Handshake error:"); } goto err; } // Context enstabilished actual_cert = SSL_get_peer_certificate(ssl); peer_stack = SSL_get_peer_cert_chain(ssl); char buffer[1000]; // if (LogLevelMin(logh, LEV_DEBUG)) { LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Certificate DN: %s", X509_NAME_oneline(X509_get_subject_name(actual_cert), buffer, 999)); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Certificate CA: %s", X509_NAME_oneline(X509_get_issuer_name(actual_cert), buffer, 999)); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Stack Size: %d", sk_X509_num(peer_stack)); // } peer_cert = get_real_cert(actual_cert, peer_stack); if (peer_cert) { char *name = X509_NAME_oneline(X509_get_subject_name(peer_cert), NULL, 0); own_subject = std::string(name); OPENSSL_free(name); } if (LogLevelMin(logh, LEV_DEBUG)){ for (int i = 0; i < sk_X509_num(peer_stack); i++) { X509 *cert = sk_X509_value(peer_stack, i); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Certificate DN: %s", X509_NAME_oneline(X509_get_subject_name(cert), buffer, 999)); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Certificate CA: %s", X509_NAME_oneline(X509_get_issuer_name(cert), buffer, 999)); } } name = X509_NAME_oneline(X509_get_subject_name(peer_cert), NULL, 0); if (name) peer_subject = std::string(name); OPENSSL_free(name); name = X509_NAME_oneline(X509_get_issuer_name(peer_cert), NULL, 0); if (name) peer_ca = std::string(name); OPENSSL_free(name); serial = get_peer_serial(actual_cert); peer_serial = std::string(serial ? serial : ""); OPENSSL_free(serial); return true; err: destroy_SSL_proxy_handler(ssl); SSL_free(ssl); SSL_CTX_free(ctx); return false; }