gboolean
_lm_ssl_set_ca (LmSSL *ssl,
const gchar *ca_path)
{
struct stat target;
int success = 0;
if (stat (ca_path, &target) != 0) {
g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL,
"ca_path '%s': no such file or directory", ca_path);
return FALSE;
}
if (S_ISDIR (target.st_mode)) {
success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, NULL, ca_path);
} else if (S_ISREG (target.st_mode)) {
success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, ca_path, NULL);
}
if (success == 0) {
g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL,
"Loading of ca_path '%s' failed: %s",
ca_path,
ERR_error_string(ERR_peek_last_error(), NULL));
return FALSE;
}
return TRUE;
}
static void error_queue(const char *name)
{
if (ERR_peek_last_error()) {
fprintf(stderr, "%s generated errors:\n", name);
ERR_print_errors_fp(stderr);
}
}
/*
* Errors
*/
static VALUE
ossl_make_error(VALUE exc, const char *fmt, va_list args)
{
VALUE str = Qnil;
unsigned long e;
if (fmt) {
str = rb_vsprintf(fmt, args);
}
e = ERR_peek_last_error();
if (e) {
const char *msg = ERR_reason_error_string(e);
if (NIL_P(str)) {
if (msg) str = rb_str_new_cstr(msg);
}
else {
if (RSTRING_LEN(str)) rb_str_cat2(str, ": ");
rb_str_cat2(str, msg ? msg : "(null)");
}
ossl_clear_error();
}
if (NIL_P(str)) str = rb_str_new(0, 0);
return rb_exc_new3(exc, str);
}
/*
* Errors
*/
static VALUE
ossl_make_error(VALUE exc, const char *fmt, va_list args)
{
char buf[BUFSIZ];
const char *msg;
long e;
int len = 0;
#ifdef HAVE_ERR_PEEK_LAST_ERROR
e = ERR_peek_last_error();
#else
e = ERR_peek_error();
#endif
if (fmt) {
len = vsnprintf(buf, BUFSIZ, fmt, args);
}
if (len < BUFSIZ && e) {
if (dOSSL == Qtrue) /* FULL INFO */
msg = ERR_error_string(e, NULL);
else
msg = ERR_reason_error_string(e);
len += snprintf(buf+len, BUFSIZ-len, "%s%s", (len ? ": " : ""), msg);
}
if (dOSSL == Qtrue){ /* show all errors on the stack */
while ((e = ERR_get_error()) != 0){
rb_warn("error on stack: %s", ERR_error_string(e, NULL));
}
}
ERR_clear_error();
if(len > BUFSIZ) len = rb_long2int(strlen(buf));
return rb_exc_new(exc, buf, len);
}
/* LCOV_EXCL_START */
static PyObject *
_setException(PyObject *exc)
{
unsigned long errcode;
const char *lib, *func, *reason;
errcode = ERR_peek_last_error();
if (!errcode) {
PyErr_SetString(exc, "unknown reasons");
return NULL;
}
ERR_clear_error();
lib = ERR_lib_error_string(errcode);
func = ERR_func_error_string(errcode);
reason = ERR_reason_error_string(errcode);
if (lib && func) {
PyErr_Format(exc, "[%s: %s] %s", lib, func, reason);
}
else if (lib) {
PyErr_Format(exc, "[%s] %s", lib, reason);
}
else {
PyErr_SetString(exc, reason);
}
return NULL;
}
int
X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
{
int ret = 0;
BIO *in = NULL;
int i, count = 0;
X509_CRL *x = NULL;
if (file == NULL)
return (1);
in = BIO_new(BIO_s_file_internal());
if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) {
X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_SYS_LIB);
goto err;
}
if (type == X509_FILETYPE_PEM) {
for (;;) {
x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
if (x == NULL) {
if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0)) {
ERR_clear_error();
break;
} else {
X509err(X509_F_X509_LOAD_CRL_FILE,
ERR_R_PEM_LIB);
goto err;
}
}
i = X509_STORE_add_crl(ctx->store_ctx, x);
if (!i)
goto err;
count++;
X509_CRL_free(x);
x = NULL;
}
ret = count;
} else if (type == X509_FILETYPE_ASN1) {
x = d2i_X509_CRL_bio(in, NULL);
if (x == NULL) {
X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_ASN1_LIB);
goto err;
}
i = X509_STORE_add_crl(ctx->store_ctx, x);
if (!i)
goto err;
ret = i;
} else {
X509err(X509_F_X509_LOAD_CRL_FILE, X509_R_BAD_X509_FILETYPE);
goto err;
}
err:
if (x != NULL)
X509_CRL_free(x);
if (in != NULL)
BIO_free(in);
return (ret);
}
ssize_t
iobuf_read_ssl(struct iobuf *io, void *ssl)
{
ssize_t n;
int r;
n = SSL_read(ssl, io->buf + io->wpos, iobuf_left(io));
if (n < 0) {
switch ((r = SSL_get_error(ssl, n))) {
case SSL_ERROR_WANT_READ:
return (IOBUF_WANT_READ);
case SSL_ERROR_WANT_WRITE:
return (IOBUF_WANT_WRITE);
case SSL_ERROR_SYSCALL:
if (ERR_peek_last_error())
return (IOBUF_SSLERROR);
if (r == 0)
errno = EPIPE;
return (IOBUF_ERROR);
default:
return (IOBUF_SSLERROR);
}
} else if (n == 0)
return (IOBUF_CLOSED);
io->wpos += n;
return (n);
}
static int def_load(CONF *conf, const char *name, long *line)
{
int ret;
BIO *in=NULL;
#ifndef OPENSSL_NO_FP_API
#ifdef OPENSSL_SYS_VMS
in=BIO_new_file(name, "r");
#else
in=BIO_new_file(name, "rb");
#endif
#endif
if (in == NULL)
{
if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
CONFerr(CONF_F_DEF_LOAD,CONF_R_NO_SUCH_FILE);
else
CONFerr(CONF_F_DEF_LOAD,ERR_R_SYS_LIB);
return 0;
}
ret = def_load_bio(conf, in, line);
BIO_free(in);
return ret;
}
ssize_t
iobuf_write_ssl(struct iobuf *io, void *ssl)
{
struct ioqbuf *q;
int r;
ssize_t n;
q = io->outq;
n = SSL_write(ssl, q->buf + q->rpos, q->wpos - q->rpos);
if (n <= 0) {
switch ((r = SSL_get_error(ssl, n))) {
case SSL_ERROR_WANT_READ:
return (IOBUF_WANT_READ);
case SSL_ERROR_WANT_WRITE:
return (IOBUF_WANT_WRITE);
case SSL_ERROR_ZERO_RETURN: /* connection closed */
return (IOBUF_CLOSED);
case SSL_ERROR_SYSCALL:
if (ERR_peek_last_error())
return (IOBUF_SSLERROR);
if (r == 0)
errno = EPIPE;
return (IOBUF_ERROR);
default:
return (IOBUF_SSLERROR);
}
}
iobuf_drain(io, n);
return (n);
}
/**
Validates key components of RSA context.
NOTE: This function performs integrity checks on all the RSA key material, so
the RSA key structure must contain all the private key data.
This function validates key compoents of RSA context in following aspects:
- Whether p is a prime
- Whether q is a prime
- Whether n = p * q
- Whether d*e = 1 mod lcm(p-1,q-1)
If RsaContext is NULL, then return FALSE.
@param[in] RsaContext Pointer to RSA context to check.
@retval TRUE RSA key components are valid.
@retval FALSE RSA key components are not valid.
**/
BOOLEAN
EFIAPI
RsaCheckKey (
IN VOID *RsaContext
)
{
UINTN Reason;
//
// Check input parameters.
//
if (RsaContext == NULL) {
return FALSE;
}
if (RSA_check_key ((RSA *) RsaContext) != 1) {
Reason = ERR_GET_REASON (ERR_peek_last_error ());
if (Reason == RSA_R_P_NOT_PRIME ||
Reason == RSA_R_Q_NOT_PRIME ||
Reason == RSA_R_N_DOES_NOT_EQUAL_P_Q ||
Reason == RSA_R_D_E_NOT_CONGRUENT_TO_1) {
return FALSE;
}
}
return TRUE;
}
int
SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *data, int data_len)
{
pem_password_cb *psw_fn = ctx->default_passwd_callback;
void *psw_arg = ctx->default_passwd_callback_userdata;
X509 *cert;
BIO *bio = NULL;
int ok;
ERR_clear_error();
/* Read from memory */
bio = BIO_new_mem_buf(data, data_len);
if (!bio) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
goto failed;
}
/* Load primary cert */
cert = PEM_read_bio_X509_AUX(bio, NULL, psw_fn, psw_arg);
if (!cert) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
goto failed;
}
/* Increments refcount */
ok = SSL_CTX_use_certificate(ctx, cert);
X509_free(cert);
if (!ok || ERR_peek_error())
goto failed;
/* Load extra certs */
ok = SSL_CTX_clear_extra_chain_certs(ctx);
while (ok) {
cert = PEM_read_bio_X509(bio, NULL, psw_fn, psw_arg);
if (!cert) {
/* Is it EOF? */
unsigned long err = ERR_peek_last_error();
if (ERR_GET_LIB(err) != ERR_LIB_PEM)
break;
if (ERR_GET_REASON(err) != PEM_R_NO_START_LINE)
break;
/* On EOF do successful exit */
BIO_free(bio);
ERR_clear_error();
return 1;
}
/* Does not increment refcount */
ok = SSL_CTX_add_extra_chain_cert(ctx, cert);
if (!ok)
X509_free(cert);
}
failed:
if (bio)
BIO_free(bio);
return 0;
}
//Get last err informations(without logging)
unsigned long PRE_ERR_GetLastError()
{
ErrCode = ERR_peek_last_error();
ERR_error_string(ErrCode,ErrBuff);
#ifdef DEBUG
printf("%d_%s\n",ErrNo++,ErrBuff);
#endif
return ErrCode;
}
int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
{
int ret = 0;
BIO *in = NULL;
int i, count = 0;
X509 *x = NULL;
in = BIO_new(BIO_s_file());
if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) {
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_SYS_LIB);
goto err;
}
if (type == X509_FILETYPE_PEM) {
for (;;) {
x = PEM_read_bio_X509_AUX(in, NULL, NULL, "");
if (x == NULL) {
if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0)) {
ERR_clear_error();
break;
} else {
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_PEM_LIB);
goto err;
}
}
i = X509_STORE_add_cert(ctx->store_ctx, x);
if (!i)
goto err;
count++;
X509_free(x);
x = NULL;
}
ret = count;
} else if (type == X509_FILETYPE_ASN1) {
x = d2i_X509_bio(in, NULL);
if (x == NULL) {
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_ASN1_LIB);
goto err;
}
i = X509_STORE_add_cert(ctx->store_ctx, x);
if (!i)
goto err;
ret = i;
} else {
X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
goto err;
}
if (ret == 0)
X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_NO_CERTIFICATE_FOUND);
err:
X509_free(x);
BIO_free(in);
return ret;
}
int
ca_X509_verify(void *certificate, void *chain, const char *CAfile,
const char *CRLfile, const char **errstr)
{
X509_STORE *store = NULL;
X509_STORE_CTX *xsc = NULL;
int ret = 0;
if ((store = X509_STORE_new()) == NULL)
goto end;
if (!X509_STORE_load_locations(store, CAfile, NULL)) {
log_warn("warn: unable to load CA file %s", CAfile);
goto end;
}
X509_STORE_set_default_paths(store);
if ((xsc = X509_STORE_CTX_new()) == NULL)
goto end;
if (X509_STORE_CTX_init(xsc, store, certificate, chain) != 1)
goto end;
X509_STORE_CTX_set_verify_cb(xsc, ca_verify_cb);
ret = X509_verify_cert(xsc);
end:
*errstr = NULL;
if (ret != 1) {
if (xsc)
*errstr = X509_verify_cert_error_string(xsc->error);
else if (ERR_peek_last_error())
*errstr = ERR_error_string(ERR_peek_last_error(), NULL);
}
if (xsc)
X509_STORE_CTX_free(xsc);
if (store)
X509_STORE_free(store);
return ret > 0 ? 1 : 0;
}
static int checkX509_STORE_error(char* err, size_t err_len) {
unsigned long errCode = ERR_peek_last_error();
if (ERR_GET_LIB(errCode) != ERR_LIB_X509 ||
ERR_GET_REASON(errCode) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
snprintf(err,
err_len,
"Error adding certificate to X509 store: %s",
ERR_reason_error_string(errCode));
return 0;
}
return 1;
}
extern "C" int32_t CryptoNative_SslGetError(SSL* ssl, int32_t ret)
{
// This pops off "old" errors left by other operations
// until the first and last error are the same
// this should be looked at again when OpenSsl 1.1 is migrated to
while (ERR_peek_error() != ERR_peek_last_error())
{
ERR_get_error();
}
int32_t errorCode = SSL_get_error(ssl, ret);
ERR_clear_error();
return errorCode;
}
static const char*
io_ssl_error(void)
{
static char buf[128];
unsigned long e;
e = ERR_peek_last_error();
if (e) {
ERR_error_string(e, buf);
return (buf);
}
return ("No SSL error");
}
const QString QFrankSSL::K_SSLFehlertext(const QFrankSSL::ArtDerFehlerquelle &fehlerquelle)const
{
static QByteArray Fehlerpuffer("x",256);
switch(fehlerquelle)
{
case QFrankSSL::SSL_Bibliothek:
ERR_error_string_n(ERR_peek_last_error(),Fehlerpuffer.data(),Fehlerpuffer.size());
return QString(Fehlerpuffer);
break;
case QFrankSSL::SSL_Struktur:
return QString("%1").arg(K_SSL_Fehlercode);
break;
}
return "";
}
EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
{
const EC_METHOD *meth;
EC_GROUP *ret;
meth = EC_GFp_nist_method();
ret = EC_GROUP_new(meth);
if (ret == NULL)
return NULL;
if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
{
unsigned long err;
err = ERR_peek_last_error();
if (!(ERR_GET_LIB(err) == ERR_LIB_EC &&
((ERR_GET_REASON(err) == EC_R_NOT_A_NIST_PRIME) ||
(ERR_GET_REASON(err) == EC_R_NOT_A_SUPPORTED_NIST_PRIME))))
{
/* real error */
EC_GROUP_clear_free(ret);
return NULL;
}
/* not an actual error, we just cannot use EC_GFp_nist_method */
ERR_clear_error();
EC_GROUP_clear_free(ret);
meth = EC_GFp_mont_method();
ret = EC_GROUP_new(meth);
if (ret == NULL)
return NULL;
if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
{
EC_GROUP_clear_free(ret);
return NULL;
}
}
return ret;
}
/* Based on Node's SSL_CTX_use_certificate_chain, in src/node_crypto.cc */
selene_error_t *read_certificate_chain(selene_conf_t *conf, BIO *in,
selene_cert_chain_t **p_certs) {
X509 *x = NULL;
selene_cert_chain_t *chain;
selene_cert_t *tmpc;
x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
if (x == NULL) {
return selene_error_create(SELENE_ENOMEM, "Failed to parse certificate");
}
SELENE_ERR(sln_cert_chain_create(conf, &chain));
SELENE_ERR(sln_cert_create(conf, x, 0, &tmpc));
SLN_CERT_CHAIN_INSERT_TAIL(chain, tmpc);
{
/**
* If we could set up our certificate, now proceed to
* the CA certificates.
*/
X509 *ca;
unsigned long err;
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
SELENE_ERR(sln_cert_create(conf, ca, 0, &tmpc));
SLN_CERT_CHAIN_INSERT_TAIL(chain, tmpc);
}
/* When the while loop ends, it's usually just EOF. */
err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
ERR_clear_error();
} else {
/* some real error */
/* TODO: handle parse errors of the ca certs */
ERR_clear_error();
}
}
*p_certs = chain;
return SELENE_SUCCESS;
}
static PyObject *
_setSSLError (char *errstr, int errcode, char *filename, int lineno) {
char buf[2048];
PyObject *v;
if (errstr == NULL) {
errcode = ERR_peek_last_error();
errstr = ERR_error_string(errcode, NULL);
}
PyOS_snprintf(buf, sizeof(buf), "_ssl.c:%d: %s", lineno, errstr);
v = Py_BuildValue("(is)", errcode, buf);
if (v != NULL) {
PyErr_SetObject(PySSLErrorObject, v);
Py_DECREF(v);
}
return NULL;
}
/**
* ssl_load_certificates - Load certificates and filter out the expired ones
* @param ctx SSL context
* @retval 1 Success
* @retval 0 Error
*
* ssl certificate verification can behave strangely if there are expired certs
* loaded into the trusted store. This function filters out expired certs.
*
* Previously the code used this form:
* SSL_CTX_load_verify_locations (ssldata->ctx, #C_CertificateFile, NULL);
*/
static int ssl_load_certificates(SSL_CTX *ctx)
{
FILE *fp = NULL;
X509 *cert = NULL;
X509_STORE *store = NULL;
int rc = 1;
char buf[256];
mutt_debug(LL_DEBUG2, "loading trusted certificates\n");
store = SSL_CTX_get_cert_store(ctx);
if (!store)
{
store = X509_STORE_new();
SSL_CTX_set_cert_store(ctx, store);
}
fp = fopen(C_CertificateFile, "rt");
if (!fp)
return 0;
while (NULL != PEM_read_X509(fp, &cert, NULL, NULL))
{
if ((X509_cmp_current_time(X509_get0_notBefore(cert)) >= 0) ||
(X509_cmp_current_time(X509_get0_notAfter(cert)) <= 0))
{
mutt_debug(LL_DEBUG2, "filtering expired cert: %s\n",
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)));
}
else
{
X509_STORE_add_cert(store, cert);
}
}
/* PEM_read_X509 sets the error NO_START_LINE on eof */
if (ERR_GET_REASON(ERR_peek_last_error()) != PEM_R_NO_START_LINE)
rc = 0;
ERR_clear_error();
X509_free(cert);
mutt_file_fclose(&fp);
return rc;
}
/*
* Read a bio that contains our certificate in "PEM" format,
* possibly followed by a sequence of CA certificates that should be
* sent to the peer in the Certificate message.
*/
static int
ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
{
X509 *ca, *x = NULL;
unsigned long err;
int ret = 0;
if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
ctx->default_passwd_callback_userdata)) == NULL) {
SSLerrorx(ERR_R_PEM_LIB);
goto err;
}
if (!SSL_CTX_use_certificate(ctx, x))
goto err;
if (!ssl_cert_set0_chain(ctx->internal->cert, NULL))
goto err;
/* Process any additional CA certificates. */
while ((ca = PEM_read_bio_X509(in, NULL,
ctx->default_passwd_callback,
ctx->default_passwd_callback_userdata)) != NULL) {
if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) {
X509_free(ca);
goto err;
}
}
/* When the while loop ends, it's usually just EOF. */
err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
ERR_clear_error();
ret = 1;
}
err:
X509_free(x);
return (ret);
}
/**
* Read from a BIO, adding to the x509 store.
*/
static int
X509_STORE_load_bio(X509_STORE *ca_store, BIO *in) {
int ret = 1;
X509 *ca;
int r;
int found = 0;
unsigned long err;
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
r = X509_STORE_add_cert(ca_store, ca);
if (r == 0) {
X509_free(ca);
ret = 0;
break;
}
found++;
/**
* The x509 cert object is reference counted by OpenSSL, so the STORE
* keeps it alive after its been added.
*/
X509_free(ca);
}
/* When the while loop ends, it's usually just EOF. */
err = ERR_peek_last_error();
if (found != 0 &&
ERR_GET_LIB(err) == ERR_LIB_PEM &&
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
ERR_clear_error();
} else {
/* some real error */
ret = 0;
}
return ret;
}
SISCertificateChain* makeChain(const char* certData, EVP_PKEY** publicKey) {
BIO* in = BIO_new_mem_buf((void*) certData, -1);
BIO* out = BIO_new(BIO_s_mem());
while (true) {
X509* cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
if (!cert) {
unsigned long err = ERR_peek_last_error();
int lib = ERR_GET_LIB(err);
int func = ERR_GET_FUNC(err);
int reason = ERR_GET_REASON(err);
if (lib == ERR_LIB_PEM && func == PEM_F_PEM_READ_BIO && reason == PEM_R_NO_START_LINE)
break;
ERR_print_errors_fp(stderr);
throw SignBadCert;
}
if (!*publicKey)
*publicKey = X509_PUBKEY_get(X509_get_X509_PUBKEY(cert));
i2d_X509_bio(out, cert);
X509_OBJECT obj;
obj.type = X509_LU_X509;
obj.data.x509 = cert;
X509_OBJECT_free_contents(&obj);
}
BIO_free_all(in);
char* ptr;
long length = BIO_get_mem_data(out, &ptr);
if (length <= 0) {
fprintf(stderr, "Bad certificate file\n");
throw SignBadCert;
}
SISBlob* blob = new SISBlob((uint8_t*) ptr, length);
BIO_free_all(out);
return new SISCertificateChain(blob);
}
/*
* Errors
*/
static VALUE
ossl_make_error(VALUE exc, const char *fmt, va_list args)
{
VALUE str = Qnil;
const char *msg;
long e;
#ifdef HAVE_ERR_PEEK_LAST_ERROR
e = ERR_peek_last_error();
#else
e = ERR_peek_error();
#endif
if (fmt) {
str = rb_vsprintf(fmt, args);
}
if (e) {
if (dOSSL == Qtrue) /* FULL INFO */
msg = ERR_error_string(e, NULL);
else
msg = ERR_reason_error_string(e);
if (NIL_P(str)) {
if (msg) str = rb_str_new_cstr(msg);
}
else {
if (RSTRING_LEN(str)) rb_str_cat2(str, ": ");
rb_str_cat2(str, msg ? msg : "(null)");
}
}
if (dOSSL == Qtrue){ /* show all errors on the stack */
while ((e = ERR_get_error()) != 0){
rb_warn("error on stack: %s", ERR_error_string(e, NULL));
}
}
ERR_clear_error();
if (NIL_P(str)) str = rb_str_new(0, 0);
return rb_exc_new3(exc, str);
}
/*
* Errors
*/
void
ossl_raise(VALUE exc, const char *fmt, ...)
{
va_list args;
char buf[BUFSIZ];
const char *msg;
long e;
int len = 0;
#ifdef HAVE_ERR_PEEK_LAST_ERROR
e = ERR_peek_last_error();
#else
e = ERR_peek_error();
#endif
if (fmt) {
va_start(args, fmt);
len = vsnprintf(buf, BUFSIZ, fmt, args);
va_end(args);
}
if (len < BUFSIZ && e) {
if (dOSSL == Qtrue) /* FULL INFO */
msg = ERR_error_string(e, NULL);
else
msg = ERR_reason_error_string(e);
fmt = len ? ": %s" : "%s";
len += snprintf(buf+len, BUFSIZ-len, fmt, msg);
}
if (dOSSL == Qtrue){ /* show all errors on the stack */
while ((e = ERR_get_error()) != 0){
rb_warn("error on stack: %s", ERR_error_string(e, NULL));
}
}
ERR_clear_error();
if(len > BUFSIZ) len = strlen(buf);
rb_exc_raise(rb_exc_new(exc, buf, len));
}
static int try_connect(struct dtls_connection *d) {
int ret, code;
if (d->connected)
return 0;
__DBG("try_connect(%i)", d->active);
if (d->active)
ret = SSL_connect(d->ssl);
else
ret = SSL_accept(d->ssl);
code = SSL_get_error(d->ssl, ret);
ret = 0;
switch (code) {
case SSL_ERROR_NONE:
ilog(LOG_DEBUG, "DTLS handshake successful");
d->connected = 1;
ret = 1;
break;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
break;
default:
ret = ERR_peek_last_error();
ilog(LOG_ERROR, "DTLS error: %i (%s)", code, ERR_reason_error_string(ret));
ret = -1;
break;
}
return ret;
}
int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
EC_POINT *point, const BIGNUM *x_,
int y_bit, BN_CTX *ctx) {
BN_CTX *new_ctx = NULL;
BIGNUM *tmp1, *tmp2, *x, *y;
int ret = 0;
ERR_clear_error();
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
return 0;
}
}
y_bit = (y_bit != 0);
BN_CTX_start(ctx);
tmp1 = BN_CTX_get(ctx);
tmp2 = BN_CTX_get(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
if (y == NULL) {
goto err;
}
/* Recover y. We have a Weierstrass equation
* y^2 = x^3 + a*x + b,
* so y is one of the square roots of x^3 + a*x + b. */
/* tmp1 := x^3 */
if (!BN_nnmod(x, x_, &group->field, ctx)) {
goto err;
}
if (group->meth->field_decode == 0) {
/* field_{sqr,mul} work on standard representation */
if (!group->meth->field_sqr(group, tmp2, x_, ctx) ||
!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) {
goto err;
}
} else {
if (!BN_mod_sqr(tmp2, x_, &group->field, ctx) ||
!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) {
goto err;
}
}
/* tmp1 := tmp1 + a*x */
if (group->a_is_minus3) {
if (!BN_mod_lshift1_quick(tmp2, x, &group->field) ||
!BN_mod_add_quick(tmp2, tmp2, x, &group->field) ||
!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) {
goto err;
}
} else {
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, tmp2, &group->a, ctx) ||
!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) {
goto err;
}
} else {
/* field_mul works on standard representation */
if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) {
goto err;
}
}
if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) {
goto err;
}
}
/* tmp1 := tmp1 + b */
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, tmp2, &group->b, ctx) ||
!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) {
goto err;
}
} else {
if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) {
goto err;
}
}
if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) {
unsigned long err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_BN &&
ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
ERR_clear_error();
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates, EC_R_INVALID_COMPRESSED_POINT);
} else {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates, ERR_R_BN_LIB);
}
goto err;
}
if (y_bit != BN_is_odd(y)) {
if (BN_is_zero(y)) {
int kron;
kron = BN_kronecker(x, &group->field, ctx);
if (kron == -2) {
goto err;
}
if (kron == 1) {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates,
EC_R_INVALID_COMPRESSION_BIT);
} else {
/* BN_mod_sqrt() should have cought this error (not a square) */
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates,
EC_R_INVALID_COMPRESSED_POINT);
}
goto err;
}
if (!BN_usub(y, &group->field, y)) {
goto err;
}
}
if (y_bit != BN_is_odd(y)) {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates,
ERR_R_INTERNAL_ERROR);
goto err;
}
if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
if (new_ctx != NULL)
BN_CTX_free(new_ctx);
return ret;
}
int
main(int argc, char **argv)
{
ARGS arg;
#define PROG_NAME_SIZE 39
char pname[PROG_NAME_SIZE + 1];
FUNCTION f, *fp;
const char *prompt;
char buf[1024];
char *to_free = NULL;
int n, i, ret = 0;
char *p;
LHASH_OF(FUNCTION) * prog = NULL;
long errline;
arg.data = NULL;
arg.count = 0;
if (pledge("stdio cpath wpath rpath inet dns proc flock tty", NULL) == -1) {
fprintf(stderr, "openssl: pledge: %s\n", strerror(errno));
exit(1);
}
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
if (bio_err == NULL) {
fprintf(stderr, "openssl: failed to initialise bio_err\n");
exit(1);
}
if (BIO_sock_init() != 1) {
BIO_printf(bio_err, "BIO_sock_init failed\n");
exit(1);
}
CRYPTO_set_locking_callback(lock_dbg_cb);
openssl_startup();
/* Lets load up our environment a little */
p = getenv("OPENSSL_CONF");
if (p == NULL) {
p = to_free = make_config_name();
if (p == NULL) {
BIO_printf(bio_err, "error making config file name\n");
goto end;
}
}
default_config_file = p;
config = NCONF_new(NULL);
i = NCONF_load(config, p, &errline);
if (i == 0) {
if (ERR_GET_REASON(ERR_peek_last_error()) ==
CONF_R_NO_SUCH_FILE) {
BIO_printf(bio_err,
"WARNING: can't open config file: %s\n", p);
ERR_clear_error();
NCONF_free(config);
config = NULL;
} else {
ERR_print_errors(bio_err);
NCONF_free(config);
exit(1);
}
}
if (!load_config(bio_err, NULL)) {
BIO_printf(bio_err, "failed to load configuration\n");
goto end;
}
prog = prog_init();
/* first check the program name */
program_name(argv[0], pname, sizeof pname);
f.name = pname;
fp = lh_FUNCTION_retrieve(prog, &f);
if (fp != NULL) {
argv[0] = pname;
single_execution = 1;
ret = fp->func(argc, argv);
goto end;
}
/*
* ok, now check that there are not arguments, if there are, run with
* them, shifting the ssleay off the front
*/
if (argc != 1) {
argc--;
argv++;
single_execution = 1;
ret = do_cmd(prog, argc, argv);
if (ret < 0)
ret = 0;
goto end;
}
/* ok, lets enter the old 'OpenSSL>' mode */
for (;;) {
ret = 0;
p = buf;
n = sizeof buf;
i = 0;
for (;;) {
p[0] = '\0';
if (i++)
prompt = ">";
else
prompt = "OpenSSL> ";
fputs(prompt, stdout);
fflush(stdout);
if (!fgets(p, n, stdin))
goto end;
if (p[0] == '\0')
goto end;
i = strlen(p);
if (i <= 1)
break;
if (p[i - 2] != '\\')
break;
i -= 2;
p += i;
n -= i;
}
if (!chopup_args(&arg, buf, &argc, &argv))
break;
ret = do_cmd(prog, argc, argv);
if (ret < 0) {
ret = 0;
goto end;
}
if (ret != 0)
BIO_printf(bio_err, "error in %s\n", argv[0]);
(void) BIO_flush(bio_err);
}
BIO_printf(bio_err, "bad exit\n");
ret = 1;
end:
free(to_free);
if (config != NULL) {
NCONF_free(config);
config = NULL;
}
if (prog != NULL)
lh_FUNCTION_free(prog);
free(arg.data);
openssl_shutdown();
if (bio_err != NULL) {
BIO_free(bio_err);
bio_err = NULL;
}
return (ret);
}
