static int do_decrypt(EVP_CIPHER_CTX* aes256, pubnub_bymebl_t data, uint8_t const* key, uint8_t const* iv, pubnub_bymebl_t *msg)
{
int len = 0;
if (!EVP_DecryptInit_ex(aes256, EVP_aes_256_cbc(), NULL, key, iv)) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("Failed to initialize AES-256 decryption\n");
return -1;
}
if (!EVP_DecryptUpdate(aes256, msg->ptr, &len, data.ptr, data.size)) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("Failed to AES-256 decrypt the mesage\n");
return -1;
}
msg->size = len;
if (!EVP_DecryptFinal_ex(aes256, msg->ptr + len, &len)) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("Failed to finalize AES-256 decryption\n");
return -1;
}
msg->size += len;
return 0;
}
static int add_pem_cert(SSL_CTX *sslCtx, char const* pem_cert)
{
X509 *cert;
BIO *mem = BIO_new(BIO_s_mem());
if (NULL == mem) {
PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed BIO_new for PEM certificate\n", sslCtx);
return -1;
}
BIO_puts(mem, pem_cert);
cert = PEM_read_bio_X509(mem, NULL, 0, NULL);
BIO_free(mem);
if (NULL == cert) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed to read PEM certificate\n", sslCtx);
return -1;
}
if (0 == X509_STORE_add_cert(SSL_CTX_get_cert_store(sslCtx), cert)) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed to add PEM certificate\n", sslCtx);
X509_free(cert);
return -1;
}
X509_free(cert);
return 0;
}
Profile(const std::string& profilename, ConfigTag* tag)
: name(profilename)
, dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dh.pem")))
, ctx(SSL_CTX_new(SSLv23_server_method()))
, clictx(SSL_CTX_new(SSLv23_client_method()))
{
if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh)))
throw Exception("Couldn't set DH parameters");
std::string hash = tag->getString("hash", "md5");
digest = EVP_get_digestbyname(hash.c_str());
if (digest == NULL)
throw Exception("Unknown hash type " + hash);
std::string ciphers = tag->getString("ciphers");
if (!ciphers.empty())
{
if ((!ctx.SetCiphers(ciphers)) || (!clictx.SetCiphers(ciphers)))
{
ERR_print_errors_cb(error_callback, this);
throw Exception("Can't set cipher list to \"" + ciphers + "\" " + lasterr);
}
}
/* Load our keys and certificates
* NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck.
*/
std::string filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("certfile", "cert.pem"));
if ((!ctx.SetCerts(filename)) || (!clictx.SetCerts(filename)))
{
ERR_print_errors_cb(error_callback, this);
throw Exception("Can't read certificate file: " + lasterr);
}
filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("keyfile", "key.pem"));
if ((!ctx.SetPrivateKey(filename)) || (!clictx.SetPrivateKey(filename)))
{
ERR_print_errors_cb(error_callback, this);
throw Exception("Can't read key file: " + lasterr);
}
// Load the CAs we trust
filename = ServerInstance->Config->Paths.PrependConfig(tag->getString("cafile", "ca.pem"));
if ((!ctx.SetCA(filename)) || (!clictx.SetCA(filename)))
{
ERR_print_errors_cb(error_callback, this);
ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", filename.c_str(), lasterr.c_str());
}
}
static enum pbpal_resolv_n_connect_result resolv_and_connect_wout_SSL(pubnub_t *pb)
{
PUBNUB_LOG_TRACE("resolv_and_connect_wout_SSL\n");
if (NULL == pb->pal.socket) {
char const*origin = PUBNUB_ORIGIN_SETTABLE ? pb->origin : PUBNUB_ORIGIN;
PUBNUB_LOG_TRACE("pb=%p: Don't have BIO\n", pb);
pb->pal.socket = BIO_new_connect((char*)origin);
}
if (NULL == pb->pal.socket) {
return pbpal_resolv_resource_failure;
}
BIO_set_conn_port(pb->pal.socket, "http");
BIO_set_nbio(pb->pal.socket, !pb->options.use_blocking_io);
WATCH_ENUM(pb->options.use_blocking_io);
if (BIO_do_connect(pb->pal.socket) <= 0) {
if (BIO_should_retry(pb->pal.socket)) {
return pbpal_connect_wouldblock;
}
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("BIO_do_connect failed\n");
return pbpal_connect_failed;
}
PUBNUB_LOG_TRACE("pb=%p: BIO connected\n", pb);
{
int fd = BIO_get_fd(pb->pal.socket, NULL);
socket_set_rcv_timeout(fd, pb->transaction_timeout_ms);
}
return pbpal_connect_success;
}
static void finalize(int success)
{
if (success)
ERR_clear_error();
else
ERR_print_errors_cb(openssl_error_cb, NULL);
}
int
UI_process(UI *ui)
{
int i, ok = 0;
if (ui->meth->ui_open_session && !ui->meth->ui_open_session(ui))
return -1;
if (ui->flags & UI_FLAG_PRINT_ERRORS)
ERR_print_errors_cb(
(int (*)(const char *, size_t, void *)) print_error,
(void *)ui);
for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
if (ui->meth->ui_write_string &&
!ui->meth->ui_write_string(ui,
sk_UI_STRING_value(ui->strings, i))) {
ok = -1;
goto err;
}
}
if (ui->meth->ui_flush)
switch (ui->meth->ui_flush(ui)) {
case -1: /* Interrupt/Cancel/something... */
ok = -2;
goto err;
case 0: /* Errors */
ok = -1;
goto err;
default: /* Success */
ok = 0;
break;
}
for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
if (ui->meth->ui_read_string) {
switch (ui->meth->ui_read_string(ui,
sk_UI_STRING_value(ui->strings, i))) {
case -1: /* Interrupt/Cancel/something... */
ui->flags &= ~UI_FLAG_REDOABLE;
ok = -2;
goto err;
case 0: /* Errors */
ok = -1;
goto err;
default: /* Success */
ok = 0;
break;
}
}
}
err:
if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui))
return -1;
return ok;
}
void ERR_print_errors_fp(FILE *fp)
{
BIO *bio = BIO_new_fp(fp, BIO_NOCLOSE);
if (bio == NULL)
return;
ERR_print_errors_cb(print_bio, bio);
BIO_free(bio);
}
static int handshake( PCLIENT pc ) {
struct ssl_session *ses = pc->ssl_session;
if (!SSL_is_init_finished(ses->ssl)) {
int r;
lprintf( "doing handshake...." );
/* NOT INITIALISED */
r = SSL_do_handshake(ses->ssl);
lprintf( "handle data posted to SSL? %d", r );
if( r == 0 ) {
ERR_print_errors_cb( logerr, (void*)__LINE__ );
r = SSL_get_error( ses->ssl, r );
ERR_print_errors_cb( logerr, (void*)__LINE__ );
lprintf( "SSL_Read failed... %d", r );
return -1;
}
if (r < 0) {
r = SSL_get_error(ses->ssl, r);
if( SSL_ERROR_SSL == r ) {
lprintf( "SSL_Read failed... %d", r );
ERR_print_errors_cb( logerr, (void*)__LINE__ );
return -1;
}
if (SSL_ERROR_WANT_READ == r)
{
int pending = BIO_ctrl_pending( ses->wbio);
if (pending > 0) {
int read;
if( pending > ses->obuflen ) {
if( ses->obuffer )
Deallocate( uint8_t *, ses->obuffer );
ses->obuffer = NewArray( uint8_t, ses->obuflen = pending*2 );
}
read = BIO_read(ses->wbio, ses->obuffer, pending);
lprintf( "send %d for handshake", read );
if (read > 0)
SendTCP( pc, ses->obuffer, read );
}
static void
log_message(int level, const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
# ifdef OCSP_DAEMON
if (multi) {
char buf[1024];
if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
syslog(level, "%s", buf);
}
if (level >= LOG_ERR)
ERR_print_errors_cb(print_syslog, &level);
}
# endif
if (!multi) {
BIO_printf(bio_err, "%s: ", prog);
BIO_vprintf(bio_err, fmt, ap);
BIO_printf(bio_err, "\n");
}
va_end(ap);
}
void my_ERR_print_errors_fp(FILE *fp)
{
ERR_print_errors_cb(my_print_fp, fp);
}
int UI_process(UI *ui)
{
int i, ok = 0;
const char *state = "processing";
if (ui->meth->ui_open_session != NULL
&& ui->meth->ui_open_session(ui) <= 0) {
state = "opening session";
ok = -1;
goto err;
}
if (ui->flags & UI_FLAG_PRINT_ERRORS)
ERR_print_errors_cb((int (*)(const char *, size_t, void *))
print_error, (void *)ui);
for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
if (ui->meth->ui_write_string != NULL
&& (ui->meth->ui_write_string(ui,
sk_UI_STRING_value(ui->strings, i))
<= 0))
{
state = "writing strings";
ok = -1;
goto err;
}
}
if (ui->meth->ui_flush != NULL)
switch (ui->meth->ui_flush(ui)) {
case -1: /* Interrupt/Cancel/something... */
ok = -2;
goto err;
case 0: /* Errors */
state = "flushing";
ok = -1;
goto err;
default: /* Success */
ok = 0;
break;
}
for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
if (ui->meth->ui_read_string != NULL) {
switch (ui->meth->ui_read_string(ui,
sk_UI_STRING_value(ui->strings,
i))) {
case -1: /* Interrupt/Cancel/something... */
ok = -2;
goto err;
case 0: /* Errors */
state = "reading strings";
ok = -1;
goto err;
default: /* Success */
ok = 0;
break;
}
}
}
state = NULL;
err:
if (ui->meth->ui_close_session != NULL
&& ui->meth->ui_close_session(ui) <= 0) {
if (state == NULL)
state = "closing session";
ok = -1;
}
if (ok == -1) {
UIerr(UI_F_UI_PROCESS, UI_R_PROCESSING_ERROR);
ERR_add_error_data(2, "while ", state);
}
return ok;
}
static void
openssl_poll (GstDtlsConnection * self)
{
int ret;
int error;
log_state (self, "poll: before handshake");
ERR_clear_error ();
ret = SSL_do_handshake (self->priv->ssl);
log_state (self, "poll: after handshake");
switch (ret) {
case 1:
if (!self->priv->keys_exported) {
GST_INFO_OBJECT (self,
"handshake just completed successfully, exporting keys");
export_srtp_keys (self);
} else {
GST_INFO_OBJECT (self, "handshake is completed");
}
return;
case 0:
GST_DEBUG_OBJECT (self, "do_handshake encountered EOF");
break;
case -1:
GST_DEBUG_OBJECT (self, "do_handshake encountered BIO error");
break;
default:
GST_DEBUG_OBJECT (self, "do_handshake returned %d", ret);
}
error = SSL_get_error (self->priv->ssl, ret);
switch (error) {
case SSL_ERROR_NONE:
GST_WARNING_OBJECT (self, "no error, handshake should be done");
break;
case SSL_ERROR_SSL:
GST_ERROR_OBJECT (self, "SSL error");
ERR_print_errors_cb (ssl_err_cb, self);
return;
case SSL_ERROR_WANT_READ:
GST_LOG_OBJECT (self, "SSL wants read");
break;
case SSL_ERROR_WANT_WRITE:
GST_LOG_OBJECT (self, "SSL wants write");
break;
case SSL_ERROR_SYSCALL:{
gchar message[1024] = "<unknown>";
gint syserror;
#ifdef G_OS_WIN32
syserror = WSAGetLastError ();
FormatMessage (FORMAT_MESSAGE_FROM_SYSTEM, NULL, syserror, 0, message,
sizeof message, NULL);
#else
syserror = errno;
strerror_r (syserror, message, sizeof message);
#endif
GST_CAT_LEVEL_LOG (GST_CAT_DEFAULT,
syserror != 0 ? GST_LEVEL_WARNING : GST_LEVEL_LOG,
self, "SSL syscall error: errno %d: %s", syserror, message);
break;
}
default:
GST_WARNING_OBJECT (self, "Unknown SSL error: %d, ret: %d", error, ret);
}
ERR_print_errors_cb (ssl_warn_cb, self);
}
enum pbpal_resolv_n_connect_result pbpal_resolv_and_connect(pubnub_t *pb)
{
SSL *ssl = NULL;
int rslt;
char const* origin = PUBNUB_ORIGIN_SETTABLE ? pb->origin : PUBNUB_ORIGIN;
PUBNUB_ASSERT(pb_valid_ctx_ptr(pb));
PUBNUB_ASSERT_OPT((pb->state == PBS_READY) || (pb->state == PBS_WAIT_CONNECT));
if (!pb->options.useSSL) {
return resolv_and_connect_wout_SSL(pb);
}
if (NULL == pb->pal.ctx) {
PUBNUB_LOG_TRACE("pb=%p: Don't have SSL_CTX\n", pb);
pb->pal.ctx = SSL_CTX_new(SSLv23_client_method());
if (NULL == pb->pal.ctx) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("pb=%p SSL_CTX_new failed\n", pb);
return pbpal_resolv_resource_failure;
}
PUBNUB_LOG_TRACE("pb=%p: Got SSL_CTX\n", pb);
add_pubnub_cert(pb->pal.ctx);
}
if (NULL == pb->pal.socket) {
PUBNUB_LOG_TRACE("pb=%p: Don't have BIO\n", pb);
pb->pal.socket = BIO_new_ssl_connect(pb->pal.ctx);
if (PUBNUB_TIMERS_API) {
pb->pal.connect_timeout = time(NULL) + pb->transaction_timeout_ms/1000;
}
}
else {
BIO_get_ssl(pb->pal.socket, &ssl);
if (NULL == ssl) {
return resolv_and_connect_wout_SSL(pb);
}
ssl = NULL;
}
if (NULL == pb->pal.socket) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
return pbpal_resolv_resource_failure;
}
PUBNUB_LOG_TRACE("pb=%p: Using BIO == %p\n", pb, pb->pal.socket);
BIO_get_ssl(pb->pal.socket, &ssl);
PUBNUB_ASSERT(NULL != ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* maybe not auto_retry? */
if (pb->pal.session != NULL) {
SSL_set_session(ssl, pb->pal.session);
}
BIO_set_conn_hostname(pb->pal.socket, origin);
BIO_set_conn_port(pb->pal.socket, "https");
if (pb->pal.ip_timeout != 0) {
if (pb->pal.ip_timeout < time(NULL)) {
pb->pal.ip_timeout = 0;
}
else {
PUBNUB_LOG_TRACE("SSL re-connect to: %d.%d.%d.%d\n", pb->pal.ip[0], pb->pal.ip[1], pb->pal.ip[2], pb->pal.ip[3]);
BIO_set_conn_ip(pb->pal.socket, pb->pal.ip);
}
}
BIO_set_nbio(pb->pal.socket, !pb->options.use_blocking_io);
WATCH_ENUM(pb->options.use_blocking_io);
if (BIO_do_connect(pb->pal.socket) <= 0) {
if (BIO_should_retry(pb->pal.socket) && PUBNUB_TIMERS_API && (pb->pal.connect_timeout > time(NULL))) {
PUBNUB_LOG_TRACE("pb=%p: BIO_should_retry\n", pb);
return pbpal_connect_wouldblock;
}
/* Expire the IP for the next connect */
pb->pal.ip_timeout = 0;
ERR_print_errors_cb(print_to_pubnub_log, NULL);
if (pb->pal.session != NULL) {
SSL_SESSION_free(pb->pal.session);
pb->pal.session = NULL;
}
PUBNUB_LOG_ERROR("pb=%p: BIO_do_connect failed\n", pb);
return pbpal_connect_failed;
}
PUBNUB_LOG_TRACE("pb=%p: BIO connected\n", pb);
{
int fd = BIO_get_fd(pb->pal.socket, NULL);
socket_set_rcv_timeout(fd, pb->transaction_timeout_ms);
}
rslt = SSL_get_verify_result(ssl);
if (rslt != X509_V_OK) {
PUBNUB_LOG_WARNING("pb=%p: SSL_get_verify_result() failed == %d(%s)\n", pb, rslt, X509_verify_cert_error_string(rslt));
ERR_print_errors_cb(print_to_pubnub_log, NULL);
if (pb->options.fallbackSSL) {
BIO_free_all(pb->pal.socket);
pb->pal.socket = NULL;
return resolv_and_connect_wout_SSL(pb);
}
return pbpal_connect_failed;
}
PUBNUB_LOG_INFO("pb=%p: SSL session reused: %s\n", pb, SSL_session_reused(ssl) ? "yes" : "no");
if (pb->pal.session != NULL) {
SSL_SESSION_free(pb->pal.session);
}
pb->pal.session = SSL_get1_session(ssl);
if (0 == pb->pal.ip_timeout) {
pb->pal.ip_timeout = SSL_SESSION_get_time(pb->pal.session) + SSL_SESSION_get_timeout(pb->pal.session);
memcpy(pb->pal.ip, BIO_get_conn_ip(pb->pal.socket), 4);
}
PUBNUB_LOG_TRACE("pb=%p: SSL connected to IP: %d.%d.%d.%d\n", pb, pb->pal.ip[0], pb->pal.ip[1], pb->pal.ip[2], pb->pal.ip[3]);
return pbpal_connect_success;
}
void BIO_print_errors(BIO *bio) {
ERR_print_errors_cb(print_bio, bio);
}
static void openssl_log_errors()
{
ERR_print_errors_cb(&log_callback, nullptr);
}
void ERR_print_errors_fp(TINYCLR_SSL_FILE *fp)
{
ERR_print_errors_cb(print_fp, fp);
}
HttpResponse* http_response_recv(rdpTls* tls, BOOL readContentLength)
{
size_t size;
size_t position;
size_t bodyLength = 0;
size_t payloadOffset;
HttpResponse* response;
size = 2048;
payloadOffset = 0;
response = http_response_new();
if (!response)
return NULL;
response->ContentLength = 0;
while (payloadOffset == 0)
{
size_t s;
char* end;
/* Read until we encounter \r\n\r\n */
int status = BIO_read(tls->bio, Stream_Pointer(response->data), 1);
if (status <= 0)
{
if (!BIO_should_retry(tls->bio))
{
WLog_ERR(TAG, "%s: Retries exceeded", __FUNCTION__);
ERR_print_errors_cb(print_bio_error, NULL);
goto out_error;
}
USleep(100);
continue;
}
#ifdef HAVE_VALGRIND_MEMCHECK_H
VALGRIND_MAKE_MEM_DEFINED(Stream_Pointer(response->data), status);
#endif
Stream_Seek(response->data, (size_t)status);
if (!Stream_EnsureRemainingCapacity(response->data, 1024))
goto out_error;
position = Stream_GetPosition(response->data);
if (position < 4)
continue;
else if (position > RESPONSE_SIZE_LIMIT)
{
WLog_ERR(TAG, "Request header too large! (%"PRIdz" bytes) Aborting!", bodyLength);
goto out_error;
}
/* Always check at most the lase 8 bytes for occurance of the desired
* sequence of \r\n\r\n */
s = (position > 8) ? 8 : position;
end = (char*)Stream_Pointer(response->data) - s;
if (string_strnstr(end, "\r\n\r\n", s) != NULL)
payloadOffset = Stream_GetPosition(response->data);
}
if (payloadOffset)
{
size_t count = 0;
char* buffer = (char*)Stream_Buffer(response->data);
char* line = (char*) Stream_Buffer(response->data);
while ((line = string_strnstr(line, "\r\n", payloadOffset - (line - buffer) - 2UL)))
{
line += 2;
count++;
}
response->count = count;
if (count)
{
response->lines = (char**) calloc(response->count, sizeof(char*));
if (!response->lines)
goto out_error;
}
buffer[payloadOffset - 1] = '\0';
buffer[payloadOffset - 2] = '\0';
count = 0;
line = strtok(buffer, "\r\n");
while (line && (response->count > count))
{
response->lines[count] = line;
line = strtok(NULL, "\r\n");
count++;
}
if (!http_response_parse_header(response))
goto out_error;
response->BodyLength = Stream_GetPosition(response->data) - payloadOffset;
bodyLength = response->BodyLength; /* expected body length */
if (readContentLength)
{
const char* cur = response->ContentType;
while (cur != NULL)
{
if (http_use_content_length(cur))
{
if (response->ContentLength < RESPONSE_SIZE_LIMIT)
bodyLength = response->ContentLength;
break;
}
cur = strchr(cur, ';');
}
}
if (bodyLength > RESPONSE_SIZE_LIMIT)
{
WLog_ERR(TAG, "Expected request body too large! (%"PRIdz" bytes) Aborting!", bodyLength);
goto out_error;
}
/* Fetch remaining body! */
while (response->BodyLength < bodyLength)
{
int status;
if (!Stream_EnsureRemainingCapacity(response->data, bodyLength - response->BodyLength))
goto out_error;
status = BIO_read(tls->bio, Stream_Pointer(response->data), bodyLength - response->BodyLength);
if (status <= 0)
{
if (!BIO_should_retry(tls->bio))
{
WLog_ERR(TAG, "%s: Retries exceeded", __FUNCTION__);
ERR_print_errors_cb(print_bio_error, NULL);
goto out_error;
}
USleep(100);
continue;
}
Stream_Seek(response->data, (size_t)status);
response->BodyLength += (unsigned long)status;
if (response->BodyLength > RESPONSE_SIZE_LIMIT)
{
WLog_ERR(TAG, "Request body too large! (%"PRIdz" bytes) Aborting!", response->BodyLength);
goto out_error;
}
}
if (response->BodyLength > 0)
response->BodyContent = &(Stream_Buffer(response->data))[payloadOffset];
if (bodyLength != response->BodyLength)
{
WLog_WARN(TAG, "%s: %s unexpected body length: actual: %d, expected: %d",
__FUNCTION__, response->ContentType, response->BodyLength, bodyLength);
if (bodyLength > 0)
response->BodyLength = MIN(bodyLength, response->BodyLength);
}
}
return response;
out_error:
http_response_free(response);
return NULL;
}
void ERR_print_errors(BIO *bp)
{
ERR_print_errors_cb(print_bio, bp);
}
static int rtCrPkcs7VerifySignedDataUsingOpenSsl(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
void const *pvContent, uint32_t cbContent, PRTERRINFO pErrInfo)
{
/*
* Verify using OpenSSL.
*/
int rcOssl;
unsigned char const *pbRawContent = RTASN1CORE_GET_RAW_ASN1_PTR(&pContentInfo->SeqCore.Asn1Core);
PKCS7 *pOsslPkcs7 = NULL;
if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)) == pOsslPkcs7)
{
STACK_OF(X509) *pAddCerts = NULL;
if (hAdditionalCerts != NIL_RTCRSTORE)
rcOssl = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0, (void **)&pAddCerts);
else
{
pAddCerts = sk_X509_new_null();
rcOssl = RT_LIKELY(pAddCerts != NULL) ? VINF_SUCCESS : VERR_NO_MEMORY;
}
if (RT_SUCCESS(rcOssl))
{
PCRTCRPKCS7SETOFCERTS pCerts = &pContentInfo->u.pSignedData->Certificates;
for (uint32_t i = 0; i < pCerts->cItems; i++)
if (pCerts->paItems[i].enmChoice == RTCRPKCS7CERTCHOICE_X509)
rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->paItems[i].u.pX509Cert);
X509_STORE *pTrustedCerts = NULL;
if (hTrustedCerts != NIL_RTCRSTORE)
rcOssl = RTCrStoreConvertToOpenSslCertStore(hTrustedCerts, 0, (void **)&pTrustedCerts);
if (RT_SUCCESS(rcOssl))
{
rtCrOpenSslInit();
BIO *pBioContent = BIO_new_mem_buf((void *)pvContent, cbContent);
if (pBioContent)
{
uint32_t fOsslFlags = PKCS7_NOCHAIN;
fOsslFlags |= PKCS7_NOVERIFY; // temporary hack.
if (PKCS7_verify(pOsslPkcs7, pAddCerts, pTrustedCerts, pBioContent, NULL /*out*/, fOsslFlags))
rcOssl = VINF_SUCCESS;
else
{
rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_OSSL_VERIFY_FAILED, "PKCS7_verify failed: ");
if (pErrInfo)
ERR_print_errors_cb(rtCrOpenSslErrInfoCallback, pErrInfo);
}
BIO_free(pBioContent);
}
if (pTrustedCerts)
X509_STORE_free(pTrustedCerts);
}
else
rcOssl = RTErrInfoSet(pErrInfo, rcOssl, "RTCrStoreConvertToOpenSslCertStack failed");
if (pAddCerts)
sk_X509_pop_free(pAddCerts, X509_free);
}
else
rcOssl = RTErrInfoSet(pErrInfo, rcOssl, "RTCrStoreConvertToOpenSslCertStack failed");
PKCS7_free(pOsslPkcs7);
}
else
rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_OSSL_D2I_FAILED, "d2i_PKCS7 failed");
return rcOssl;
}
void ERR_print_errors_fp(FILE *fp)
{
ERR_print_errors_cb(print_fp, fp);
}
MONO_API void
mono_btls_ssl_print_errors_cb (ERR_print_errors_callback_t callback, void *ctx)
{
ERR_print_errors_cb (callback, ctx);
}
