static liHandlerResult openssl_setenv(liVRequest *vr, gpointer param, gpointer *context) {
liConnection *con;
openssl_connection_ctx *conctx;
SSL *ssl;
X509 *x0=NULL, *x1=NULL;
guint params = GPOINTER_TO_UINT(param);
UNUSED(context);
if (!(con = li_connection_from_vrequest(vr))
|| !(con->srv_sock && con->srv_sock->new_cb == openssl_con_new)
|| !(conctx = con->con_sock.data)
|| !(ssl = li_openssl_filter_ssl(conctx->ssl_filter)))
return LI_HANDLER_GO_ON;
if ((params & SE_CLIENT) && (x1 || (x1 = SSL_get_peer_certificate(ssl))))
openssl_setenv_X509_add_entries(vr, x1, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
if ((params & SE_CLIENT_CERT) && (x1 || (x1 = SSL_get_peer_certificate(ssl))))
openssl_setenv_X509_add_PEM(vr, x1, CONST_STR_LEN("SSL_CLIENT_CERT"));
if ((params & SE_SERVER) && (x0 || (x0 = SSL_get_certificate(ssl))))
openssl_setenv_X509_add_entries(vr, x0, CONST_STR_LEN("SSL_SERVER_S_DN_"));
if ((params & SE_SERVER_CERT) && (x0 || (x0 = SSL_get_certificate(ssl))))
openssl_setenv_X509_add_PEM(vr, x0, CONST_STR_LEN("SSL_SERVER_CERT"));
/* only peer increases ref count */
if (x1) X509_free(x1);
return LI_HANDLER_GO_ON;
}
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer)
{
CryptoCert cert;
X509* remote_cert;
STACK_OF(X509) *chain;
if (peer)
remote_cert = SSL_get_peer_certificate(tls->ssl);
else
remote_cert = X509_dup(SSL_get_certificate(tls->ssl));
if (!remote_cert)
{
WLog_ERR(TAG, "failed to get the server TLS certificate");
return NULL;
}
cert = malloc(sizeof(*cert));
if (!cert)
{
X509_free(remote_cert);
return NULL;
}
cert->px509 = remote_cert;
/* Get the peer's chain. If it does not exist, we're setting NULL (clean data either way) */
chain = SSL_get_peer_cert_chain(tls->ssl);
cert->px509chain = chain;
return cert;
}
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer)
{
CryptoCert cert;
X509* remote_cert;
if (peer)
remote_cert = SSL_get_peer_certificate(tls->ssl);
else
remote_cert = X509_dup( SSL_get_certificate(tls->ssl) );
if (!remote_cert)
{
WLog_ERR(TAG, "failed to get the server TLS certificate");
return NULL;
}
cert = malloc(sizeof(*cert));
if (!cert)
{
X509_free(remote_cert);
return NULL;
}
cert->px509 = remote_cert;
return cert;
}
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer)
{
CryptoCert cert;
X509* remote_cert;
if (peer)
remote_cert = SSL_get_peer_certificate(tls->ssl);
else
remote_cert = X509_dup( SSL_get_certificate(tls->ssl) );
if (!remote_cert)
{
DEBUG_WARN( "%s: failed to get the server TLS certificate\n", __FUNCTION__);
return NULL;
}
cert = malloc(sizeof(*cert));
if (!cert)
{
X509_free(remote_cert);
return NULL;
}
cert->px509 = remote_cert;
return cert;
}
int
eventer_ssl_get_local_commonname(eventer_ssl_ctx_t *ctx, char *buff, int len) {
char *out = NULL;
X509_NAME *name;
X509 *cert = SSL_get_certificate(ctx->ssl);
if(cert == NULL) return -1;
name = X509_get_subject_name(cert);
if(name) {
int pos;
if(-1 != (pos = X509_NAME_get_index_by_NID(name, NID_commonName, -1))) {
X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, pos);
if(entry) {
ASN1_STRING *entryData = X509_NAME_ENTRY_get_data( entry );
unsigned char *utf8;
int length = ASN1_STRING_to_UTF8( &utf8, entryData );
strlcpy(buff, (const char *)utf8, MIN(length+1,len));
out = buff;
OPENSSL_free( utf8 );
}
}
}
X509_free(cert);
if(out) return strlen(out);
return -1;
}
static int get_cert(X509** cert, struct tcp_connection** c, struct sip_msg* msg, int my)
{
SSL* ssl;
*cert = 0;
*c = get_cur_connection(msg);
if (!(*c)) {
INFO("TLS connection not found\n");
return -1;
}
ssl = get_ssl(*c);
if (!ssl) goto err;
*cert = my ? SSL_get_certificate(ssl) : SSL_get_peer_certificate(ssl);
if (!*cert) {
if (my) {
ERR("Unable to retrieve my TLS certificate from SSL structure\n");
} else {
ERR("Unable to retrieve peer TLS certificate from SSL structure\n");
}
goto err;
}
return 0;
err:
tcpconn_put(*c);
return -1;
}
static int
tlso_session_my_dn( tls_session *sess, struct berval *der_dn )
{
tlso_session *s = (tlso_session *)sess;
X509 *x;
X509_NAME *xn;
x = SSL_get_certificate( s );
if (!x) return LDAP_INVALID_CREDENTIALS;
xn = X509_get_subject_name(x);
#if OPENSSL_VERSION_NUMBER < 0x10100000
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
der_dn->bv_val = xn->bytes->data;
#else
{
size_t len = 0;
der_dn->bv_val = NULL;
X509_NAME_get0_der( (const unsigned char **)&der_dn->bv_val, &len, xn );
der_dn->bv_len = len;
}
#endif
/* Don't X509_free, the session is still using it */
return 0;
}
char *
be_tls_get_certificate_hash(Port *port, size_t *len)
{
#ifdef HAVE_X509_GET_SIGNATURE_NID
X509 *server_cert;
char *cert_hash;
const EVP_MD *algo_type = NULL;
unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */
unsigned int hash_size;
int algo_nid;
*len = 0;
server_cert = SSL_get_certificate(port->ssl);
if (server_cert == NULL)
return NULL;
/*
* Get the signature algorithm of the certificate to determine the hash
* algorithm to use for the result.
*/
if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
&algo_nid, NULL))
elog(ERROR, "could not determine server certificate signature algorithm");
/*
* The TLS server's certificate bytes need to be hashed with SHA-256 if
* its signature algorithm is MD5 or SHA-1 as per RFC 5929
* (https://tools.ietf.org/html/rfc5929#section-4.1). If something else
* is used, the same hash as the signature algorithm is used.
*/
switch (algo_nid)
{
case NID_md5:
case NID_sha1:
algo_type = EVP_sha256();
break;
default:
algo_type = EVP_get_digestbynid(algo_nid);
if (algo_type == NULL)
elog(ERROR, "could not find digest for NID %s",
OBJ_nid2sn(algo_nid));
break;
}
/* generate and save the certificate hash */
if (!X509_digest(server_cert, algo_type, hash, &hash_size))
elog(ERROR, "could not generate server certificate hash");
cert_hash = palloc(hash_size);
memcpy(cert_hash, hash, hash_size);
*len = hash_size;
return cert_hash;
#else
ereport(ERROR,
(errcode(ERRCODE_PROTOCOL_VIOLATION),
errmsg("channel binding type \"tls-server-end-point\" is not supported by this build")));
return NULL;
#endif
}
SSLSocket::SSLSocket(const char *host, uint16_t port, const char *CAfile, const char *CRTfile, const char *KEYfile, void *passwd, int timeout, bool verify) {
loadSSL();
ctx = sslCreateCtx(true, verify, CAfile, CRTfile, KEYfile, passwd);
m_sock = sslConnect(host, port, timeout);
buffer = new SocketBuffer(this);
clientName = getCommonName(SSL_get_certificate(conn.sslHandle));
serverName = getCommonName(SSL_get_peer_certificate(conn.sslHandle));
}
SSLSocket::SSLSocket(connection c) {
loadSSL();
ctx = NULL;
m_sock = c.socket;
conn.socket = c.socket;
conn.sslHandle = c.sslHandle;
buffer = new SocketBuffer(this);
clientName = getCommonName(SSL_get_peer_certificate(conn.sslHandle));
serverName = getCommonName(SSL_get_certificate(conn.sslHandle));
}
static void *
_SSL_get_sess_obj(SSL *ssl, int type)
{
void *obj = NULL;
switch (type) {
case 0:
obj = X509_get_pubkey(SSL_get_certificate(ssl));
break;
case 1:
obj = SSL_get_privatekey(ssl);
break;
case 2:
obj = SSL_get_certificate(ssl);
break;
}
return (obj);
}
CWBool CWSecurityInitSessionClient(CWSocket sock, CWNetworkLev4Address *addrPtr, CWSafeList packetReceiveList, CWSecurityContext ctx, CWSecuritySession *sessionPtr, int *PMTUPtr) {
BIO *sbio = NULL;
CWNetworkLev4Address peer;
int peerlen = sizeof(peer);
int i;
if(ctx == NULL || sessionPtr == NULL || PMTUPtr == NULL) return CWErrorRaise(CW_ERROR_WRONG_ARG, NULL);
if((*sessionPtr = SSL_new(ctx)) == NULL) {
CWSecurityRaiseError(CW_ERROR_CREATING);
}
#ifdef CW_DEBUGGING
CWDebugLog("My Certificate");
PEM_write_X509(stdout, SSL_get_certificate(*sessionPtr));
#endif
if((sbio = BIO_new_memory(sock, addrPtr, packetReceiveList)) == NULL) {
SSL_free(*sessionPtr);
CWSecurityRaiseError(CW_ERROR_CREATING);
}
if (getsockname(sock, (struct sockaddr*)&peer, (void *)&peerlen) < 0) {
SSL_free(*sessionPtr);
CWSecurityRaiseSystemError(CW_ERROR_GENERAL);
}
i = BIO_ctrl_set_connected(sbio, 1, &peer);
//BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); // TO-DO (pass MTU?)
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_MTU, 10000, NULL); // TO-DO if we don't set a big MTU, thw DTLS implementation will
// not be able to use a big certificate
// Let the verify_callback catch the verify_depth error so that we get
// an appropriate error in the logfile.
SSL_set_verify_depth((*sessionPtr), CW_DTLS_CERT_VERIFY_DEPTH + 1);
SSL_set_read_ahead( (*sessionPtr), 1); // required by DTLS implementation to avoid data loss
SSL_set_bio((*sessionPtr), sbio, sbio);
SSL_set_connect_state((*sessionPtr));
CWDebugLog("Before HS");
CWSecurityManageSSLError(
SSL_do_handshake(*sessionPtr), *sessionPtr, SSL_free(*sessionPtr););
static int
tlso_session_my_dn( tls_session *sess, struct berval *der_dn )
{
tlso_session *s = (tlso_session *)sess;
X509 *x;
X509_NAME *xn;
x = SSL_get_certificate( s );
if (!x) return LDAP_INVALID_CREDENTIALS;
xn = X509_get_subject_name(x);
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
der_dn->bv_val = xn->bytes->data;
/* Don't X509_free, the session is still using it */
return 0;
}
static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{
int rc;
X509 *cert;
u_char *p;
ngx_connection_t *c;
ngx_ssl_stapling_t *staple;
c = ngx_ssl_get_connection(ssl_conn);
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL certificate status callback");
rc = SSL_TLSEXT_ERR_NOACK;
cert = SSL_get_certificate(ssl_conn);
staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
if (staple == NULL) {
return rc;
}
if (staple->staple.len
&& staple->valid >= ngx_time())
{
/* we have to copy ocsp response as OpenSSL will free it by itself */
p = OPENSSL_malloc(staple->staple.len);
if (p == NULL) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
return SSL_TLSEXT_ERR_NOACK;
}
ngx_memcpy(p, staple->staple.data, staple->staple.len);
SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len);
rc = SSL_TLSEXT_ERR_OK;
}
ngx_ssl_stapling_update(staple);
return rc;
}
/*
Get the SSL state of the socket in a buffer
*/
static char *getOssState(MprSocket *sp)
{
OpenSocket *osp;
MprBuf *buf;
X509 *cert;
char subject[512], issuer[512];
osp = sp->sslSocket;
buf = mprCreateBuf(0, 0);
mprPutToBuf(buf, "{\"provider\":\"openssl\",\"cipher\":\"%s\",\"session\":\"%s\",",
SSL_get_cipher(osp->handle), sp->session);
mprPutToBuf(buf, "\"peer\":\"%s\",", sp->peerName);
mprPutToBuf(buf, "\"%s\":{", sp->acceptIp ? "client" : "server");
if ((cert = SSL_get_peer_certificate(osp->handle)) != 0) {
X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer) -1);
mprPutToBuf(buf, "\"issuer\": {");
parseCertFields(buf, &issuer[1]);
mprPutToBuf(buf, "},");
X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject) -1);
mprPutToBuf(buf, "\"subject\": {");
parseCertFields(buf, &subject[1]);
mprPutToBuf(buf, "},");
X509_free(cert);
}
if ((cert = SSL_get_certificate(osp->handle)) != 0) {
mprPutToBuf(buf, "\"issuer\": {");
X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer) -1);
parseCertFields(buf, &issuer[1]);
mprPutToBuf(buf, "},");
mprPutToBuf(buf, "\"subject\": {");
X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject) -1);
parseCertFields(buf, &subject[1]);
mprPutToBuf(buf, "},");
/* Don't call X509_free on own cert */
}
mprAdjustBufEnd(buf, -1);
mprPutToBuf(buf, "}}");
return mprBufToString(buf);
}
int
syslog_sign_init()
{
SSL *ssl;
sign_global_conf = EVP_MD_CTX_create();
EVP_MD_CTX_init(sign_global_conf);
if (ssl = SSL_new(ssl_global_conf)) {
dprintf("Try to get keys from TLS X.509 cert...\n");
if (!(xcert = SSL_get_certificate(ssl))) {
logerror("SSL_get_certificate() failed");
SSL_free(ssl);
return EXIT_FAILURE;
}
if (!(eprivkey = SSL_get_privatekey(ssl))) {
logerror("SSL_get_privatekey() failed");
SSL_free(ssl);
return EXIT_FAILURE;
}
if (!(epubkey = X509_get_pubkey(xcert))) {
logerror("X509_get_pubkey() failed");
SSL_free(ssl);
return EXIT_FAILURE;
}
}
SSL_free(ssl);
if (EVP_PKEY_DSA != EVP_PKEY_type(epubkey->type)) {
dprintf("X.509 cert has no DSA key\n");
EVP_PKEY_free(epubkey);
eprivkey = NULL;
epubkey = NULL;
} else {
dprintf("Got public and private key "
"from X.509 --> use type PKIX\n");
sign_method = EVP_dss1();
}
}
/*
Get the SSL state of the socket in a buffer
*/
static char *getOssState(MprSocket *sp)
{
OpenSocket *osp;
MprBuf *buf;
X509_NAME *xSubject;
X509 *cert;
char *prefix, subject[512], issuer[512], peer[512];
osp = sp->sslSocket;
buf = mprCreateBuf(0, 0);
mprPutToBuf(buf, "PROVIDER=openssl,CIPHER=%s,SESSION=%s,", SSL_get_cipher(osp->handle), sp->session);
if ((cert = SSL_get_peer_certificate(osp->handle)) == 0) {
mprPutToBuf(buf, "%s=\"none\",", sp->acceptIp ? "CLIENT_CERT" : "SERVER_CERT");
} else {
xSubject = X509_get_subject_name(cert);
X509_NAME_get_text_by_NID(xSubject, NID_commonName, peer, sizeof(peer) - 1);
mprPutToBuf(buf, "PEER=\"%s\",", peer);
prefix = sp->acceptIp ? "CLIENT_" : "SERVER_";
X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject) -1);
parseCertFields(buf, prefix, "S_", &subject[1]);
X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer) -1);
parseCertFields(buf, prefix, "I_", &issuer[1]);
X509_free(cert);
}
if ((cert = SSL_get_certificate(osp->handle)) != 0) {
prefix = sp->acceptIp ? "SERVER_" : "CLIENT_";
X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject) -1);
parseCertFields(buf, prefix, "S_", &subject[1]);
X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer) -1);
parseCertFields(buf, prefix, "I_", &issuer[1]);
/* Don't call X509_free on own cert */
}
return mprGetBufStart(buf);
}
/*
* call-seq:
* ssl.cert => cert or nil
*/
static VALUE
ossl_ssl_get_cert(VALUE self)
{
SSL *ssl;
X509 *cert = NULL;
Data_Get_Struct(self, SSL, ssl);
if (ssl) {
rb_warning("SSL session is not started yet.");
return Qnil;
}
/*
* Is this OpenSSL bug? Should add a ref?
* TODO: Ask for.
*/
cert = SSL_get_certificate(ssl); /* NO DUPs => DON'T FREE. */
if (!cert) {
return Qnil;
}
return ossl_x509_new(cert);
}
static CryptoCert tls_get_certificate(rdpTls* tls, boolean peer)
{
CryptoCert cert;
X509* server_cert;
if (peer)
server_cert = SSL_get_peer_certificate(tls->ssl);
else
server_cert = SSL_get_certificate(tls->ssl);
if (!server_cert)
{
printf("tls_get_certificate: failed to get the server TLS certificate\n");
cert = NULL;
}
else
{
cert = xmalloc(sizeof(*cert));
cert->px509 = server_cert;
}
return cert;
}
static void workaround_openssl_certchain_bug(struct openconnect_info *vpninfo,
SSL *ssl)
{
/* OpenSSL has problems with certificate chains -- if there are
multiple certs with the same name, it doesn't necessarily
choose the _right_ one. (RT#1942)
Pick the right ones for ourselves and add them manually. */
X509 *cert = SSL_get_certificate(ssl);
X509 *cert2;
X509_STORE *store = SSL_CTX_get_cert_store(vpninfo->https_ctx);
X509_STORE_CTX ctx;
if (!cert || !store)
return;
/* If we already have 'supporting' certs, don't add them again */
if (vpninfo->https_ctx->extra_certs)
return;
if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL))
return;
while (ctx.get_issuer(&cert2, &ctx, cert) == 1) {
char buf[200];
if (cert2 == cert)
break;
if (X509_check_issued(cert2, cert2) == X509_V_OK)
break;
cert = cert2;
X509_NAME_oneline(X509_get_subject_name(cert),
buf, sizeof(buf));
vpn_progress(vpninfo, PRG_DEBUG,
_("Extra cert from cafile: '%s'\n"), buf);
SSL_CTX_add_extra_chain_cert(vpninfo->https_ctx, cert);
}
X509_STORE_CTX_cleanup(&ctx);
}
static inline int get_cert(X509** cert, struct tcp_connection** c,
struct sip_msg* msg, int my)
{
SSL* ssl;
*cert = 0;
*c = get_cur_connection(msg);
if (!(*c)) {
LM_INFO("TLS connection not found\n");
return -1;
}
ssl = get_ssl(*c);
if (!ssl) goto err;
*cert = my ? SSL_get_certificate(ssl) : SSL_get_peer_certificate(ssl);
if (!*cert) {
LM_ERR("failed to get certificate from SSL structure\n");
goto err;
}
return 0;
err:
tcpconn_put(*c);
return -1;
}
/// loads one PEM file with one certificate, no chain, no CA
int Certificate::loadCertificateFromFile( void )
{
const int certificateFileCheckResult = validateCertificateFilename(m_certfn);
if(certificateFileCheckResult < 0) return certificateFileCheckResult;
m_ssl = SSL_new( SSL_CTX_new( SSLv23_method() ) );
SSL_use_certificate_file( m_ssl, m_certfn.c_str(), m_type);
// or like this, including a CA
// SSL_CTX_use_certificate_chain_file( _ssl_ctx, fname.c_str() );
X509 *x509crt = SSL_get_certificate( m_ssl );
// validity format is here:
// https://github.com/openssl/openssl/commit/f48b83b4fb7d6689584cf25f61ca63a4891f5b11
// in fact these are strings in UTC format, need to convert them into time_t to become useful
m_time_end = _timeASN1toTIME_T( x509crt->cert_info->validity->notAfter );
remainingValidityTime();
LOG(Log::INF) << " certificate remaining time= " << remainingDays() << "days "
<< remainingHours() << ":"
<< remainingMins() << ":"
<< remainingSecs();
return( 0 );
}
static void setup_ssl(tcptest_t *item)
{
static int ssl_init_complete = 0;
struct servent *sp;
char portinfo[100];
X509 *peercert;
char *certcn, *certstart, *certend;
int err;
strbuffer_t *sslinfo;
char msglin[2048];
item->sslrunning = 1;
if (!ssl_init_complete) {
/* Setup entropy */
if (RAND_status() != 1) {
char path[PATH_MAX]; /* Path for the random file */
/* load entropy from files */
RAND_load_file(RAND_file_name(path, sizeof (path)), -1);
/* load entropy from egd sockets */
RAND_egd("/var/run/egd-pool");
RAND_egd("/dev/egd-pool");
RAND_egd("/etc/egd-pool");
RAND_egd("/var/spool/prngd/pool");
/* shuffle $RANDFILE (or ~/.rnd if unset) */
RAND_write_file(RAND_file_name(path, sizeof (path)));
if (RAND_status() != 1) {
errprintf("Failed to find enough entropy on your system");
item->errcode = CONTEST_ESSL;
return;
}
}
SSL_load_error_strings();
SSL_library_init();
ssl_init_complete = 1;
}
if (item->sslctx == NULL) {
switch (item->ssloptions->sslversion) {
case SSLVERSION_V2:
item->sslctx = SSL_CTX_new(SSLv2_client_method()); break;
case SSLVERSION_V3:
item->sslctx = SSL_CTX_new(SSLv3_client_method()); break;
case SSLVERSION_TLS1:
item->sslctx = SSL_CTX_new(TLSv1_client_method()); break;
default:
item->sslctx = SSL_CTX_new(SSLv23_client_method()); break;
}
if (!item->sslctx) {
char sslerrmsg[256];
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Cannot create SSL context - IP %s, service %s: %s\n",
inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg);
item->sslrunning = 0;
item->errcode = CONTEST_ESSL;
return;
}
/* Workaround SSL bugs */
SSL_CTX_set_options(item->sslctx, SSL_OP_ALL);
SSL_CTX_set_quiet_shutdown(item->sslctx, 1);
/* Limit set of ciphers, if user wants to */
if (item->ssloptions->cipherlist)
SSL_CTX_set_cipher_list(item->sslctx, item->ssloptions->cipherlist);
if (item->ssloptions->clientcert) {
int status;
char certfn[PATH_MAX];
SSL_CTX_set_default_passwd_cb(item->sslctx, cert_password_cb);
SSL_CTX_set_default_passwd_cb_userdata(item->sslctx, item);
sprintf(certfn, "%s/certs/%s", xgetenv("XYMONHOME"), item->ssloptions->clientcert);
status = SSL_CTX_use_certificate_chain_file(item->sslctx, certfn);
if (status == 1) {
status = SSL_CTX_use_PrivateKey_file(item->sslctx, certfn, SSL_FILETYPE_PEM);
}
if (status != 1) {
char sslerrmsg[256];
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Cannot load SSL client certificate/key %s: %s\n",
item->ssloptions->clientcert, sslerrmsg);
item->sslrunning = 0;
item->errcode = CONTEST_ESSL;
return;
}
}
}
if (item->ssldata == NULL) {
item->ssldata = SSL_new(item->sslctx);
if (!item->ssldata) {
char sslerrmsg[256];
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("SSL_new failed - IP %s, service %s: %s\n",
inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg);
item->sslrunning = 0;
SSL_CTX_free(item->sslctx);
item->errcode = CONTEST_ESSL;
return;
}
/* Verify that the client certificate is working */
if (item->ssloptions->clientcert) {
X509 *x509;
x509 = SSL_get_certificate(item->ssldata);
if(x509 != NULL) {
EVP_PKEY *pktmp = X509_get_pubkey(x509);
EVP_PKEY_copy_parameters(pktmp,SSL_get_privatekey(item->ssldata));
EVP_PKEY_free(pktmp);
}
if (!SSL_CTX_check_private_key(item->sslctx)) {
errprintf("Private/public key mismatch for certificate %s\n", item->ssloptions->clientcert);
item->sslrunning = 0;
item->errcode = CONTEST_ESSL;
return;
}
}
/* SSL setup is done. Now attach the socket FD to the SSL protocol handler */
if (SSL_set_fd(item->ssldata, item->fd) != 1) {
char sslerrmsg[256];
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Could not initiate SSL on connection - IP %s, service %s: %s\n",
inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg);
item->sslrunning = 0;
SSL_free(item->ssldata);
SSL_CTX_free(item->sslctx);
item->errcode = CONTEST_ESSL;
return;
}
}
sp = getservbyport(item->addr.sin_port, "tcp");
if (sp) {
sprintf(portinfo, "%s (%d/tcp)", sp->s_name, item->addr.sin_port);
}
else {
sprintf(portinfo, "%d/tcp", item->addr.sin_port);
}
if ((err = SSL_connect(item->ssldata)) != 1) {
char sslerrmsg[256];
switch (SSL_get_error (item->ssldata, err)) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
item->sslrunning = SSLSETUP_PENDING;
break;
case SSL_ERROR_SYSCALL:
ERR_error_string(ERR_get_error(), sslerrmsg);
/* Filter out the bogus SSL error */
if (strstr(sslerrmsg, "error:00000000:") == NULL) {
errprintf("IO error in SSL_connect to %s on host %s: %s\n",
portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg);
}
item->errcode = CONTEST_ESSL;
item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx);
break;
case SSL_ERROR_SSL:
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Unspecified SSL error in SSL_connect to %s on host %s: %s\n",
portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg);
item->errcode = CONTEST_ESSL;
item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx);
break;
default:
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Unknown error %d in SSL_connect to %s on host %s: %s\n",
err, portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg);
item->errcode = CONTEST_ESSL;
item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx);
break;
}
return;
}
/* If we get this far, the SSL handshake has completed. So grab the certificate */
peercert = SSL_get_peer_certificate(item->ssldata);
if (!peercert) {
errprintf("Cannot get peer certificate for %s on host %s\n",
portinfo, inet_ntoa(item->addr.sin_addr));
item->errcode = CONTEST_ESSL;
item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx);
return;
}
sslinfo = newstrbuffer(0);
certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0);
certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert)));
certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert)));
snprintf(msglin, sizeof(msglin),
"Server certificate:\n\tsubject:%s\n\tstart date: %s\n\texpire date:%s\n",
certcn, certstart, certend);
addtobuffer(sslinfo, msglin);
item->certsubject = strdup(certcn);
item->certexpires = sslcert_expiretime(certend);
xfree(certcn); xfree(certstart); xfree(certend);
X509_free(peercert);
/* We list the available ciphers in the SSL cert data */
{
int i;
STACK_OF(SSL_CIPHER) *sk;
addtobuffer(sslinfo, "\nAvailable ciphers:\n");
sk = SSL_get_ciphers(item->ssldata);
for (i=0; i<sk_SSL_CIPHER_num(sk); i++) {
int b1, b2;
char *cph;
b1 = SSL_CIPHER_get_bits(sk_SSL_CIPHER_value(sk,i), &b2);
cph = SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk,i));
snprintf(msglin, sizeof(msglin), "Cipher %d: %s (%d bits)\n", i, cph, b1);
addtobuffer(sslinfo, msglin);
if ((item->mincipherbits == 0) || (b1 < item->mincipherbits)) item->mincipherbits = b1;
}
}
item->certinfo = grabstrbuffer(sslinfo);
}
SSL *SSLSocket::createSSL(SSL_CTX *ctx) {
ERR_clear_error();
/* look at options in the stream and set appropriate verification flags */
if (m_context[s_verify_peer].toBoolean()) {
/* turn on verification callback */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verifyCallback);
/* CA stuff */
String cafile = m_context[s_cafile].toString();
String capath = m_context[s_capath].toString();
if (!cafile.empty() || !capath.empty()) {
if (!SSL_CTX_load_verify_locations(ctx, cafile.data(), capath.data())) {
raise_warning("Unable to set verify locations `%s' `%s'",
cafile.data(), capath.data());
return nullptr;
}
}
int64_t depth = m_context[s_verify_depth].toInt64();
if (depth) {
SSL_CTX_set_verify_depth(ctx, depth);
}
} else {
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, nullptr);
}
/* callback for the passphrase (for localcert) */
if (!m_context[s_passphrase].toString().empty()) {
SSL_CTX_set_default_passwd_cb_userdata(ctx, this);
SSL_CTX_set_default_passwd_cb(ctx, passwdCallback);
}
String cipherlist = m_context[s_ciphers].toString();
if (cipherlist.empty()) {
cipherlist = "DEFAULT";
}
SSL_CTX_set_cipher_list(ctx, cipherlist.data());
String certfile = m_context[s_local_cert].toString();
if (!certfile.empty()) {
String resolved_path_buff = File::TranslatePath(certfile);
if (!resolved_path_buff.empty()) {
/* a certificate to use for authentication */
if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff.data())
!= 1) {
raise_warning("Unable to set local cert chain file `%s'; Check "
"that your cafile/capath settings include details of "
"your certificate and its issuer", certfile.data());
return nullptr;
}
if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff.data(),
SSL_FILETYPE_PEM) != 1) {
raise_warning("Unable to set private key file `%s'",
resolved_path_buff.data());
return nullptr;
}
SSL *tmpssl = SSL_new(ctx);
X509 *cert = SSL_get_certificate(tmpssl);
if (cert) {
EVP_PKEY *key = X509_get_pubkey(cert);
EVP_PKEY_copy_parameters(key, SSL_get_privatekey(tmpssl));
EVP_PKEY_free(key);
}
SSL_free(tmpssl);
if (!SSL_CTX_check_private_key(ctx)) {
raise_warning("Private key does not match certificate!");
}
}
}
SSL *ssl = SSL_new(ctx);
if (ssl) {
SSL_set_ex_data(ssl, GetSSLExDataIndex(), this); /* map SSL => stream */
}
return ssl;
}
X509* CertificateManager::loadCertificateFromFile(const char* file) {
SSL_CTX *context = SSL_CTX_new(SSLv23_server_method());
SSL_CTX_use_certificate_file(context, file, SSL_FILETYPE_PEM);
return SSL_get_certificate(SSL_new(context));
}
/*
* Wrapper around SSL_accept, returns -1 on error, 0 on success
*/
static int tls_accept(struct tcp_connection *c, short *poll_events)
{
int ret, err;
SSL *ssl;
X509* cert;
if ( (c->proto_flags&F_TLS_DO_ACCEPT)==0 ) {
LM_BUG("invalid connection state (bug in TLS code)\n");
return -1;
}
ssl = (SSL *) c->extra_data;
#ifndef OPENSSL_NO_KRB5
if ( ssl->kssl_ctx==NULL )
ssl->kssl_ctx = kssl_ctx_new( );
#endif
ret = SSL_accept(ssl);
#ifndef OPENSSL_NO_KRB5
if ( ssl->kssl_ctx ) {
kssl_ctx_free( ssl->kssl_ctx );
ssl->kssl_ctx = 0;
}
#endif
if (ret > 0) {
LM_INFO("New TLS connection from %s:%d accepted\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
/* TLS accept done, reset the flag */
c->proto_flags &= ~F_TLS_DO_ACCEPT;
LM_DBG("new TLS connection from %s:%d using %s %s %d\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port,
SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl),
SSL_get_cipher_bits(ssl, 0) );
LM_DBG("local socket: %s:%d\n",
ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port );
cert = SSL_get_peer_certificate(ssl);
if (cert != 0) {
tls_dump_cert_info("tls_accept: client TLS certificate", cert);
if (SSL_get_verify_result(ssl) != X509_V_OK) {
LM_WARN("TLS client certificate verification failed\n");
tls_dump_verification_failure(SSL_get_verify_result(ssl));
}
X509_free(cert);
} else {
LM_INFO("Client did not present a TLS certificate\n");
}
cert = SSL_get_certificate(ssl);
if (cert != 0) {
tls_dump_cert_info("tls_accept: local TLS server certificate",
cert);
} else {
/* this should not happen, servers always present a cert */
LM_ERR("local TLS server domain has no certificate\n");
}
return 0;
} else {
err = SSL_get_error(ssl, ret);
switch (err) {
case SSL_ERROR_ZERO_RETURN:
LM_INFO("TLS connection from %s:%d accept failed cleanly\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
c->state = S_CONN_BAD;
return -1;
case SSL_ERROR_WANT_READ:
if (poll_events)
*poll_events = POLLIN;
return 0;
case SSL_ERROR_WANT_WRITE:
if (poll_events)
*poll_events = POLLOUT;
return 0;
default:
c->state = S_CONN_BAD;
if (errno == 0) {
LM_ERR("New TLS connection from %s:%d failed to accept:"
" rejected by client\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
} else {
LM_ERR("New TLS connection from %s:%d failed to accept\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
LM_ERR("TLS error: (ret=%d, err=%d, errno=%d/%s):\n",
ret, err, errno, strerror(errno));
tls_print_errstack();
}
return -1;
}
}
LM_BUG("bug\n");
return -1;
}
/*
* wrapper around SSL_connect, returns 0 on success, -1 on error
*/
static int tls_connect(struct tcp_connection *c, short *poll_events)
{
int ret, err;
SSL *ssl;
X509* cert;
if ( (c->proto_flags&F_TLS_DO_CONNECT)==0 ) {
LM_BUG("invalid connection state (bug in TLS code)\n");
return -1;
}
ssl = (SSL *) c->extra_data;
ret = SSL_connect(ssl);
if (ret > 0) {
LM_INFO("New TLS connection to %s:%d established\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
c->proto_flags &= ~F_TLS_DO_CONNECT;
LM_DBG("new TLS connection to %s:%d using %s %s %d\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port,
SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl),
SSL_get_cipher_bits(ssl, 0)
);
LM_DBG("sending socket: %s:%d \n",
ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port
);
cert = SSL_get_peer_certificate(ssl);
if (cert != 0) {
tls_dump_cert_info("tls_connect: server TLS certificate", cert);
if (SSL_get_verify_result(ssl) != X509_V_OK) {
LM_WARN("TLS server certificate verification failed\n");
tls_dump_verification_failure(SSL_get_verify_result(ssl));
}
X509_free(cert);
} else {
/* this should not happen, servers always present a cert */
LM_ERR("server did not present a TLS certificate\n");
}
cert = SSL_get_certificate(ssl);
if (cert != 0) {
tls_dump_cert_info("tls_connect: local TLS client certificate",
cert);
} else {
LM_INFO("local TLS client domain does not have a certificate\n");
}
return 0;
} else {
err = SSL_get_error(ssl, ret);
switch (err) {
case SSL_ERROR_ZERO_RETURN:
LM_INFO("New TLS connection to %s:%d failed cleanly\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
c->state = S_CONN_BAD;
return -1;
case SSL_ERROR_WANT_READ:
if (poll_events)
*poll_events = POLLIN;
return 0;
case SSL_ERROR_WANT_WRITE:
if (poll_events)
*poll_events = POLLOUT;
return 0;
case SSL_ERROR_SYSCALL:
LM_ERR("SSL_ERROR_SYSCALL err=%s(%d)\n",
strerror(errno), errno);
default:
LM_ERR("New TLS connection to %s:%d failed\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
LM_ERR("TLS error: %d (ret=%d) err=%s(%d)\n",
err,ret,strerror(errno), errno);
c->state = S_CONN_BAD;
tls_print_errstack();
return -1;
}
}
LM_BUG("bug\n");
return -1;
}
static int openssl_ssl_get(lua_State*L)
{
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
int i;
int top = lua_gettop(L);
for (i = 2; i <= top; i++)
{
const char* what = luaL_checklstring(L, i, NULL);
if (strcmp(what, "fd") == 0)
{
lua_pushinteger(L, SSL_get_fd(s));
}
else if (strcmp(what, "rfd") == 0)
{
lua_pushinteger(L, SSL_get_rfd(s));
}
else if (strcmp(what, "wfd") == 0)
{
lua_pushinteger(L, SSL_get_wfd(s));
}
else if (strcmp(what, "client_CA_list") == 0)
{
STACK_OF(X509_NAME)* sn = SSL_get_client_CA_list(s);
PUSH_OBJECT(sn, "openssl.sk_x509_name");
}
else if (strcmp(what, "read_ahead") == 0)
{
lua_pushboolean(L, SSL_get_read_ahead(s));
}
else if (strcmp(what, "shared_ciphers") == 0)
{
char buf[LUAL_BUFFERSIZE] = {0};
lua_pushstring(L, SSL_get_shared_ciphers(s, buf, sizeof(buf)));
}
else if (strcmp(what, "cipher_list") == 0)
{
//TODO FIX
lua_pushstring(L, SSL_get_cipher_list(s, 0));
}
else if (strcmp(what, "verify_mode") == 0)
{
//FIX
lua_pushinteger(L, SSL_get_verify_mode(s));
}
else if (strcmp(what, "verify_depth") == 0)
{
lua_pushinteger(L, SSL_get_verify_depth(s));
}
else if (strcmp(what, "state_string") == 0)
{
lua_pushstring(L, SSL_state_string(s));
}
else if (strcmp(what, "state_string_long") == 0)
{
lua_pushstring(L, SSL_state_string_long(s));
}
else if (strcmp(what, "rstate_string") == 0)
{
lua_pushstring(L, SSL_rstate_string(s));
}
else if (strcmp(what, "rstate_string_long") == 0)
{
lua_pushstring(L, SSL_rstate_string_long(s));
}
else if (strcmp(what, "version") == 0)
{
lua_pushstring(L, SSL_get_version(s));
}
else if (strcmp(what, "iversion") == 0)
{
lua_pushinteger(L, SSL_version(s));
}
else if (strcmp(what, "default_timeout") == 0)
{
lua_pushinteger(L, SSL_get_default_timeout(s));
}
else if (strcmp(what, "certificate") == 0)
{
X509* cert = SSL_get_certificate(s);
PUSH_OBJECT(cert, "openssl.x509");
}
else if (strcmp(what, "verify_result") == 0)
{
long l = SSL_get_verify_result(s);
lua_pushinteger(L, l);
}
else if (strcmp(what, "version") == 0)
{
lua_pushstring(L, SSL_get_version(s));
}
else if (strcmp(what, "state") == 0)
{
lua_pushinteger(L, SSL_state(s));
}
else if (strcmp(what, "hostname") == 0)
{
lua_pushstring(L, SSL_get_servername(s, TLSEXT_NAMETYPE_host_name));
}
else
luaL_argerror(L, i, "can't understant");
}
return top - 1;
}
static
int cert_stuff(struct connectdata *conn,
SSL_CTX* ctx,
char *cert_file,
const char *cert_type,
char *key_file,
const char *key_type)
{
struct SessionHandle *data = conn->data;
int file_type;
if(cert_file != NULL) {
SSL *ssl;
X509 *x509;
if(data->set.key_passwd) {
#ifndef HAVE_USERDATA_IN_PWD_CALLBACK
/*
* If password has been given, we store that in the global
* area (*shudder*) for a while:
*/
size_t len = strlen(data->set.key_passwd);
if(len < sizeof(global_passwd))
memcpy(global_passwd, data->set.key_passwd, len+1);
#else
/*
* We set the password in the callback userdata
*/
SSL_CTX_set_default_passwd_cb_userdata(ctx,
data->set.key_passwd);
#endif
/* Set passwd callback: */
SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
}
file_type = do_file_type(cert_type);
switch(file_type) {
case SSL_FILETYPE_PEM:
/* SSL_CTX_use_certificate_chain_file() only works on PEM files */
if(SSL_CTX_use_certificate_chain_file(ctx,
cert_file) != 1) {
failf(data, "unable to set certificate file (wrong password?)");
return 0;
}
break;
case SSL_FILETYPE_ASN1:
/* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
we use the case above for PEM so this can only be performed with
ASN1 files. */
if(SSL_CTX_use_certificate_file(ctx,
cert_file,
file_type) != 1) {
failf(data, "unable to set certificate file (wrong password?)");
return 0;
}
break;
case SSL_FILETYPE_ENGINE:
failf(data, "file type ENG for certificate not implemented");
return 0;
default:
failf(data, "not supported file type '%s' for certificate", cert_type);
return 0;
}
file_type = do_file_type(key_type);
switch(file_type) {
case SSL_FILETYPE_PEM:
if(key_file == NULL)
/* cert & key can only be in PEM case in the same file */
key_file=cert_file;
case SSL_FILETYPE_ASN1:
if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {
failf(data, "unable to set private key file: '%s' type %s\n",
key_file, key_type?key_type:"PEM");
return 0;
}
break;
case SSL_FILETYPE_ENGINE:
#ifdef HAVE_OPENSSL_ENGINE_H
{ /* XXXX still needs some work */
EVP_PKEY *priv_key = NULL;
if(conn && conn->data && conn->data->engine) {
#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_METHOD *ui_method = UI_OpenSSL();
#endif
if(!key_file || !key_file[0]) {
failf(data, "no key set to load from crypto engine\n");
return 0;
}
/* the typecast below was added to please mingw32 */
priv_key = (EVP_PKEY *)
ENGINE_load_private_key(conn->data->engine,key_file,
#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
ui_method,
#endif
data->set.key_passwd);
if(!priv_key) {
failf(data, "failed to load private key from crypto engine\n");
return 0;
}
if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
failf(data, "unable to set private key\n");
EVP_PKEY_free(priv_key);
return 0;
}
EVP_PKEY_free(priv_key); /* we don't need the handle any more... */
}
else {
failf(data, "crypto engine not set, can't load private key\n");
return 0;
}
}
break;
#else
failf(data, "file type ENG for private key not supported\n");
return 0;
#endif
default:
failf(data, "not supported file type for private key\n");
return 0;
}
ssl=SSL_new(ctx);
x509=SSL_get_certificate(ssl);
/* This version was provided by Evan Jordan and is supposed to not
leak memory as the previous version: */
if(x509 != NULL) {
EVP_PKEY *pktmp = X509_get_pubkey(x509);
EVP_PKEY_copy_parameters(pktmp,SSL_get_privatekey(ssl));
EVP_PKEY_free(pktmp);
}
SSL_free(ssl);
/* If we are using DSA, we can copy the parameters from
* the private key */
/* Now we know that a key and cert have been set against
* the SSL context */
if(!SSL_CTX_check_private_key(ctx)) {
failf(data, "Private key does not match the certificate public key");
return(0);
}
#ifndef HAVE_USERDATA_IN_PWD_CALLBACK
/* erase it now */
memset(global_passwd, 0, sizeof(global_passwd));
#endif
}
return(1);
}
void Families::LoadCertificate (const std::string& filename)
{
SSL_CTX * ctx = SSL_CTX_new (TLS_method ());
int ret = SSL_CTX_use_certificate_file (ctx, filename.c_str (), SSL_FILETYPE_PEM);
if (ret)
{
SSL * ssl = SSL_new (ctx);
X509 * cert = SSL_get_certificate (ssl);
if (cert)
{
std::shared_ptr<i2p::crypto::Verifier> verifier;
// extract issuer name
char name[100];
X509_NAME_oneline (X509_get_issuer_name(cert), name, 100);
char * cn = strstr (name, "CN=");
if (cn)
{
cn += 3;
char * family = strstr (cn, ".family");
if (family) family[0] = 0;
}
auto pkey = X509_get_pubkey (cert);
int keyType = EVP_PKEY_base_id (pkey);
switch (keyType)
{
case EVP_PKEY_DSA:
// TODO:
break;
case EVP_PKEY_EC:
{
EC_KEY * ecKey = EVP_PKEY_get1_EC_KEY (pkey);
if (ecKey)
{
auto group = EC_KEY_get0_group (ecKey);
if (group)
{
int curve = EC_GROUP_get_curve_name (group);
if (curve == NID_X9_62_prime256v1)
{
uint8_t signingKey[64];
BIGNUM * x = BN_new(), * y = BN_new();
EC_POINT_get_affine_coordinates_GFp (group,
EC_KEY_get0_public_key (ecKey), x, y, NULL);
i2p::crypto::bn2buf (x, signingKey, 32);
i2p::crypto::bn2buf (y, signingKey + 32, 32);
BN_free (x); BN_free (y);
verifier = std::make_shared<i2p::crypto::ECDSAP256Verifier>();
verifier->SetPublicKey (signingKey);
}
else
LogPrint (eLogWarning, "Family: elliptic curve ", curve, " is not supported");
}
EC_KEY_free (ecKey);
}
break;
}
default:
LogPrint (eLogWarning, "Family: Certificate key type ", keyType, " is not supported");
}
EVP_PKEY_free (pkey);
if (verifier && cn)
m_SigningKeys[cn] = verifier;
}
SSL_free (ssl);
}
else
LogPrint (eLogError, "Family: Can't open certificate file ", filename);
SSL_CTX_free (ctx);
}
