static liHandlerResult openssl_setenv(liVRequest *vr, gpointer param, gpointer *context) { liConnection *con; openssl_connection_ctx *conctx; SSL *ssl; X509 *x0=NULL, *x1=NULL; guint params = GPOINTER_TO_UINT(param); UNUSED(context); if (!(con = li_connection_from_vrequest(vr)) || !(con->srv_sock && con->srv_sock->new_cb == openssl_con_new) || !(conctx = con->con_sock.data) || !(ssl = li_openssl_filter_ssl(conctx->ssl_filter))) return LI_HANDLER_GO_ON; if ((params & SE_CLIENT) && (x1 || (x1 = SSL_get_peer_certificate(ssl)))) openssl_setenv_X509_add_entries(vr, x1, CONST_STR_LEN("SSL_CLIENT_S_DN_")); if ((params & SE_CLIENT_CERT) && (x1 || (x1 = SSL_get_peer_certificate(ssl)))) openssl_setenv_X509_add_PEM(vr, x1, CONST_STR_LEN("SSL_CLIENT_CERT")); if ((params & SE_SERVER) && (x0 || (x0 = SSL_get_certificate(ssl)))) openssl_setenv_X509_add_entries(vr, x0, CONST_STR_LEN("SSL_SERVER_S_DN_")); if ((params & SE_SERVER_CERT) && (x0 || (x0 = SSL_get_certificate(ssl)))) openssl_setenv_X509_add_PEM(vr, x0, CONST_STR_LEN("SSL_SERVER_CERT")); /* only peer increases ref count */ if (x1) X509_free(x1); return LI_HANDLER_GO_ON; }
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer) { CryptoCert cert; X509* remote_cert; STACK_OF(X509) *chain; if (peer) remote_cert = SSL_get_peer_certificate(tls->ssl); else remote_cert = X509_dup(SSL_get_certificate(tls->ssl)); if (!remote_cert) { WLog_ERR(TAG, "failed to get the server TLS certificate"); return NULL; } cert = malloc(sizeof(*cert)); if (!cert) { X509_free(remote_cert); return NULL; } cert->px509 = remote_cert; /* Get the peer's chain. If it does not exist, we're setting NULL (clean data either way) */ chain = SSL_get_peer_cert_chain(tls->ssl); cert->px509chain = chain; return cert; }
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer) { CryptoCert cert; X509* remote_cert; if (peer) remote_cert = SSL_get_peer_certificate(tls->ssl); else remote_cert = X509_dup( SSL_get_certificate(tls->ssl) ); if (!remote_cert) { WLog_ERR(TAG, "failed to get the server TLS certificate"); return NULL; } cert = malloc(sizeof(*cert)); if (!cert) { X509_free(remote_cert); return NULL; } cert->px509 = remote_cert; return cert; }
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer) { CryptoCert cert; X509* remote_cert; if (peer) remote_cert = SSL_get_peer_certificate(tls->ssl); else remote_cert = X509_dup( SSL_get_certificate(tls->ssl) ); if (!remote_cert) { DEBUG_WARN( "%s: failed to get the server TLS certificate\n", __FUNCTION__); return NULL; } cert = malloc(sizeof(*cert)); if (!cert) { X509_free(remote_cert); return NULL; } cert->px509 = remote_cert; return cert; }
int eventer_ssl_get_local_commonname(eventer_ssl_ctx_t *ctx, char *buff, int len) { char *out = NULL; X509_NAME *name; X509 *cert = SSL_get_certificate(ctx->ssl); if(cert == NULL) return -1; name = X509_get_subject_name(cert); if(name) { int pos; if(-1 != (pos = X509_NAME_get_index_by_NID(name, NID_commonName, -1))) { X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, pos); if(entry) { ASN1_STRING *entryData = X509_NAME_ENTRY_get_data( entry ); unsigned char *utf8; int length = ASN1_STRING_to_UTF8( &utf8, entryData ); strlcpy(buff, (const char *)utf8, MIN(length+1,len)); out = buff; OPENSSL_free( utf8 ); } } } X509_free(cert); if(out) return strlen(out); return -1; }
static int get_cert(X509** cert, struct tcp_connection** c, struct sip_msg* msg, int my) { SSL* ssl; *cert = 0; *c = get_cur_connection(msg); if (!(*c)) { INFO("TLS connection not found\n"); return -1; } ssl = get_ssl(*c); if (!ssl) goto err; *cert = my ? SSL_get_certificate(ssl) : SSL_get_peer_certificate(ssl); if (!*cert) { if (my) { ERR("Unable to retrieve my TLS certificate from SSL structure\n"); } else { ERR("Unable to retrieve peer TLS certificate from SSL structure\n"); } goto err; } return 0; err: tcpconn_put(*c); return -1; }
static int tlso_session_my_dn( tls_session *sess, struct berval *der_dn ) { tlso_session *s = (tlso_session *)sess; X509 *x; X509_NAME *xn; x = SSL_get_certificate( s ); if (!x) return LDAP_INVALID_CREDENTIALS; xn = X509_get_subject_name(x); #if OPENSSL_VERSION_NUMBER < 0x10100000 der_dn->bv_len = i2d_X509_NAME( xn, NULL ); der_dn->bv_val = xn->bytes->data; #else { size_t len = 0; der_dn->bv_val = NULL; X509_NAME_get0_der( (const unsigned char **)&der_dn->bv_val, &len, xn ); der_dn->bv_len = len; } #endif /* Don't X509_free, the session is still using it */ return 0; }
char * be_tls_get_certificate_hash(Port *port, size_t *len) { #ifdef HAVE_X509_GET_SIGNATURE_NID X509 *server_cert; char *cert_hash; const EVP_MD *algo_type = NULL; unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */ unsigned int hash_size; int algo_nid; *len = 0; server_cert = SSL_get_certificate(port->ssl); if (server_cert == NULL) return NULL; /* * Get the signature algorithm of the certificate to determine the hash * algorithm to use for the result. */ if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert), &algo_nid, NULL)) elog(ERROR, "could not determine server certificate signature algorithm"); /* * The TLS server's certificate bytes need to be hashed with SHA-256 if * its signature algorithm is MD5 or SHA-1 as per RFC 5929 * (https://tools.ietf.org/html/rfc5929#section-4.1). If something else * is used, the same hash as the signature algorithm is used. */ switch (algo_nid) { case NID_md5: case NID_sha1: algo_type = EVP_sha256(); break; default: algo_type = EVP_get_digestbynid(algo_nid); if (algo_type == NULL) elog(ERROR, "could not find digest for NID %s", OBJ_nid2sn(algo_nid)); break; } /* generate and save the certificate hash */ if (!X509_digest(server_cert, algo_type, hash, &hash_size)) elog(ERROR, "could not generate server certificate hash"); cert_hash = palloc(hash_size); memcpy(cert_hash, hash, hash_size); *len = hash_size; return cert_hash; #else ereport(ERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("channel binding type \"tls-server-end-point\" is not supported by this build"))); return NULL; #endif }
SSLSocket::SSLSocket(const char *host, uint16_t port, const char *CAfile, const char *CRTfile, const char *KEYfile, void *passwd, int timeout, bool verify) { loadSSL(); ctx = sslCreateCtx(true, verify, CAfile, CRTfile, KEYfile, passwd); m_sock = sslConnect(host, port, timeout); buffer = new SocketBuffer(this); clientName = getCommonName(SSL_get_certificate(conn.sslHandle)); serverName = getCommonName(SSL_get_peer_certificate(conn.sslHandle)); }
SSLSocket::SSLSocket(connection c) { loadSSL(); ctx = NULL; m_sock = c.socket; conn.socket = c.socket; conn.sslHandle = c.sslHandle; buffer = new SocketBuffer(this); clientName = getCommonName(SSL_get_peer_certificate(conn.sslHandle)); serverName = getCommonName(SSL_get_certificate(conn.sslHandle)); }
static void * _SSL_get_sess_obj(SSL *ssl, int type) { void *obj = NULL; switch (type) { case 0: obj = X509_get_pubkey(SSL_get_certificate(ssl)); break; case 1: obj = SSL_get_privatekey(ssl); break; case 2: obj = SSL_get_certificate(ssl); break; } return (obj); }
CWBool CWSecurityInitSessionClient(CWSocket sock, CWNetworkLev4Address *addrPtr, CWSafeList packetReceiveList, CWSecurityContext ctx, CWSecuritySession *sessionPtr, int *PMTUPtr) { BIO *sbio = NULL; CWNetworkLev4Address peer; int peerlen = sizeof(peer); int i; if(ctx == NULL || sessionPtr == NULL || PMTUPtr == NULL) return CWErrorRaise(CW_ERROR_WRONG_ARG, NULL); if((*sessionPtr = SSL_new(ctx)) == NULL) { CWSecurityRaiseError(CW_ERROR_CREATING); } #ifdef CW_DEBUGGING CWDebugLog("My Certificate"); PEM_write_X509(stdout, SSL_get_certificate(*sessionPtr)); #endif if((sbio = BIO_new_memory(sock, addrPtr, packetReceiveList)) == NULL) { SSL_free(*sessionPtr); CWSecurityRaiseError(CW_ERROR_CREATING); } if (getsockname(sock, (struct sockaddr*)&peer, (void *)&peerlen) < 0) { SSL_free(*sessionPtr); CWSecurityRaiseSystemError(CW_ERROR_GENERAL); } i = BIO_ctrl_set_connected(sbio, 1, &peer); //BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); // TO-DO (pass MTU?) BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_MTU, 10000, NULL); // TO-DO if we don't set a big MTU, thw DTLS implementation will // not be able to use a big certificate // Let the verify_callback catch the verify_depth error so that we get // an appropriate error in the logfile. SSL_set_verify_depth((*sessionPtr), CW_DTLS_CERT_VERIFY_DEPTH + 1); SSL_set_read_ahead( (*sessionPtr), 1); // required by DTLS implementation to avoid data loss SSL_set_bio((*sessionPtr), sbio, sbio); SSL_set_connect_state((*sessionPtr)); CWDebugLog("Before HS"); CWSecurityManageSSLError( SSL_do_handshake(*sessionPtr), *sessionPtr, SSL_free(*sessionPtr););
static int tlso_session_my_dn( tls_session *sess, struct berval *der_dn ) { tlso_session *s = (tlso_session *)sess; X509 *x; X509_NAME *xn; x = SSL_get_certificate( s ); if (!x) return LDAP_INVALID_CREDENTIALS; xn = X509_get_subject_name(x); der_dn->bv_len = i2d_X509_NAME( xn, NULL ); der_dn->bv_val = xn->bytes->data; /* Don't X509_free, the session is still using it */ return 0; }
static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) { int rc; X509 *cert; u_char *p; ngx_connection_t *c; ngx_ssl_stapling_t *staple; c = ngx_ssl_get_connection(ssl_conn); ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL certificate status callback"); rc = SSL_TLSEXT_ERR_NOACK; cert = SSL_get_certificate(ssl_conn); staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); if (staple == NULL) { return rc; } if (staple->staple.len && staple->valid >= ngx_time()) { /* we have to copy ocsp response as OpenSSL will free it by itself */ p = OPENSSL_malloc(staple->staple.len); if (p == NULL) { ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed"); return SSL_TLSEXT_ERR_NOACK; } ngx_memcpy(p, staple->staple.data, staple->staple.len); SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len); rc = SSL_TLSEXT_ERR_OK; } ngx_ssl_stapling_update(staple); return rc; }
/* Get the SSL state of the socket in a buffer */ static char *getOssState(MprSocket *sp) { OpenSocket *osp; MprBuf *buf; X509 *cert; char subject[512], issuer[512]; osp = sp->sslSocket; buf = mprCreateBuf(0, 0); mprPutToBuf(buf, "{\"provider\":\"openssl\",\"cipher\":\"%s\",\"session\":\"%s\",", SSL_get_cipher(osp->handle), sp->session); mprPutToBuf(buf, "\"peer\":\"%s\",", sp->peerName); mprPutToBuf(buf, "\"%s\":{", sp->acceptIp ? "client" : "server"); if ((cert = SSL_get_peer_certificate(osp->handle)) != 0) { X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer) -1); mprPutToBuf(buf, "\"issuer\": {"); parseCertFields(buf, &issuer[1]); mprPutToBuf(buf, "},"); X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject) -1); mprPutToBuf(buf, "\"subject\": {"); parseCertFields(buf, &subject[1]); mprPutToBuf(buf, "},"); X509_free(cert); } if ((cert = SSL_get_certificate(osp->handle)) != 0) { mprPutToBuf(buf, "\"issuer\": {"); X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer) -1); parseCertFields(buf, &issuer[1]); mprPutToBuf(buf, "},"); mprPutToBuf(buf, "\"subject\": {"); X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject) -1); parseCertFields(buf, &subject[1]); mprPutToBuf(buf, "},"); /* Don't call X509_free on own cert */ } mprAdjustBufEnd(buf, -1); mprPutToBuf(buf, "}}"); return mprBufToString(buf); }
int syslog_sign_init() { SSL *ssl; sign_global_conf = EVP_MD_CTX_create(); EVP_MD_CTX_init(sign_global_conf); if (ssl = SSL_new(ssl_global_conf)) { dprintf("Try to get keys from TLS X.509 cert...\n"); if (!(xcert = SSL_get_certificate(ssl))) { logerror("SSL_get_certificate() failed"); SSL_free(ssl); return EXIT_FAILURE; } if (!(eprivkey = SSL_get_privatekey(ssl))) { logerror("SSL_get_privatekey() failed"); SSL_free(ssl); return EXIT_FAILURE; } if (!(epubkey = X509_get_pubkey(xcert))) { logerror("X509_get_pubkey() failed"); SSL_free(ssl); return EXIT_FAILURE; } } SSL_free(ssl); if (EVP_PKEY_DSA != EVP_PKEY_type(epubkey->type)) { dprintf("X.509 cert has no DSA key\n"); EVP_PKEY_free(epubkey); eprivkey = NULL; epubkey = NULL; } else { dprintf("Got public and private key " "from X.509 --> use type PKIX\n"); sign_method = EVP_dss1(); } }
/* Get the SSL state of the socket in a buffer */ static char *getOssState(MprSocket *sp) { OpenSocket *osp; MprBuf *buf; X509_NAME *xSubject; X509 *cert; char *prefix, subject[512], issuer[512], peer[512]; osp = sp->sslSocket; buf = mprCreateBuf(0, 0); mprPutToBuf(buf, "PROVIDER=openssl,CIPHER=%s,SESSION=%s,", SSL_get_cipher(osp->handle), sp->session); if ((cert = SSL_get_peer_certificate(osp->handle)) == 0) { mprPutToBuf(buf, "%s=\"none\",", sp->acceptIp ? "CLIENT_CERT" : "SERVER_CERT"); } else { xSubject = X509_get_subject_name(cert); X509_NAME_get_text_by_NID(xSubject, NID_commonName, peer, sizeof(peer) - 1); mprPutToBuf(buf, "PEER=\"%s\",", peer); prefix = sp->acceptIp ? "CLIENT_" : "SERVER_"; X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject) -1); parseCertFields(buf, prefix, "S_", &subject[1]); X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer) -1); parseCertFields(buf, prefix, "I_", &issuer[1]); X509_free(cert); } if ((cert = SSL_get_certificate(osp->handle)) != 0) { prefix = sp->acceptIp ? "SERVER_" : "CLIENT_"; X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject) -1); parseCertFields(buf, prefix, "S_", &subject[1]); X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer) -1); parseCertFields(buf, prefix, "I_", &issuer[1]); /* Don't call X509_free on own cert */ } return mprGetBufStart(buf); }
/* * call-seq: * ssl.cert => cert or nil */ static VALUE ossl_ssl_get_cert(VALUE self) { SSL *ssl; X509 *cert = NULL; Data_Get_Struct(self, SSL, ssl); if (ssl) { rb_warning("SSL session is not started yet."); return Qnil; } /* * Is this OpenSSL bug? Should add a ref? * TODO: Ask for. */ cert = SSL_get_certificate(ssl); /* NO DUPs => DON'T FREE. */ if (!cert) { return Qnil; } return ossl_x509_new(cert); }
static CryptoCert tls_get_certificate(rdpTls* tls, boolean peer) { CryptoCert cert; X509* server_cert; if (peer) server_cert = SSL_get_peer_certificate(tls->ssl); else server_cert = SSL_get_certificate(tls->ssl); if (!server_cert) { printf("tls_get_certificate: failed to get the server TLS certificate\n"); cert = NULL; } else { cert = xmalloc(sizeof(*cert)); cert->px509 = server_cert; } return cert; }
static void workaround_openssl_certchain_bug(struct openconnect_info *vpninfo, SSL *ssl) { /* OpenSSL has problems with certificate chains -- if there are multiple certs with the same name, it doesn't necessarily choose the _right_ one. (RT#1942) Pick the right ones for ourselves and add them manually. */ X509 *cert = SSL_get_certificate(ssl); X509 *cert2; X509_STORE *store = SSL_CTX_get_cert_store(vpninfo->https_ctx); X509_STORE_CTX ctx; if (!cert || !store) return; /* If we already have 'supporting' certs, don't add them again */ if (vpninfo->https_ctx->extra_certs) return; if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) return; while (ctx.get_issuer(&cert2, &ctx, cert) == 1) { char buf[200]; if (cert2 == cert) break; if (X509_check_issued(cert2, cert2) == X509_V_OK) break; cert = cert2; X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); vpn_progress(vpninfo, PRG_DEBUG, _("Extra cert from cafile: '%s'\n"), buf); SSL_CTX_add_extra_chain_cert(vpninfo->https_ctx, cert); } X509_STORE_CTX_cleanup(&ctx); }
static inline int get_cert(X509** cert, struct tcp_connection** c, struct sip_msg* msg, int my) { SSL* ssl; *cert = 0; *c = get_cur_connection(msg); if (!(*c)) { LM_INFO("TLS connection not found\n"); return -1; } ssl = get_ssl(*c); if (!ssl) goto err; *cert = my ? SSL_get_certificate(ssl) : SSL_get_peer_certificate(ssl); if (!*cert) { LM_ERR("failed to get certificate from SSL structure\n"); goto err; } return 0; err: tcpconn_put(*c); return -1; }
/// loads one PEM file with one certificate, no chain, no CA int Certificate::loadCertificateFromFile( void ) { const int certificateFileCheckResult = validateCertificateFilename(m_certfn); if(certificateFileCheckResult < 0) return certificateFileCheckResult; m_ssl = SSL_new( SSL_CTX_new( SSLv23_method() ) ); SSL_use_certificate_file( m_ssl, m_certfn.c_str(), m_type); // or like this, including a CA // SSL_CTX_use_certificate_chain_file( _ssl_ctx, fname.c_str() ); X509 *x509crt = SSL_get_certificate( m_ssl ); // validity format is here: // https://github.com/openssl/openssl/commit/f48b83b4fb7d6689584cf25f61ca63a4891f5b11 // in fact these are strings in UTC format, need to convert them into time_t to become useful m_time_end = _timeASN1toTIME_T( x509crt->cert_info->validity->notAfter ); remainingValidityTime(); LOG(Log::INF) << " certificate remaining time= " << remainingDays() << "days " << remainingHours() << ":" << remainingMins() << ":" << remainingSecs(); return( 0 ); }
static void setup_ssl(tcptest_t *item) { static int ssl_init_complete = 0; struct servent *sp; char portinfo[100]; X509 *peercert; char *certcn, *certstart, *certend; int err; strbuffer_t *sslinfo; char msglin[2048]; item->sslrunning = 1; if (!ssl_init_complete) { /* Setup entropy */ if (RAND_status() != 1) { char path[PATH_MAX]; /* Path for the random file */ /* load entropy from files */ RAND_load_file(RAND_file_name(path, sizeof (path)), -1); /* load entropy from egd sockets */ RAND_egd("/var/run/egd-pool"); RAND_egd("/dev/egd-pool"); RAND_egd("/etc/egd-pool"); RAND_egd("/var/spool/prngd/pool"); /* shuffle $RANDFILE (or ~/.rnd if unset) */ RAND_write_file(RAND_file_name(path, sizeof (path))); if (RAND_status() != 1) { errprintf("Failed to find enough entropy on your system"); item->errcode = CONTEST_ESSL; return; } } SSL_load_error_strings(); SSL_library_init(); ssl_init_complete = 1; } if (item->sslctx == NULL) { switch (item->ssloptions->sslversion) { case SSLVERSION_V2: item->sslctx = SSL_CTX_new(SSLv2_client_method()); break; case SSLVERSION_V3: item->sslctx = SSL_CTX_new(SSLv3_client_method()); break; case SSLVERSION_TLS1: item->sslctx = SSL_CTX_new(TLSv1_client_method()); break; default: item->sslctx = SSL_CTX_new(SSLv23_client_method()); break; } if (!item->sslctx) { char sslerrmsg[256]; ERR_error_string(ERR_get_error(), sslerrmsg); errprintf("Cannot create SSL context - IP %s, service %s: %s\n", inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg); item->sslrunning = 0; item->errcode = CONTEST_ESSL; return; } /* Workaround SSL bugs */ SSL_CTX_set_options(item->sslctx, SSL_OP_ALL); SSL_CTX_set_quiet_shutdown(item->sslctx, 1); /* Limit set of ciphers, if user wants to */ if (item->ssloptions->cipherlist) SSL_CTX_set_cipher_list(item->sslctx, item->ssloptions->cipherlist); if (item->ssloptions->clientcert) { int status; char certfn[PATH_MAX]; SSL_CTX_set_default_passwd_cb(item->sslctx, cert_password_cb); SSL_CTX_set_default_passwd_cb_userdata(item->sslctx, item); sprintf(certfn, "%s/certs/%s", xgetenv("XYMONHOME"), item->ssloptions->clientcert); status = SSL_CTX_use_certificate_chain_file(item->sslctx, certfn); if (status == 1) { status = SSL_CTX_use_PrivateKey_file(item->sslctx, certfn, SSL_FILETYPE_PEM); } if (status != 1) { char sslerrmsg[256]; ERR_error_string(ERR_get_error(), sslerrmsg); errprintf("Cannot load SSL client certificate/key %s: %s\n", item->ssloptions->clientcert, sslerrmsg); item->sslrunning = 0; item->errcode = CONTEST_ESSL; return; } } } if (item->ssldata == NULL) { item->ssldata = SSL_new(item->sslctx); if (!item->ssldata) { char sslerrmsg[256]; ERR_error_string(ERR_get_error(), sslerrmsg); errprintf("SSL_new failed - IP %s, service %s: %s\n", inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg); item->sslrunning = 0; SSL_CTX_free(item->sslctx); item->errcode = CONTEST_ESSL; return; } /* Verify that the client certificate is working */ if (item->ssloptions->clientcert) { X509 *x509; x509 = SSL_get_certificate(item->ssldata); if(x509 != NULL) { EVP_PKEY *pktmp = X509_get_pubkey(x509); EVP_PKEY_copy_parameters(pktmp,SSL_get_privatekey(item->ssldata)); EVP_PKEY_free(pktmp); } if (!SSL_CTX_check_private_key(item->sslctx)) { errprintf("Private/public key mismatch for certificate %s\n", item->ssloptions->clientcert); item->sslrunning = 0; item->errcode = CONTEST_ESSL; return; } } /* SSL setup is done. Now attach the socket FD to the SSL protocol handler */ if (SSL_set_fd(item->ssldata, item->fd) != 1) { char sslerrmsg[256]; ERR_error_string(ERR_get_error(), sslerrmsg); errprintf("Could not initiate SSL on connection - IP %s, service %s: %s\n", inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg); item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx); item->errcode = CONTEST_ESSL; return; } } sp = getservbyport(item->addr.sin_port, "tcp"); if (sp) { sprintf(portinfo, "%s (%d/tcp)", sp->s_name, item->addr.sin_port); } else { sprintf(portinfo, "%d/tcp", item->addr.sin_port); } if ((err = SSL_connect(item->ssldata)) != 1) { char sslerrmsg[256]; switch (SSL_get_error (item->ssldata, err)) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: item->sslrunning = SSLSETUP_PENDING; break; case SSL_ERROR_SYSCALL: ERR_error_string(ERR_get_error(), sslerrmsg); /* Filter out the bogus SSL error */ if (strstr(sslerrmsg, "error:00000000:") == NULL) { errprintf("IO error in SSL_connect to %s on host %s: %s\n", portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg); } item->errcode = CONTEST_ESSL; item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx); break; case SSL_ERROR_SSL: ERR_error_string(ERR_get_error(), sslerrmsg); errprintf("Unspecified SSL error in SSL_connect to %s on host %s: %s\n", portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg); item->errcode = CONTEST_ESSL; item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx); break; default: ERR_error_string(ERR_get_error(), sslerrmsg); errprintf("Unknown error %d in SSL_connect to %s on host %s: %s\n", err, portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg); item->errcode = CONTEST_ESSL; item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx); break; } return; } /* If we get this far, the SSL handshake has completed. So grab the certificate */ peercert = SSL_get_peer_certificate(item->ssldata); if (!peercert) { errprintf("Cannot get peer certificate for %s on host %s\n", portinfo, inet_ntoa(item->addr.sin_addr)); item->errcode = CONTEST_ESSL; item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx); return; } sslinfo = newstrbuffer(0); certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0); certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert))); certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert))); snprintf(msglin, sizeof(msglin), "Server certificate:\n\tsubject:%s\n\tstart date: %s\n\texpire date:%s\n", certcn, certstart, certend); addtobuffer(sslinfo, msglin); item->certsubject = strdup(certcn); item->certexpires = sslcert_expiretime(certend); xfree(certcn); xfree(certstart); xfree(certend); X509_free(peercert); /* We list the available ciphers in the SSL cert data */ { int i; STACK_OF(SSL_CIPHER) *sk; addtobuffer(sslinfo, "\nAvailable ciphers:\n"); sk = SSL_get_ciphers(item->ssldata); for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { int b1, b2; char *cph; b1 = SSL_CIPHER_get_bits(sk_SSL_CIPHER_value(sk,i), &b2); cph = SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk,i)); snprintf(msglin, sizeof(msglin), "Cipher %d: %s (%d bits)\n", i, cph, b1); addtobuffer(sslinfo, msglin); if ((item->mincipherbits == 0) || (b1 < item->mincipherbits)) item->mincipherbits = b1; } } item->certinfo = grabstrbuffer(sslinfo); }
SSL *SSLSocket::createSSL(SSL_CTX *ctx) { ERR_clear_error(); /* look at options in the stream and set appropriate verification flags */ if (m_context[s_verify_peer].toBoolean()) { /* turn on verification callback */ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verifyCallback); /* CA stuff */ String cafile = m_context[s_cafile].toString(); String capath = m_context[s_capath].toString(); if (!cafile.empty() || !capath.empty()) { if (!SSL_CTX_load_verify_locations(ctx, cafile.data(), capath.data())) { raise_warning("Unable to set verify locations `%s' `%s'", cafile.data(), capath.data()); return nullptr; } } int64_t depth = m_context[s_verify_depth].toInt64(); if (depth) { SSL_CTX_set_verify_depth(ctx, depth); } } else { SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, nullptr); } /* callback for the passphrase (for localcert) */ if (!m_context[s_passphrase].toString().empty()) { SSL_CTX_set_default_passwd_cb_userdata(ctx, this); SSL_CTX_set_default_passwd_cb(ctx, passwdCallback); } String cipherlist = m_context[s_ciphers].toString(); if (cipherlist.empty()) { cipherlist = "DEFAULT"; } SSL_CTX_set_cipher_list(ctx, cipherlist.data()); String certfile = m_context[s_local_cert].toString(); if (!certfile.empty()) { String resolved_path_buff = File::TranslatePath(certfile); if (!resolved_path_buff.empty()) { /* a certificate to use for authentication */ if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff.data()) != 1) { raise_warning("Unable to set local cert chain file `%s'; Check " "that your cafile/capath settings include details of " "your certificate and its issuer", certfile.data()); return nullptr; } if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff.data(), SSL_FILETYPE_PEM) != 1) { raise_warning("Unable to set private key file `%s'", resolved_path_buff.data()); return nullptr; } SSL *tmpssl = SSL_new(ctx); X509 *cert = SSL_get_certificate(tmpssl); if (cert) { EVP_PKEY *key = X509_get_pubkey(cert); EVP_PKEY_copy_parameters(key, SSL_get_privatekey(tmpssl)); EVP_PKEY_free(key); } SSL_free(tmpssl); if (!SSL_CTX_check_private_key(ctx)) { raise_warning("Private key does not match certificate!"); } } } SSL *ssl = SSL_new(ctx); if (ssl) { SSL_set_ex_data(ssl, GetSSLExDataIndex(), this); /* map SSL => stream */ } return ssl; }
X509* CertificateManager::loadCertificateFromFile(const char* file) { SSL_CTX *context = SSL_CTX_new(SSLv23_server_method()); SSL_CTX_use_certificate_file(context, file, SSL_FILETYPE_PEM); return SSL_get_certificate(SSL_new(context)); }
/* * Wrapper around SSL_accept, returns -1 on error, 0 on success */ static int tls_accept(struct tcp_connection *c, short *poll_events) { int ret, err; SSL *ssl; X509* cert; if ( (c->proto_flags&F_TLS_DO_ACCEPT)==0 ) { LM_BUG("invalid connection state (bug in TLS code)\n"); return -1; } ssl = (SSL *) c->extra_data; #ifndef OPENSSL_NO_KRB5 if ( ssl->kssl_ctx==NULL ) ssl->kssl_ctx = kssl_ctx_new( ); #endif ret = SSL_accept(ssl); #ifndef OPENSSL_NO_KRB5 if ( ssl->kssl_ctx ) { kssl_ctx_free( ssl->kssl_ctx ); ssl->kssl_ctx = 0; } #endif if (ret > 0) { LM_INFO("New TLS connection from %s:%d accepted\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); /* TLS accept done, reset the flag */ c->proto_flags &= ~F_TLS_DO_ACCEPT; LM_DBG("new TLS connection from %s:%d using %s %s %d\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port, SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl), SSL_get_cipher_bits(ssl, 0) ); LM_DBG("local socket: %s:%d\n", ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port ); cert = SSL_get_peer_certificate(ssl); if (cert != 0) { tls_dump_cert_info("tls_accept: client TLS certificate", cert); if (SSL_get_verify_result(ssl) != X509_V_OK) { LM_WARN("TLS client certificate verification failed\n"); tls_dump_verification_failure(SSL_get_verify_result(ssl)); } X509_free(cert); } else { LM_INFO("Client did not present a TLS certificate\n"); } cert = SSL_get_certificate(ssl); if (cert != 0) { tls_dump_cert_info("tls_accept: local TLS server certificate", cert); } else { /* this should not happen, servers always present a cert */ LM_ERR("local TLS server domain has no certificate\n"); } return 0; } else { err = SSL_get_error(ssl, ret); switch (err) { case SSL_ERROR_ZERO_RETURN: LM_INFO("TLS connection from %s:%d accept failed cleanly\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); c->state = S_CONN_BAD; return -1; case SSL_ERROR_WANT_READ: if (poll_events) *poll_events = POLLIN; return 0; case SSL_ERROR_WANT_WRITE: if (poll_events) *poll_events = POLLOUT; return 0; default: c->state = S_CONN_BAD; if (errno == 0) { LM_ERR("New TLS connection from %s:%d failed to accept:" " rejected by client\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); } else { LM_ERR("New TLS connection from %s:%d failed to accept\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); LM_ERR("TLS error: (ret=%d, err=%d, errno=%d/%s):\n", ret, err, errno, strerror(errno)); tls_print_errstack(); } return -1; } } LM_BUG("bug\n"); return -1; }
/* * wrapper around SSL_connect, returns 0 on success, -1 on error */ static int tls_connect(struct tcp_connection *c, short *poll_events) { int ret, err; SSL *ssl; X509* cert; if ( (c->proto_flags&F_TLS_DO_CONNECT)==0 ) { LM_BUG("invalid connection state (bug in TLS code)\n"); return -1; } ssl = (SSL *) c->extra_data; ret = SSL_connect(ssl); if (ret > 0) { LM_INFO("New TLS connection to %s:%d established\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); c->proto_flags &= ~F_TLS_DO_CONNECT; LM_DBG("new TLS connection to %s:%d using %s %s %d\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port, SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl), SSL_get_cipher_bits(ssl, 0) ); LM_DBG("sending socket: %s:%d \n", ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port ); cert = SSL_get_peer_certificate(ssl); if (cert != 0) { tls_dump_cert_info("tls_connect: server TLS certificate", cert); if (SSL_get_verify_result(ssl) != X509_V_OK) { LM_WARN("TLS server certificate verification failed\n"); tls_dump_verification_failure(SSL_get_verify_result(ssl)); } X509_free(cert); } else { /* this should not happen, servers always present a cert */ LM_ERR("server did not present a TLS certificate\n"); } cert = SSL_get_certificate(ssl); if (cert != 0) { tls_dump_cert_info("tls_connect: local TLS client certificate", cert); } else { LM_INFO("local TLS client domain does not have a certificate\n"); } return 0; } else { err = SSL_get_error(ssl, ret); switch (err) { case SSL_ERROR_ZERO_RETURN: LM_INFO("New TLS connection to %s:%d failed cleanly\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); c->state = S_CONN_BAD; return -1; case SSL_ERROR_WANT_READ: if (poll_events) *poll_events = POLLIN; return 0; case SSL_ERROR_WANT_WRITE: if (poll_events) *poll_events = POLLOUT; return 0; case SSL_ERROR_SYSCALL: LM_ERR("SSL_ERROR_SYSCALL err=%s(%d)\n", strerror(errno), errno); default: LM_ERR("New TLS connection to %s:%d failed\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); LM_ERR("TLS error: %d (ret=%d) err=%s(%d)\n", err,ret,strerror(errno), errno); c->state = S_CONN_BAD; tls_print_errstack(); return -1; } } LM_BUG("bug\n"); return -1; }
static int openssl_ssl_get(lua_State*L) { SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl"); int i; int top = lua_gettop(L); for (i = 2; i <= top; i++) { const char* what = luaL_checklstring(L, i, NULL); if (strcmp(what, "fd") == 0) { lua_pushinteger(L, SSL_get_fd(s)); } else if (strcmp(what, "rfd") == 0) { lua_pushinteger(L, SSL_get_rfd(s)); } else if (strcmp(what, "wfd") == 0) { lua_pushinteger(L, SSL_get_wfd(s)); } else if (strcmp(what, "client_CA_list") == 0) { STACK_OF(X509_NAME)* sn = SSL_get_client_CA_list(s); PUSH_OBJECT(sn, "openssl.sk_x509_name"); } else if (strcmp(what, "read_ahead") == 0) { lua_pushboolean(L, SSL_get_read_ahead(s)); } else if (strcmp(what, "shared_ciphers") == 0) { char buf[LUAL_BUFFERSIZE] = {0}; lua_pushstring(L, SSL_get_shared_ciphers(s, buf, sizeof(buf))); } else if (strcmp(what, "cipher_list") == 0) { //TODO FIX lua_pushstring(L, SSL_get_cipher_list(s, 0)); } else if (strcmp(what, "verify_mode") == 0) { //FIX lua_pushinteger(L, SSL_get_verify_mode(s)); } else if (strcmp(what, "verify_depth") == 0) { lua_pushinteger(L, SSL_get_verify_depth(s)); } else if (strcmp(what, "state_string") == 0) { lua_pushstring(L, SSL_state_string(s)); } else if (strcmp(what, "state_string_long") == 0) { lua_pushstring(L, SSL_state_string_long(s)); } else if (strcmp(what, "rstate_string") == 0) { lua_pushstring(L, SSL_rstate_string(s)); } else if (strcmp(what, "rstate_string_long") == 0) { lua_pushstring(L, SSL_rstate_string_long(s)); } else if (strcmp(what, "version") == 0) { lua_pushstring(L, SSL_get_version(s)); } else if (strcmp(what, "iversion") == 0) { lua_pushinteger(L, SSL_version(s)); } else if (strcmp(what, "default_timeout") == 0) { lua_pushinteger(L, SSL_get_default_timeout(s)); } else if (strcmp(what, "certificate") == 0) { X509* cert = SSL_get_certificate(s); PUSH_OBJECT(cert, "openssl.x509"); } else if (strcmp(what, "verify_result") == 0) { long l = SSL_get_verify_result(s); lua_pushinteger(L, l); } else if (strcmp(what, "version") == 0) { lua_pushstring(L, SSL_get_version(s)); } else if (strcmp(what, "state") == 0) { lua_pushinteger(L, SSL_state(s)); } else if (strcmp(what, "hostname") == 0) { lua_pushstring(L, SSL_get_servername(s, TLSEXT_NAMETYPE_host_name)); } else luaL_argerror(L, i, "can't understant"); } return top - 1; }
static int cert_stuff(struct connectdata *conn, SSL_CTX* ctx, char *cert_file, const char *cert_type, char *key_file, const char *key_type) { struct SessionHandle *data = conn->data; int file_type; if(cert_file != NULL) { SSL *ssl; X509 *x509; if(data->set.key_passwd) { #ifndef HAVE_USERDATA_IN_PWD_CALLBACK /* * If password has been given, we store that in the global * area (*shudder*) for a while: */ size_t len = strlen(data->set.key_passwd); if(len < sizeof(global_passwd)) memcpy(global_passwd, data->set.key_passwd, len+1); #else /* * We set the password in the callback userdata */ SSL_CTX_set_default_passwd_cb_userdata(ctx, data->set.key_passwd); #endif /* Set passwd callback: */ SSL_CTX_set_default_passwd_cb(ctx, passwd_callback); } file_type = do_file_type(cert_type); switch(file_type) { case SSL_FILETYPE_PEM: /* SSL_CTX_use_certificate_chain_file() only works on PEM files */ if(SSL_CTX_use_certificate_chain_file(ctx, cert_file) != 1) { failf(data, "unable to set certificate file (wrong password?)"); return 0; } break; case SSL_FILETYPE_ASN1: /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but we use the case above for PEM so this can only be performed with ASN1 files. */ if(SSL_CTX_use_certificate_file(ctx, cert_file, file_type) != 1) { failf(data, "unable to set certificate file (wrong password?)"); return 0; } break; case SSL_FILETYPE_ENGINE: failf(data, "file type ENG for certificate not implemented"); return 0; default: failf(data, "not supported file type '%s' for certificate", cert_type); return 0; } file_type = do_file_type(key_type); switch(file_type) { case SSL_FILETYPE_PEM: if(key_file == NULL) /* cert & key can only be in PEM case in the same file */ key_file=cert_file; case SSL_FILETYPE_ASN1: if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) { failf(data, "unable to set private key file: '%s' type %s\n", key_file, key_type?key_type:"PEM"); return 0; } break; case SSL_FILETYPE_ENGINE: #ifdef HAVE_OPENSSL_ENGINE_H { /* XXXX still needs some work */ EVP_PKEY *priv_key = NULL; if(conn && conn->data && conn->data->engine) { #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS UI_METHOD *ui_method = UI_OpenSSL(); #endif if(!key_file || !key_file[0]) { failf(data, "no key set to load from crypto engine\n"); return 0; } /* the typecast below was added to please mingw32 */ priv_key = (EVP_PKEY *) ENGINE_load_private_key(conn->data->engine,key_file, #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS ui_method, #endif data->set.key_passwd); if(!priv_key) { failf(data, "failed to load private key from crypto engine\n"); return 0; } if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) { failf(data, "unable to set private key\n"); EVP_PKEY_free(priv_key); return 0; } EVP_PKEY_free(priv_key); /* we don't need the handle any more... */ } else { failf(data, "crypto engine not set, can't load private key\n"); return 0; } } break; #else failf(data, "file type ENG for private key not supported\n"); return 0; #endif default: failf(data, "not supported file type for private key\n"); return 0; } ssl=SSL_new(ctx); x509=SSL_get_certificate(ssl); /* This version was provided by Evan Jordan and is supposed to not leak memory as the previous version: */ if(x509 != NULL) { EVP_PKEY *pktmp = X509_get_pubkey(x509); EVP_PKEY_copy_parameters(pktmp,SSL_get_privatekey(ssl)); EVP_PKEY_free(pktmp); } SSL_free(ssl); /* If we are using DSA, we can copy the parameters from * the private key */ /* Now we know that a key and cert have been set against * the SSL context */ if(!SSL_CTX_check_private_key(ctx)) { failf(data, "Private key does not match the certificate public key"); return(0); } #ifndef HAVE_USERDATA_IN_PWD_CALLBACK /* erase it now */ memset(global_passwd, 0, sizeof(global_passwd)); #endif } return(1); }
void Families::LoadCertificate (const std::string& filename) { SSL_CTX * ctx = SSL_CTX_new (TLS_method ()); int ret = SSL_CTX_use_certificate_file (ctx, filename.c_str (), SSL_FILETYPE_PEM); if (ret) { SSL * ssl = SSL_new (ctx); X509 * cert = SSL_get_certificate (ssl); if (cert) { std::shared_ptr<i2p::crypto::Verifier> verifier; // extract issuer name char name[100]; X509_NAME_oneline (X509_get_issuer_name(cert), name, 100); char * cn = strstr (name, "CN="); if (cn) { cn += 3; char * family = strstr (cn, ".family"); if (family) family[0] = 0; } auto pkey = X509_get_pubkey (cert); int keyType = EVP_PKEY_base_id (pkey); switch (keyType) { case EVP_PKEY_DSA: // TODO: break; case EVP_PKEY_EC: { EC_KEY * ecKey = EVP_PKEY_get1_EC_KEY (pkey); if (ecKey) { auto group = EC_KEY_get0_group (ecKey); if (group) { int curve = EC_GROUP_get_curve_name (group); if (curve == NID_X9_62_prime256v1) { uint8_t signingKey[64]; BIGNUM * x = BN_new(), * y = BN_new(); EC_POINT_get_affine_coordinates_GFp (group, EC_KEY_get0_public_key (ecKey), x, y, NULL); i2p::crypto::bn2buf (x, signingKey, 32); i2p::crypto::bn2buf (y, signingKey + 32, 32); BN_free (x); BN_free (y); verifier = std::make_shared<i2p::crypto::ECDSAP256Verifier>(); verifier->SetPublicKey (signingKey); } else LogPrint (eLogWarning, "Family: elliptic curve ", curve, " is not supported"); } EC_KEY_free (ecKey); } break; } default: LogPrint (eLogWarning, "Family: Certificate key type ", keyType, " is not supported"); } EVP_PKEY_free (pkey); if (verifier && cn) m_SigningKeys[cn] = verifier; } SSL_free (ssl); } else LogPrint (eLogError, "Family: Can't open certificate file ", filename); SSL_CTX_free (ctx); }