static void regress_bufferevent_openssl(void *arg) { struct basic_test_data *data = arg; struct bufferevent *bev1, *bev2; SSL *ssl1, *ssl2; X509 *cert = getcert(); EVP_PKEY *key = getkey(); const int start_open = strstr((char*)data->setup_data, "open")!=NULL; const int filter = strstr((char*)data->setup_data, "filter")!=NULL; int flags = BEV_OPT_DEFER_CALLBACKS; struct bufferevent *bev_ll[2] = { NULL, NULL }; evutil_socket_t *fd_pair = NULL; tt_assert(cert); tt_assert(key); init_ssl(); if (strstr((char*)data->setup_data, "renegotiate")) { if (SSLeay() >= 0x10001000 && SSLeay() < 0x1000104f) { /* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2 * can't renegotiate with themselves. Disable. */ disable_tls_11_and_12 = 1; } renegotiate_at = 600; } ssl1 = SSL_new(get_ssl_ctx()); ssl2 = SSL_new(get_ssl_ctx()); SSL_use_certificate(ssl2, cert); SSL_use_PrivateKey(ssl2, key); if (! start_open) flags |= BEV_OPT_CLOSE_ON_FREE; if (!filter) { tt_assert(strstr((char*)data->setup_data, "socketpair")); fd_pair = data->pair; } else { bev_ll[0] = bufferevent_socket_new(data->base, data->pair[0], BEV_OPT_CLOSE_ON_FREE); bev_ll[1] = bufferevent_socket_new(data->base, data->pair[1], BEV_OPT_CLOSE_ON_FREE); } open_ssl_bufevs(&bev1, &bev2, data->base, 0, flags, ssl1, ssl2, fd_pair, bev_ll); if (!filter) { tt_int_op(bufferevent_getfd(bev1), ==, data->pair[0]); } else {
static void regress_bufferevent_openssl(void *arg) { struct basic_test_data *data = arg; struct bufferevent *bev1, *bev2; SSL *ssl1, *ssl2; X509 *cert = getcert(); EVP_PKEY *key = getkey(); const int start_open = strstr((char*)data->setup_data, "open")!=NULL; const int filter = strstr((char*)data->setup_data, "filter")!=NULL; int flags = BEV_OPT_DEFER_CALLBACKS; struct bufferevent *bev_ll[2] = { NULL, NULL }; int *fd_pair = NULL; tt_assert(cert); tt_assert(key); init_ssl(); ssl1 = SSL_new(get_ssl_ctx()); ssl2 = SSL_new(get_ssl_ctx()); SSL_use_certificate(ssl2, cert); SSL_use_PrivateKey(ssl2, key); if (! start_open) flags |= BEV_OPT_CLOSE_ON_FREE; if (strstr((char*)data->setup_data, "renegotiate")) renegotiate_at = 600; if (!filter) { tt_assert(strstr((char*)data->setup_data, "socketpair")); fd_pair = data->pair; } else { bev_ll[0] = bufferevent_socket_new(data->base, data->pair[0], BEV_OPT_CLOSE_ON_FREE); bev_ll[1] = bufferevent_socket_new(data->base, data->pair[1], BEV_OPT_CLOSE_ON_FREE); } open_ssl_bufevs(&bev1, &bev2, data->base, 0, flags, ssl1, ssl2, fd_pair, bev_ll); if (!filter) { tt_int_op(bufferevent_getfd(bev1), ==, data->pair[0]); } else {
int maxlevel(char *id, char *p, int *max) { certificate *temp=getcert(id); if (!temp) { *max=LEV_OBSPILOT; return 0; } if (!STRCASECMP(temp->password,p)) { *max=temp->level; temp->prevvisit=time(NULL); return 1; } *max=LEV_OBSPILOT; return 0; }
int servuser::execcert(char **array, int count) { certificate *c; if (count<10) return 0; configgroup *group=configman->getgroup("hosts"); configentry *entry=group?group->getentry("certificates"):(configentry*)NULL; int ok=entry?entry->inlist(array[9]):1; int level=atoi(array[7]); c=getcert(array[5]); time_t now=atoi(array[8]); switch (atoi(array[4])) { case CERT_ADD: if (!c) { if (ok) c=new certificate(array[5],array[6], level, now, array[9]); } else if (now>c->creation) { if (ok) c->configure(NULL, atoi(array[7]), now, array[9]); } else return 0; break; case CERT_DELETE: if (c) { if (ok) delete c; } else return 0; break; case CERT_MODIFY: if (c&&now>c->creation) { if (ok) c->configure(array[6],atoi(array[7]), now, array[9]); } else return 0; break; } return 1; }
void fsd::handlecidline(char *line) { certificate *tempcert; int mode, level; char *array[4], *cid, *pwd; if (line[0]==';'||line[0]=='#') return; if (breakargs(line, array, 4)<3) return; cid=array[0], level=atoi(array[2]), pwd=array[1]; tempcert=getcert(cid); if (!tempcert) { tempcert=new certificate(cid, pwd, level, mgmtime(), myserver->ident); mode=CERT_ADD; } else { tempcert->livecheck=1; if (!STRCASECMP(tempcert->password, pwd)&&level==tempcert->level) return; tempcert->configure(pwd, level, mgmtime(), myserver->ident); mode=CERT_MODIFY; } if (serverinterface) serverinterface->sendcert("*", mode, tempcert, NULL); }
int main(int argc, char *argv[]) { scep_t scep; int c, rc, bytes, fd; char filename[1024]; BIO *inbio = NULL, *outbio, *membio; char *conffile; struct tms start; /* start timekeeping */ times(&start); /* clean out the scep structure (some fields will be set by */ /* command line parsing routine) */ scep_clear(&scep); if (debug) fprintf(stderr, "%s:%d: cleared scep structure\n", __FILE__, __LINE__); /* initialize the OpenSSL library */ scepinit(); if (debug) fprintf(stderr, "%s:%d: initialized libraries\n", __FILE__, __LINE__); /* set umask to something not dangerous */ umask(022); /* read the command line arguments, if any */ while (EOF != (c = getopt(argc, argv, "df:"))) switch (c) { case 'd': debug++; break; case 'f': conffile = optarg; if (debug) fprintf(stderr, "%s:%d: config file is %s\n", __FILE__, __LINE__, conffile); break; } /* read the configuration file */ scep_config(&scep, (conffile) ? conffile : OPENSCEPDIR "/openscep.cnf"); /* initialize the LDAP backend */ scep_ldap_init(&scep); /* read the stuff from standard input and write it to a request */ /* file so that debugging becomes simpler */ inbio = BIO_new(BIO_s_file()); BIO_set_fp(inbio, stdin, BIO_NOCLOSE); membio = BIO_new(BIO_s_mem()); do { unsigned char buffer[1024]; bytes = BIO_read(inbio, buffer, sizeof(buffer)); if (bytes > 0) { BIO_write(membio, buffer, bytes); if (debug) BIO_printf(bio_err, "%s:%d: writing chunk of" "size %d\n", __FILE__, __LINE__, bytes); } else BIO_printf(bio_err, "%s:%d: no more data from inbio\n", __FILE__, __LINE__); } while (bytes > 0); BIO_flush(membio); /* the decode call does the following three things */ /* - verify the signed data PKCS#7 */ /* - extract the signed attributes */ /* - decrypt the enveloped data */ scep.request.base64 = 1; if (decode(&scep, membio) < 0) { BIO_printf(bio_err, "%s:%d: decode failed\n", __FILE__, __LINE__); syslog(LOG_ERR, "%s:%d: scepd failed to decode request", __FILE__, __LINE__); goto err; } BIO_free(membio); /* inform the debug log about the message we have received */ if (debug) { char name[1024]; BIO_printf(bio_err, "%s:%d: message with transaction id %s\n", __FILE__, __LINE__, scep.transId); X509_NAME_oneline(X509_get_subject_name((scep.selfsignedcert) ? scep.selfsignedcert : scep.clientcert), name, 1024); BIO_printf(bio_err, "%s:%d: sender is %s\n", __FILE__, __LINE__, name); } /* swap nonces and create a reply nonce */ if (scep.recipientNonce) { free(scep.recipientNonce); } scep.recipientNonce = scep.senderNonce; scep.recipientNonceLength = scep.senderNonceLength; scep.senderNonceLength = 16; scep.senderNonce = (unsigned char *)malloc(scep.senderNonceLength); RAND_bytes(scep.senderNonce, scep.senderNonceLength); /* branch according to message type */ if (scep.request.messageType == NULL) { syslog(LOG_ERR, "%s:%d: message of undefined type received", __FILE__, __LINE__); BIO_printf(bio_err, "%s:%d: undefined message type\n", __FILE__, __LINE__); goto err; } scep.reply.messageType = SCEP_MESSAGE_TYPE_CERTREP; switch (atoi(scep.request.messageType)) { case MSG_CERTREP: /* CertRep */ syslog(LOG_WARNING, "%s:%d: CertRep message, should not happen", __FILE__, __LINE__); if (debug) BIO_printf(bio_err, "%s:%d: CertRep message received\n", __FILE__, __LINE__); rc = certrep(&scep); break; case MSG_V2PROXY: /* proxy requests are checked during decoding */ /* at this point, we have an acceptable proxy request */ /* so we can fall through to a v2 request */ case MSG_V2REQUEST: /* v2 request received */ /* XXX fixme: implement version 2 */ rc = v2request(&scep); break; case MSG_PKCSREQ: /* PKCSReq */ syslog(LOG_INFO, "%s:%d: PKCSReq message received", __FILE__, __LINE__); if (debug) BIO_printf(bio_err, "%s:%d: PKCSReq message received\n", __FILE__, __LINE__); rc = pkcsreq(&scep); break; case MSG_GETCERTINITIAL: /* GetCertInitial */ syslog(LOG_INFO, "%s:%d: GetCertInitial message received", __FILE__, __LINE__); if (debug) BIO_printf(bio_err, "%s:%d: GetCertInitial message " "received\n", __FILE__, __LINE__); rc = getcertinitial(&scep); break; case MSG_GETCERT: /* GetCert */ syslog(LOG_INFO, "%s:%d: GetCert message received", __FILE__, __LINE__); if (debug) BIO_printf(bio_err, "%s:%d: GetCert message received\n", __FILE__, __LINE__); rc = getcert(&scep); break; case MSG_GETCRL: /* GetCRL */ syslog(LOG_INFO, "%s:%d: GetCRL message received", __FILE__, __LINE__); if (debug) BIO_printf(bio_err, "%s:%d: GetCRL message received\n", __FILE__, __LINE__); rc = getcrl(&scep); break; default: syslog(LOG_WARNING, "%s:%d: message of unknown type: %s", __FILE__, __LINE__, scep.request.messageType); BIO_printf(bio_err, "%s:%d: unknown message type: %s\n", __FILE__, __LINE__, scep.request.messageType); scep.reply.failinfo = SCEP_FAILURE_BADREQUEST; } prepreply: if (debug) BIO_printf(bio_err, "%s:%d: reply prepared, encoding follows\n", __FILE__, __LINE__); if (rc < 0) { /* create a failure reply by setting the failinfo field */ BIO_printf(bio_err, "%s:%d: bad return code from handler\n", __FILE__, __LINE__); scep.reply.failinfo = SCEP_FAILURE_BADREQUEST; } /* encode the reply */ if (encode(&scep) < 0) { BIO_printf(bio_err, "%s:%d: encoding failed\n", __FILE__, __LINE__); syslog(LOG_ERR, "%s:%d: scepd failed to encode the reply", __FILE__, __LINE__); goto err; } /* print a HTTP header */ if (debug) BIO_printf(bio_err, "%s:%d: preparing reply headers\n", __FILE__, __LINE__); printf("Content-Transfer-Encoding: 8bit\r\n"); printf("Content-Type: application/x-pki-message\r\n"); printf("Content-Length: %d\r\n\r\n", scep.reply.length); fflush(stdout); if (debug) BIO_printf(bio_err, "%s:%d: headers sent\n", __FILE__, __LINE__); /* return the result PKCS#7 as DER on stdout */ if (scep.reply.length != (bytes = write(fileno(stdout), scep.reply.data, scep.reply.length))) { BIO_printf(bio_err, "%s:%d: message write incomplete " "%d != %d\n", __FILE__, __LINE__, scep.reply.data, bytes); } printf("\r\n"); /* make sure message is properly closed */ if (debug) BIO_printf(bio_err, "%s:%d: %d bytes of content sent\n", __FILE__, __LINE__, bytes); /* write the same data also to a file for debugging */ if (debug) { snprintf(filename, sizeof(filename), "%s/%d.pkireply.der", tmppath, getpid()); fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0666); write(fd, scep.reply.data, scep.reply.length); close(fd); BIO_printf(bio_err, "%s:%d: reply written to file %s\n", __FILE__, __LINE__, filename); } BIO_free(outbio); /* successful completion */ ERR_print_errors(bio_err); /* just in case something is still there */ syslog(LOG_DEBUG, "%s:%d: scepd successfully completed", __FILE__, __LINE__); logtimes(&start); exit(EXIT_SUCCESS); /* but we may as well fail */ err: ERR_print_errors(bio_err); syslog(LOG_DEBUG, "%s:%d: scepd failed", __FILE__, __LINE__); logtimes(&start); exit(EXIT_FAILURE); }