static void test_fingerprint(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* both server & client with cert */ str_check(create_worker(&server, true, SERVER1, CA2, "peer-sha1=ssl/ca2_client2.crt.sha1", "peer-sha256=ssl/ca2_client2.crt.sha256", NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", "peer-sha1=ssl/ca1_server1.crt.sha1", "peer-sha256=ssl/ca1_server1.crt.sha256", NULL), "OK"); str_check(run_case(client, server), "OK"); /* client without cert */ str_check(create_worker(&server, true, SERVER1, CA1, "peer-sha1=ssl/ca2_client2.crt.sha1", "peer-sha256=ssl/ca2_client2.crt.sha256", NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "C:write!=3 - S:FP-sha1-fail"); end:; }
struct eap_sm *eap_sm_init(void *eapol_ctx, struct eapol_callbacks *eapol_cb, void *msg_ctx, struct eap_config *conf) { struct eap_sm *sm; struct tls_config tlsconf; sm = malloc(sizeof(*sm)); if (sm == NULL) return NULL; memset(sm, 0, sizeof(*sm)); sm->eapol_ctx = eapol_ctx; sm->eapol_cb = eapol_cb; sm->msg_ctx = msg_ctx; sm->ClientTimeout = 60; memset(&tlsconf, 0, sizeof(tlsconf)); tlsconf.opensc_engine_path = conf->opensc_engine_path; tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path; tlsconf.pkcs11_module_path = conf->pkcs11_module_path; sm->ssl_ctx = tls_init(&tlsconf); if (sm->ssl_ctx == NULL) { wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS " "context."); free(sm); return NULL; } return sm; }
static void test_verify(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* default: client checks server cert, succeeds */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "OK"); /* default: client checks server cert, fails due to bad ca */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA2, "host=example.com", NULL), "OK"); str_check(run_case(client, server), "C:certificate verify failed - S:tlsv1 alert unknown ca"); /* default: client checks server cert, fails due to bad hostname */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=example2.com", NULL), "OK"); str_check(run_case(client, server), "C:name `example2.com' not present in server certificate"); #if 0 /* client: aggressive close */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA1, "aggressive-close=1", "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "S:bad pkt: res=-1 err=read failed: EOF,S:close error: res=-1 err=shutdown failed: Broken pipe"); /* server: aggressive close */ str_check(create_worker(&server, true, SERVER1, "aggressive-close=1", NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "C:write failed: Broken pipe,C:close error: res=-1 err=shutdown failed: Success"); #endif end:; }
void connection_init_tls() { tls_init(); CurrentConnectionState.TlsConfiguration = tls_config_new(); CurrentConnectionState.ServerContext = tls_server(); CurrentConnectionState.ClientContext = tls_client(); tls_config_set_key_file(CurrentConnectionState.TlsConfiguration, CurrentConnectionState.PrivateKey); tls_config_set_cert_file(CurrentConnectionState.TlsConfiguration, CurrentConnectionState.CertificateFile); tls_config_insecure_noverifycert(CurrentConnectionState.TlsConfiguration); if(tls_configure(CurrentConnectionState.ServerContext, CurrentConnectionState.TlsConfiguration) != 0) { printf("%s\n", tls_error(CurrentConnectionState.ServerContext)); } if(tls_configure(CurrentConnectionState.ClientContext, CurrentConnectionState.TlsConfiguration) != 0) { printf("%s\n", tls_error(CurrentConnectionState.ClientContext)); } }
int main(void) { struct AATree aatree; struct CBTree *cbtree; struct md5_ctx md5; struct Heap *heap; char buf[128]; static_assert(sizeof(int) >= 4, "unsupported int size"); heap = heap_create(heap_is_better, NULL, NULL); heap_top(heap); aatree_init(&aatree, NULL, NULL); cbtree = cbtree_create(NULL, NULL, NULL, NULL); cbtree_destroy(cbtree); daemonize(NULL, false); hash_lookup3("foo", 3); if (!event_init()) log_debug("test"); if (!parse_ini_file("foo", NULL, NULL)) log_debug("test"); log_stats("1"); file_size("foo"); md5_reset(&md5); strlcpy(buf, "foo", sizeof(buf)); printf("xmalloc: %p\n", xmalloc(128)); if (0) die("0"); csrandom(); tls_init(); return 0; }
static void test_fingerprint(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* both server & client with cert */ str_check(create_worker(&server, true, SERVER1, CA2, "verify-client=1", "peer-sha1=ssl/ca2_client2.crt.sha1", "peer-sha256=ssl/ca2_client2.crt.sha256", NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", "peer-sha1=ssl/ca1_server1.crt.sha1", "peer-sha256=ssl/ca1_server1.crt.sha256", NULL), "OK"); str_check(run_case(client, server), "OK"); /* client without cert */ str_check(create_worker(&server, true, SERVER1, CA1, "verify-client=1", "peer-sha1=ssl/ca2_client2.crt.sha1", "peer-sha256=ssl/ca2_client2.crt.sha256", NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK"); str_any2(run_case(client, server), "C:sslv3 alert handshake failure - S:peer did not return a certificate", "C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate"); end:; }
int main(int argc, char *argv[]) { static struct WSAData wsa_state; TCHAR *c, stunnel_exe_path[MAX_PATH]; tls_init(); /* initialize thread-local storage */ /* set current working directory and engine path */ GetModuleFileName(0, stunnel_exe_path, MAX_PATH); c=_tcsrchr(stunnel_exe_path, TEXT('\\')); /* last backslash */ if(c) /* found */ c[1]=TEXT('\0'); /* truncate program name */ #ifndef _WIN32_WCE if(!SetCurrentDirectory(stunnel_exe_path)) { /* log to stderr, as s_log() is not initialized */ _ftprintf(stderr, TEXT("Cannot set directory to %s"), stunnel_exe_path); return 1; } #endif _tputenv(str_tprintf(TEXT("OPENSSL_ENGINES=%s"), stunnel_exe_path)); if(WSAStartup(MAKEWORD(1, 1), &wsa_state)) return 1; resolver_init(); main_init(); if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL)) daemon_loop(); main_cleanup(); return 0; }
int main(int argc, const char *argv[]) { assert(tls_init() == 0); return EXIT_SUCCESS; }
static void test_clientcert(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* ok: server checks server cert */ str_check(create_worker(&server, true, SERVER1, CA2, NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "OK"); /* fail: server rejects invalid cert */ str_check(create_worker(&server, true, SERVER1, CA1, NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "C:tlsv1 alert unknown ca - S:handshake failure"); /* noverifycert: server allow invalid cert */ str_check(create_worker(&server, true, SERVER1, CA1, "noverifycert=1", NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "OK"); /* allow client without cert */ str_check(create_worker(&server, true, SERVER1, CA2, NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "OK"); end:; }
int authsrv_init(struct hostapd_data *hapd) { #ifdef EAP_TLS_FUNCS if (hapd->conf->eap_server && (hapd->conf->ca_cert || hapd->conf->server_cert || hapd->conf->dh_file)) { struct tls_connection_params params; hapd->ssl_ctx = tls_init(NULL); if (hapd->ssl_ctx == NULL) { wpa_printf(MSG_ERROR, "Failed to initialize TLS"); authsrv_deinit(hapd); return -1; } os_memset(¶ms, 0, sizeof(params)); params.ca_cert = hapd->conf->ca_cert; params.client_cert = hapd->conf->server_cert; params.private_key = hapd->conf->private_key; params.private_key_passwd = hapd->conf->private_key_passwd; params.dh_file = hapd->conf->dh_file; if (tls_global_set_params(hapd->ssl_ctx, ¶ms)) { wpa_printf(MSG_ERROR, "Failed to set TLS parameters"); authsrv_deinit(hapd); return -1; } if (tls_global_set_verify(hapd->ssl_ctx, hapd->conf->check_crl)) { wpa_printf(MSG_ERROR, "Failed to enable check_crl"); authsrv_deinit(hapd); return -1; } } #endif /* EAP_TLS_FUNCS */ #ifdef EAP_SIM_DB if (hapd->conf->eap_sim_db) { hapd->eap_sim_db_priv = eap_sim_db_init(hapd->conf->eap_sim_db, hostapd_sim_db_cb, hapd); if (hapd->eap_sim_db_priv == NULL) { wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM " "database interface"); authsrv_deinit(hapd); return -1; } } #endif /* EAP_SIM_DB */ #ifdef RADIUS_SERVER if (hapd->conf->radius_server_clients && hostapd_setup_radius_srv(hapd)) return -1; #endif /* RADIUS_SERVER */ return 0; }
int main(void) { tls_client_t client = {0}; const char *gnutls_ver = NULL; time_t start = 0; time_t end = 0; int ret = 0; int i = 0; /* initialise signal handling */ set_signal(); coap_log_set_level(COAP_LOG_DEBUG); gnutls_ver = gnutls_check_version(NULL); if (gnutls_ver == NULL) { coap_log_error("Unable to determine GnuTLS version"); return EXIT_FAILURE; } coap_log_info("GnuTLS version: %s", gnutls_ver); ret = tls_init(); if (ret != SOCK_OK) { coap_log_error("%s", sock_strerror(ret)); return EXIT_FAILURE; } ret = tls_client_create(&client, TRUST_FILE_NAME, CERT_FILE_NAME, KEY_FILE_NAME); if (ret != SOCK_OK) { coap_log_error("%s", sock_strerror(ret)); tls_deinit(); return EXIT_FAILURE; } for (i = 0; i < NUM_ITER; i++) { start = time(NULL); ret = client_run(&client); end = time(NULL); if (ret != SOCK_OK) { coap_log_error("%s", sock_strerror(ret)); tls_client_destroy(&client); tls_deinit(); return EXIT_FAILURE; } coap_log_info("Result: %s", sock_strerror(ret)); coap_log_debug("Time: %d sec", (int)(end - start)); coap_log_debug("Sleeping for %d seconds...", DELAY); sleep(DELAY); } tls_client_destroy(&client); tls_deinit(); return EXIT_SUCCESS; }
struct tls_config * tls_config_new(void) { if (tls_init() == -1) return (NULL); return tls_config_new_internal(); }
/* * Called once (from main) to initialize STM infrastructure. */ _CALLCONV void stm_init(void) { #if CM == CM_MODULAR char *s; #endif /* CM == CM_MODULAR */ #ifdef SIGNAL_HANDLER struct sigaction act; #endif /* SIGNAL_HANDLER */ PRINT_DEBUG("==> stm_init()\n"); if (_tinystm.initialized) return; PRINT_DEBUG("\tsizeof(word)=%d\n", (int)sizeof(stm_word_t)); PRINT_DEBUG("\tVERSION_MAX=0x%lx\n", (unsigned long)VERSION_MAX); COMPILE_TIME_ASSERT(sizeof(stm_word_t) == sizeof(void *)); COMPILE_TIME_ASSERT(sizeof(stm_word_t) == sizeof(atomic_t)); #ifdef EPOCH_GC gc_init(stm_get_clock); #endif /* EPOCH_GC */ #if CM == CM_MODULAR s = getenv(VR_THRESHOLD); if (s != NULL) _tinystm.vr_threshold = (int)strtol(s, NULL, 10); else _tinystm.vr_threshold = VR_THRESHOLD_DEFAULT; PRINT_DEBUG("\tVR_THRESHOLD=%d\n", _tinystm.vr_threshold); #endif /* CM == CM_MODULAR */ /* Set locks and clock but should be already to 0 */ memset((void *)_tinystm.locks, 0, LOCK_ARRAY_SIZE * sizeof(stm_word_t)); CLOCK = 0; stm_quiesce_init(); tls_init(); #ifdef SIGNAL_HANDLER if (getenv(NO_SIGNAL_HANDLER) == NULL) { /* Catch signals for non-faulting load */ act.sa_handler = signal_catcher; act.sa_flags = 0; sigemptyset(&act.sa_mask); if (sigaction(SIGBUS, &act, NULL) < 0 || sigaction(SIGSEGV, &act, NULL) < 0) { perror("sigaction"); exit(1); } } #endif /* SIGNAL_HANDLER */ _tinystm.initialized = 1; }
int main(int argc, char *argv[]) { struct tls_config *conf; struct tls *ctx; struct tls_cert_info *cert; int res; const char *host; if (argc < 2) errx(1, "give host as arg\n"); host = argv[1]; res = tls_init(); if (res < 0) errx(1, "tls_init"); conf = tls_config_new(); if (!conf) errx(1, "tls_config_new"); tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL); tls_config_set_ciphers(conf, "fast"); ctx = tls_client(); if (!ctx) errx(1, "tls_client"); res = tls_configure(ctx, conf); if (res < 0) errx(1, "tls_configure: %s", tls_error(ctx)); res = tls_connect(ctx, host, "443"); if (res < 0) errx(1, "tls_connect: %s", tls_error(ctx)); printf("connect ok\n"); res = tls_get_peer_cert(ctx, &cert); if (res < 0) errx(1, "tls_get_peer_cert: %s", tls_error(ctx)); tls_close(ctx); tls_free(ctx); tls_config_free(conf); printf(" CN='%s'\n", cert->subject.common_name); printf(" C='%s'\n", cert->subject.country_name); printf(" ST='%s'\n", cert->subject.state_or_province_name); printf(" L='%s'\n", cert->subject.locality_name); printf(" S='%s'\n", cert->subject.street_address); printf(" O='%s'\n", cert->subject.organization_name); printf(" OU='%s'\n", cert->subject.organizational_unit_name); tls_cert_free(cert); return 0; }
static void init_subsystems() { shared_init(); heap_init(); signal_init(); process_init(); tls_init(); vfs_init(); dbt_init(); }
void server() { // load Config File and Settings fprintf(stdout, "Starting fidistat Server...\n"); openlog("fidistat-server", LOG_PID, LOG_DAEMON); syslog(LOG_INFO, "Started Fidistat Server"); struct pidfh *pfh = daemon_start('s'); // Handle Signals signal(SIGTERM, handleSigterm_S); signal(SIGCHLD, handleChild); // Open Socket initConf(); tls_init(); struct tls* ctx = tls_server(); int sock = initTLS_S(ctx); sckt = sock; int connfd, pid; listen(sock, 10); // Destroy Config destroyConf(); while(!term) { connfd = accept(sock, (struct sockaddr*) NULL, NULL); if (term) { break; } pid = fork(); if (pid < 0) { syslog(LOG_ERR, "forking new Worker failed"); } else if (pid == 0) { close(sock); syslog(LOG_INFO, "New incoming connection"); worker(connfd, ctx); syslog(LOG_INFO, "Closing connection"); exit(0); } else { close(connfd); } } syslog(LOG_INFO, "Shutting down Server"); close(sock); tls_close(ctx); tls_free(ctx); tls_config_free(tlsServer_conf); pidfile_remove(pfh); syslog(LOG_INFO, "Stopped Fidistat Server"); closelog(); exit(0); }
int main(int argc, char* argv[]) { /* execution begins here 8-) */ int retval; #ifdef M_MMAP_THRESHOLD mallopt(M_MMAP_THRESHOLD, 4096); #endif tls_init(); /* initialize thread-local storage */ retval=main_unix(argc, argv); main_cleanup(); return retval; }
static void test_cipher_nego(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* server key is EC:secp384r1 - ECDHE-ECDSA */ str_check(create_worker(&server, true, "show=ciphers", SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA1, "ciphers=AESGCM", "host=server1.com", NULL), "OK"); str_any3(run_case(client, server), "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=secp384r1", "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=X25519", "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384"); /* server key is RSA - ECDHE-RSA */ str_check(create_worker(&server, true, "show=ciphers", SERVER2, NULL), "OK"); str_check(create_worker(&client, false, CA2, "ciphers=AESGCM", "host=server2.com", NULL), "OK"); str_any3(run_case(client, server), "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1", "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519", "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384"); /* server key is RSA - DHE-RSA */ str_check(create_worker(&server, true, SERVER2, "show=ciphers", "dheparams=auto", NULL), "OK"); str_check(create_worker(&client, false, CA2, "ciphers=EDH+AESGCM", "host=server2.com", NULL), "OK"); str_check(run_case(client, server), "TLSv1.2/DHE-RSA-AES256-GCM-SHA384/DH=2048"); /* server key is RSA - ECDHE-RSA */ str_check(create_worker(&server, true, SERVER2, "show=ciphers", NULL), "OK"); str_check(create_worker(&client, false, CA2, "ciphers=EECDH+AES", "host=server2.com", NULL), "OK"); str_any3(run_case(client, server), "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1", "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519", "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384"); end:; }
static void test_set_mem(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* both server & client with cert */ str_check(create_worker(&server, true, "mem=1", SERVER1, CA2, NULL), "OK"); str_check(create_worker(&client, false, "mem=1", CLIENT2, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "OK"); end:; }
int mutt_ssl_socket_setup (CONNECTION* conn) { if (tls_init() < 0) return -1; conn->conn_open = tls_socket_open; conn->conn_read = tls_socket_read; conn->conn_write = tls_socket_write; conn->conn_close = tls_socket_close; conn->conn_poll = raw_socket_poll; return 0; }
/** * mutt_ssl_socket_setup - Set up SSL socket mulitplexor * @param conn Connection to a server * @retval 0 Success * @retval -1 Error */ int mutt_ssl_socket_setup(struct Connection *conn) { if (tls_init() < 0) return -1; conn->conn_open = tls_socket_open; conn->conn_read = tls_socket_read; conn->conn_write = tls_socket_write; conn->conn_close = tls_socket_close; conn->conn_poll = raw_socket_poll; return 0; }
/** * mutt_ssl_starttls - Set up TLS multiplexor * @param conn Connection to a server * @retval 0 Success * @retval -1 Error */ int mutt_ssl_starttls(struct Connection *conn) { if (tls_init() < 0) return -1; if (tls_negotiate(conn) < 0) return -1; conn->conn_read = tls_socket_read; conn->conn_write = tls_socket_write; conn->conn_close = tls_starttls_close; return 0; }
int mutt_ssl_starttls (CONNECTION* conn) { if (tls_init() < 0) return -1; if (tls_negotiate (conn) < 0) return -1; conn->conn_read = tls_socket_read; conn->conn_write = tls_socket_write; conn->conn_close = tls_starttls_close; return 0; }
int ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) { Sockbuf *sb; char *host; void *ssl; if ( !conn ) return LDAP_PARAM_ERROR; sb = conn->lconn_sb; if( srv ) { host = srv->lud_host; } else { host = conn->lconn_server->lud_host; } /* avoid NULL host */ if( host == NULL ) { host = "localhost"; } (void) tls_init( tls_imp ); /* * Fortunately, the lib uses blocking io... */ if ( ldap_int_tls_connect( ld, conn ) < 0 ) { ld->ld_errno = LDAP_CONNECT_ERROR; return (ld->ld_errno); } ssl = ldap_pvt_tls_sb_ctx( sb ); assert( ssl != NULL ); /* * compare host with name(s) in certificate */ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); if (ld->ld_errno != LDAP_SUCCESS) { return ld->ld_errno; } } return LDAP_SUCCESS; }
static void test_clientcert(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* ok: server checks client cert */ str_check(create_worker(&server, true, SERVER1, CA2, "verify-client=1", NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "OK"); /* fail: server rejects invalid cert */ str_check(create_worker(&server, true, SERVER1, CA1, "verify-client=1", NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK"); str_any3(run_case(client, server), "C:tlsv1 alert unknown ca - S:no certificate returned", "C:tlsv1 alert unknown ca,C:shutdown while in init - S:certificate verify failed", "C:tlsv1 alert unknown ca - S:certificate verify failed"); /* noverifycert: server allow invalid cert */ str_check(create_worker(&server, true, SERVER1, CA1, "noverifycert=1", NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "OK"); /* verify-client: don't allow client without cert */ str_check(create_worker(&server, true, SERVER1, CA2, "verify-client=1", NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK"); str_any2(run_case(client, server), "C:sslv3 alert handshake failure - S:peer did not return a certificate", "C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate"); /* verify-client-optional: allow client without cert */ str_check(create_worker(&server, true, SERVER1, CA2, "verify-client-optional=1", NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK"); str_check(run_case(client, server), "OK"); end:; }
static void test_cert_info(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* server shows client cert */ str_check(create_worker(&server, true, "show=peer-cert", SERVER1, CA2, "peer-sha1=ssl/ca2_client2.crt.sha1", "peer-sha256=ssl/ca2_client2.crt.sha256", "verify-client=1", NULL), "OK"); str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", "peer-sha1=ssl/ca1_server1.crt.sha1", "peer-sha256=ssl/ca1_server1.crt.sha256", NULL), "OK"); str_check(run_case(client, server), "Subject: /CN=client2/C=XX/ST=State2/L=City2/O=Org2" " Issuer: /CN=TestCA2" " Serial: 1387724136048036785122419970010419099185643835502" " NotBefore: 2010-01-01T08:05:00Z" " NotAfter: 2060-12-31T23:55:00Z"); /* client shows server cert - utf8 */ str_check(create_worker(&server, true, COMPLEX1, NULL), "OK"); str_check(create_worker(&client, false, CA1, "show=peer-cert", "host=complex1.com", NULL), "OK"); str_check(run_case(client, server), "Subject: /CN=complex1.com/ST=様々な論争を引き起こしてきた。/L=Kõzzä" " Issuer: /CN=TestCA1/C=AA/ST=State1/L=City1/O=Org1" " Serial: 1113692385315072860785465640275941003895485612482" " NotBefore: 2010-01-01T08:05:00Z" " NotAfter: 2060-12-31T23:55:00Z"); /* client shows server cert - t61/bmp */ str_check(create_worker(&server, true, COMPLEX2, NULL), "OK"); str_check(create_worker(&client, false, CA2, "show=peer-cert", "host=complex2.com", NULL), "OK"); str_check(run_case(client, server), "Subject: /CN=complex2.com/ST=様々な論争を引き起こしてきた。/L=Kõzzä" " Issuer: /CN=TestCA2" " Serial: 344032136906054686761742495217219742691739762030" " NotBefore: 2010-01-01T08:05:00Z" " NotAfter: 2060-12-31T23:55:00Z"); end:; }
static void test_noverifyname(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* noverifyname: client checks server cert, ignore bad hostname */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA1, "host=example2.com", "noverifyname=1", NULL), "OK"); str_check(run_case(client, server), "OK"); /* noverifyname: client checks server cert, ignore NULL hostname */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA1, "noverifyname=1", NULL), "OK"); str_check(run_case(client, server), "OK"); end:; }
int main(int const argc, char const *const *const argv) { // Depending on how async_pool and async_fs are configured, we might be // using our own thread pool heavily or not. However, at the minimum, // uv_getaddrinfo uses the libuv thread pool, and it blocks on the // network, so don't set this number too low. if(!getenv("UV_THREADPOOL_SIZE")) putenv((char *)"UV_THREADPOOL_SIZE=4"); raiserlimit(); async_init(); int rc = tls_init(); if(rc < 0) { alogf("TLS initialization error: %s\n", strerror(errno)); return 1; } if(2 != argc || '-' == argv[1][0]) { alogf("Usage:\n\t" "%s repo\n", argv[0]); return 1; } path = argv[1]; // Even our init code wants to use async I/O. async_spawn(STACK_DEFAULT, init, NULL); uv_run(async_loop, UV_RUN_DEFAULT); async_spawn(STACK_DEFAULT, term, NULL); uv_run(async_loop, UV_RUN_DEFAULT); // cleanup is separate from term because connections might // still be active. async_spawn(STACK_DEFAULT, cleanup, NULL); uv_run(async_loop, UV_RUN_DEFAULT); async_destroy(); // TODO: Windows? if(sig) raise(sig); return 0; }
static int eap_example_server_init_tls(rlm_eap_t *inst) { struct tls_config tconf; os_memset(&tconf, 0, sizeof(tconf)); inst->tls_ctx = tls_init(&tconf); if (inst->tls_ctx == NULL) return -1; if (tls_global_set_params(inst->tls_ctx, &inst->tparams)) { radlog(L_ERR, "rlm_eap2: Failed to set TLS parameters"); return -1; } if (tls_global_set_verify(inst->tls_ctx, 0)) { radlog(L_ERR, "rlm_eap2: Failed to set check_crl"); return -1; } return 0; }
static void test_noverifycert(void *z) { struct Worker *server = NULL, *client = NULL; tt_assert(tls_init() == 0); /* noverifycert: client ignores cert */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA2, "host=server1.com", "noverifycert=1", NULL), "OK"); str_check(run_case(client, server), "OK"); /* noverifycert: client ignores cert, but checks hostname */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA2, "host=server2.com", "noverifycert=1", NULL), "OK"); str_check(run_case(client, server), "C:name `server2.com' not present in server certificate"); /* noverifycert: client ignores both cert, hostname */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA2, "host=server2.com", "noverifycert=1", "noverifyname=1", NULL), "OK"); str_check(run_case(client, server), "OK"); /* noverifycert: client ignores both cert, hostname (=NULL) */ str_check(create_worker(&server, true, SERVER1, NULL), "OK"); str_check(create_worker(&client, false, CA2, "noverifycert=1", "noverifyname=1", NULL), "OK"); str_check(run_case(client, server), "OK"); end:; }