/* init_ssl()
*
* inputs - nothing
* output - nothing
* side effects - setups SSL context.
*/
static void
ssl_init(void)
{
#ifdef HAVE_LIBCRYPTO
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
if (!(ConfigServerInfo.server_ctx = SSL_CTX_new(SSLv23_server_method())))
{
const char *s = ERR_lib_error_string(ERR_get_error());
fprintf(stderr, "ERROR: Could not initialize the SSL Server context -- %s\n", s);
ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the SSL Server context -- %s", s);
exit(EXIT_FAILURE);
return; /* Not reached */
}
SSL_CTX_set_options(ConfigServerInfo.server_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
SSL_CTX_set_options(ConfigServerInfo.server_ctx, SSL_OP_SINGLE_DH_USE|SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_verify(ConfigServerInfo.server_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
always_accept_verify_cb);
SSL_CTX_set_session_cache_mode(ConfigServerInfo.server_ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_cipher_list(ConfigServerInfo.server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL");
#if OPENSSL_VERSION_NUMBER >= 0x009080FFL && !defined(OPENSSL_NO_ECDH)
{
EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (key)
{
SSL_CTX_set_tmp_ecdh(ConfigServerInfo.server_ctx, key);
EC_KEY_free(key);
}
}
SSL_CTX_set_options(ConfigServerInfo.server_ctx, SSL_OP_SINGLE_ECDH_USE);
#endif
if (!(ConfigServerInfo.client_ctx = SSL_CTX_new(SSLv23_client_method())))
{
const char *s = ERR_lib_error_string(ERR_get_error());
fprintf(stderr, "ERROR: Could not initialize the SSL Client context -- %s\n", s);
ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the SSL Client context -- %s", s);
exit(EXIT_FAILURE);
return; /* Not reached */
}
SSL_CTX_set_options(ConfigServerInfo.client_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
SSL_CTX_set_options(ConfigServerInfo.client_ctx, SSL_OP_SINGLE_DH_USE);
SSL_CTX_set_verify(ConfigServerInfo.client_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
always_accept_verify_cb);
SSL_CTX_set_session_cache_mode(ConfigServerInfo.client_ctx, SSL_SESS_CACHE_OFF);
#endif /* HAVE_LIBCRYPTO */
}
u2fs_rc decode_user_key(const unsigned char *data, u2fs_EC_KEY_t ** key)
{
if (key == NULL)
return U2FS_MEMORY_ERROR;
EC_GROUP *ecg = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
*key = (u2fs_EC_KEY_t *) EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
EC_POINT *point = EC_POINT_new(ecg);
point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED;
EC_GROUP_set_point_conversion_form(ecg, pcf);
if (EC_POINT_oct2point(ecg, point, data, U2FS_PUBLIC_KEY_LEN, NULL) == 0) {
if (debug) {
unsigned long err = 0;
err = ERR_get_error();
fprintf(stderr, "Error: %s, %s, %s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err), ERR_reason_error_string(err));
}
*key = NULL;
EC_GROUP_free(ecg);
ecg = NULL;
EC_POINT_free(point);
point = NULL;
return U2FS_CRYPTO_ERROR;
}
EC_GROUP_free(ecg);
ecg = NULL;
if (EC_KEY_set_public_key((EC_KEY *) * key, point) == 0) {
if (debug) {
unsigned long err = 0;
err = ERR_get_error();
fprintf(stderr, "Error: %s, %s, %s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err), ERR_reason_error_string(err));
}
*key = NULL;
EC_POINT_free(point);
point = NULL;
return U2FS_CRYPTO_ERROR;
}
EC_POINT_free(point);
point = NULL;
return U2FS_OK;
}
int openssl_error(neo4j_logger_t *logger, uint_fast8_t level,
const char *file, unsigned int line)
{
unsigned long code = ERR_get_error();
if (code == 0)
{
neo4j_log_error(logger, "OpenSSL error not available (%s:%d)",
file, line);
return NEO4J_UNEXPECTED_ERROR;
}
if (ERR_get_error() != 0)
{
neo4j_log_error(logger, "OpenSSL error stack too deep (%s:%d)",
file, line);
return NEO4J_UNEXPECTED_ERROR;
}
char ebuf[256];
ERR_error_string_n(code, ebuf, sizeof(ebuf));
neo4j_log(logger, level, "OpenSSL error: %lu:%s:%s:%s", code,
ERR_lib_error_string(code),
ERR_func_error_string(code),
ERR_reason_error_string(code));
return NEO4J_UNEXPECTED_ERROR;
}
u2fs_rc verify_ECDSA(const unsigned char *dgst, int dgst_len,
const u2fs_ECDSA_t * sig, u2fs_EC_KEY_t * eckey)
{
if (dgst == NULL || dgst_len == 0 || sig == NULL || eckey == NULL)
return U2FS_MEMORY_ERROR;
int rc =
ECDSA_do_verify(dgst, dgst_len, (ECDSA_SIG *) sig, (EC_KEY *) eckey);
if (rc != 1) {
if (rc == -1) {
if (debug) {
unsigned long err = 0;
err = ERR_get_error();
fprintf(stderr, "Error: %s, %s, %s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err), ERR_reason_error_string(err));
}
return U2FS_CRYPTO_ERROR;
} else {
return U2FS_SIGNATURE_ERROR;
}
}
return U2FS_OK;
}
void _mine_set_ssl_error(MINE *self) {
self->err = 0;
self->errstr = ERR_lib_error_string( ERR_get_error() );
if (self->errstr == NULL) {
self->errstr = "All ok";
}
}
u2fs_rc decode_ECDSA(const unsigned char *data, size_t len,
u2fs_ECDSA_t ** sig)
{
const unsigned char *p;
if (data == NULL || len == 0 || sig == NULL)
return U2FS_MEMORY_ERROR;
p = data;
*sig = (u2fs_ECDSA_t *) d2i_ECDSA_SIG(NULL, &p, len);
if (*sig == NULL) {
if (debug) {
unsigned long err = 0;
err = ERR_get_error();
fprintf(stderr, "Error: %s, %s, %s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err), ERR_reason_error_string(err));
}
return U2FS_CRYPTO_ERROR;
}
return U2FS_OK;
}
/**
* Fetch OpenSSL error code and generate a string interpretation of it.
*
* @param[out] buf buffer to put string into
* @param[in] buflen size of buffer
*
* @returns buf
**/
gchar *
z_ssl_get_error_str(gchar *buf, int buflen)
{
const char *ls, *fs, *rs;
unsigned long e, l, f, r;
unsigned long new_error = 0;
gint count = -1;
do {
e = new_error;
new_error= ERR_get_error();
++count;
} while (new_error);
l = ERR_GET_LIB(e);
f = ERR_GET_FUNC(e);
r = ERR_GET_REASON(e);
ls = ERR_lib_error_string(e);
fs = ERR_func_error_string(e);
rs = ERR_reason_error_string(e);
if (count)
g_snprintf(buf, buflen, "error:%08lX:%s:lib(%lu):%s:func(%lu):%s:reason(%lu), supressed %d messages", e, ls ? ls : "(null)", l, fs ? fs : "(null)", f, rs ? rs : "(null)", r, count);
else
g_snprintf(buf, buflen, "error:%08lX:%s:lib(%lu):%s:func(%lu):%s:reason(%lu)", e, ls ? ls : "(null)", l, fs ? fs : "(null)", f, rs ? rs : "(null)", r);
return buf;
}
u2fs_rc decode_X509(const unsigned char *data, size_t len,
u2fs_X509_t ** cert)
{
const unsigned char *p;
if (data == NULL || len == 0 || cert == NULL)
return U2FS_MEMORY_ERROR;
p = data;
//Always set 1st param to NULL as per http://www.tedunangst.com/flak/post/analysis-of-d2i-X509-reuse
*cert = (u2fs_X509_t *) d2i_X509(NULL, &p, len);
if (*cert == NULL) {
if (debug) {
unsigned long err = 0;
err = ERR_get_error();
fprintf(stderr, "Error: %s, %s, %s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err), ERR_reason_error_string(err));
}
return U2FS_CRYPTO_ERROR;
}
return U2FS_OK;
}
/* LCOV_EXCL_START */
static PyObject *
_setException(PyObject *exc)
{
unsigned long errcode;
const char *lib, *func, *reason;
errcode = ERR_peek_last_error();
if (!errcode) {
PyErr_SetString(exc, "unknown reasons");
return NULL;
}
ERR_clear_error();
lib = ERR_lib_error_string(errcode);
func = ERR_func_error_string(errcode);
reason = ERR_reason_error_string(errcode);
if (lib && func) {
PyErr_Format(exc, "[%s: %s] %s", lib, func, reason);
}
else if (lib) {
PyErr_Format(exc, "[%s] %s", lib, reason);
}
else {
PyErr_SetString(exc, reason);
}
return NULL;
}
SSLGeneric::SSLGeneric(){
#ifdef USE_EMBEDDED_CLASSNAMES
setClassName((char *)__xvr2_Net_SSLGeneric);
#endif
//description = (char *)_desc_SSLGeneric;
description = (char *)ERR_lib_error_string(ERR_get_error());
}
SSLContextCreation::SSLContextCreation(){
#ifdef USE_EMBEDDED_CLASSNAMES
setClassName((char *)__xvr2_Net_SSLContextCreation);
#endif
//description = _desc_SSLContextCreation;
description = (char *)ERR_lib_error_string(ERR_get_error());
}
static LUA_FUNCTION(openssl_error_string)
{
unsigned long val;
int clear, ret = 0;
if (lua_isnumber(L, 1))
{
val = (unsigned long)lua_tonumber(L, 1);
clear = lua_toboolean(L, 2);
} else
{
val = ERR_get_error();
clear = lua_toboolean(L, 1);
}
if (val)
{
lua_pushinteger(L, val);
lua_pushstring (L, ERR_reason_error_string(val));
lua_pushstring (L, ERR_lib_error_string (val));
lua_pushstring (L, ERR_func_error_string (val));
#ifdef ERR_FATAL_ERROR
lua_pushboolean(L, ERR_FATAL_ERROR (val));
ret = 5;
#else
ret = 4;
#endif
}
if (clear)
ERR_clear_error();
return ret;
}
u2fs_rc extract_EC_KEY_from_X509(const u2fs_X509_t * cert,
u2fs_EC_KEY_t ** key)
{
if (cert == NULL || key == NULL)
return U2FS_MEMORY_ERROR;
EVP_PKEY *pkey = X509_get_pubkey((X509 *) cert);
if (pkey == NULL) {
if (debug) {
unsigned long err = 0;
err = ERR_get_error();
fprintf(stderr, "Error: %s, %s, %s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err), ERR_reason_error_string(err));
}
return U2FS_CRYPTO_ERROR;
}
*key = (u2fs_EC_KEY_t *) EVP_PKEY_get1_EC_KEY(pkey);
EVP_PKEY_free(pkey);
pkey = NULL;
if (*key == NULL) {
if (debug) {
unsigned long err = 0;
err = ERR_get_error();
fprintf(stderr, "Error: %s, %s, %s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err), ERR_reason_error_string(err));
}
return U2FS_CRYPTO_ERROR;
}
EC_GROUP *ecg = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
EC_KEY_set_asn1_flag((EC_KEY *) * key, OPENSSL_EC_NAMED_CURVE);
EC_KEY_set_group((EC_KEY *) * key, ecg);
EC_GROUP_free(ecg);
ecg = NULL;
return U2FS_OK;
}
static void
ssl_print_error_queue(const char *msg)
{
unsigned long sslcode = ERR_get_error();
do {
yell("--- %s: SSL error: %s:%s:%s",
msg,
ERR_lib_error_string(sslcode),
ERR_func_error_string(sslcode),
ERR_reason_error_string(sslcode));
Debug(DB_SSL, "%s: SSL error: %s:%s:%s",
msg,
ERR_lib_error_string(sslcode),
ERR_func_error_string(sslcode),
ERR_reason_error_string(sslcode));
} while ((sslcode = ERR_get_error()));
}
static void
print_err(int val)
{
int err;
while ((err = ERR_get_error())) {
const char *msg = (const char*)ERR_reason_error_string(err);
const char *lib = (const char*)ERR_lib_error_string(err);
const char *func = (const char*)ERR_func_error_string(err);
}
}
static DskIOResult
dsk_ssl_sink_write (DskOctetSink *sink,
unsigned max_len,
const void *data_out,
unsigned *n_written_out,
DskError **error)
{
DskSslStream *stream = DSK_SSL_STREAM (sink->stream);
if (stream->handshaking)
return DSK_IO_RESULT_AGAIN;
int rv = SSL_write (stream->ssl, data_out, max_len);
if (rv > 0)
{
*n_written_out = rv;
return DSK_IO_RESULT_SUCCESS;
}
if (rv == 0)
{
//dsk_set_error (error, "connection closed");
return DSK_IO_RESULT_EOF;
}
stream->read_needed_to_write = 0;
switch (rv)
{
switch (SSL_get_error (stream->ssl, rv))
{
case SSL_ERROR_WANT_READ:
stream->read_needed_to_write = 1;
dsk_ssl_stream_update_traps (stream);
return DSK_IO_RESULT_AGAIN;
case SSL_ERROR_WANT_WRITE:
dsk_ssl_stream_update_traps (stream);
return DSK_IO_RESULT_AGAIN;
case SSL_ERROR_SYSCALL:
dsk_set_error (error, "Gsk-BIO interface had problems writing");
break;
case SSL_ERROR_NONE:
dsk_set_error (error, "error writing to ssl stream, but error code set to none");
break;
default:
{
unsigned long l;
l = ERR_peek_error();
dsk_set_error (error,
"error writing to ssl stream [in the '%s' library]: %s: %s [is-client=%d]",
ERR_lib_error_string(l),
ERR_func_error_string(l),
ERR_reason_error_string(l),
stream->is_client);
break;
}
}
}
return DSK_IO_RESULT_ERROR;
}
static gssize
log_transport_tls_read_method(LogTransport *s, gpointer buf, gsize buflen, LogTransportAuxData *aux)
{
LogTransportTLS *self = (LogTransportTLS *) s;
gint ssl_error;
gint rc;
/* assume that we need to poll our input for reading unless
* SSL_ERROR_WANT_WRITE is specified by libssl */
self->super.cond = G_IO_IN;
do
{
rc = SSL_read(self->tls_session->ssl, buf, buflen);
if (rc < 0)
{
ssl_error = SSL_get_error(self->tls_session->ssl, rc);
switch (ssl_error)
{
case SSL_ERROR_WANT_READ:
errno = EAGAIN;
break;
case SSL_ERROR_WANT_WRITE:
/* although we are writing this fd, libssl wants to write. This
* happens during renegotiation for example */
self->super.cond = G_IO_OUT;
errno = EAGAIN;
break;
case SSL_ERROR_SYSCALL:
/* errno is set accordingly */
break;
default:
goto tls_error;
}
}
}
while (rc == -1 && errno == EINTR);
return rc;
tls_error:
ssl_error = ERR_get_error();
msg_error("SSL error while reading stream",
evt_tag_printf("tls_error", "%s:%s:%s", ERR_lib_error_string(ssl_error), ERR_func_error_string(ssl_error), ERR_reason_error_string(ssl_error)),
NULL);
ERR_clear_error();
errno = ECONNRESET;
return -1;
}
void ERR_error_string_n(unsigned long e, char *buf, size_t len)
{
char lsbuf[64], fsbuf[64], rsbuf[64];
const char *ls, *fs, *rs;
unsigned long l, f, r;
if (len == 0)
return;
l = ERR_GET_LIB(e);
f = ERR_GET_FUNC(e);
r = ERR_GET_REASON(e);
ls = ERR_lib_error_string(e);
fs = ERR_func_error_string(e);
rs = ERR_reason_error_string(e);
if (ls == NULL)
BIO_snprintf(lsbuf, sizeof(lsbuf), "lib(%lu)", l);
if (fs == NULL)
BIO_snprintf(fsbuf, sizeof(fsbuf), "func(%lu)", f);
if (rs == NULL)
BIO_snprintf(rsbuf, sizeof(rsbuf), "reason(%lu)", r);
BIO_snprintf(buf, len, "error:%08lX:%s:%s:%s", e, ls ? ls : lsbuf,
fs ? fs : fsbuf, rs ? rs : rsbuf);
if (strlen(buf) == len - 1) {
/*
* output may be truncated; make sure we always have 5
* colon-separated fields, i.e. 4 colons ...
*/
#define NUM_COLONS 4
if (len > NUM_COLONS) { /* ... if possible */
int i;
char *s = buf;
for (i = 0; i < NUM_COLONS; i++) {
char *colon = strchr(s, ':');
if (colon == NULL || colon > &buf[len - 1] - NUM_COLONS + i) {
/*
* set colon no. i at last possible position (buf[len-1]
* is the terminating 0)
*/
colon = &buf[len - 1] - NUM_COLONS + i;
*colon = ':';
}
s = colon + 1;
}
}
}
}
static void
print_err(int val)
{
int err;
printf("Error was %d\n", val);
while ((err = ERR_get_error())) {
const char *msg = (const char*)ERR_reason_error_string(err);
const char *lib = (const char*)ERR_lib_error_string(err);
const char *func = (const char*)ERR_func_error_string(err);
printf("%s in %s %s\n", msg, lib, func);
}
}
static void
event_error_handler(struct bufferevent *bev, short what, void *ctx)
{
struct bufferevent *partner = NULL;
ssh_session_t *session = ctx;
if(session == NULL || session->owner_ptr == NULL) {
trace_err("ERROR: .....................");
} else {
partner= session->owner_ptr;
}
if (what & (BEV_EVENT_EOF|BEV_EVENT_ERROR)) {
if (what & BEV_EVENT_ERROR) {
unsigned long err;
while ((err = (bufferevent_get_openssl_error(bev)))) {
const char *msg = (const char*)ERR_reason_error_string(err);
const char *lib = (const char*)ERR_lib_error_string(err);
const char *func = (const char*)ERR_func_error_string(err);
fprintf(stderr, "%s in %s %s\n", msg, lib, func);
}
if (errno) {
trace_err("connection error");
}
}
if (partner) {
/* Flush all pending data */
data_read_handler(bev, ctx);
if (evbuffer_get_length(bufferevent_get_output(partner))) {
/* We still have to flush data from the other
* side, but when that's done, close the other
* side.
*/
bufferevent_setcb(partner,
NULL, close_on_finished_writecb,
event_error_handler, NULL);
bufferevent_disable(partner, EV_READ);
} else {
/* We have nothing left to say to the other
* side; close it.
*/
bufferevent_free(partner);
ssh_log(session, "\"%s:closed\"", SESSION_TYPE(session));
}
}
bufferevent_free(bev);
}
}
bool
parcSelfSignedCertificate_CreateRSACertificate(const char *subjectname, unsigned keylength, unsigned validityDays, X509 *cert, RSA *rsa, EVP_PKEY *private_key)
{
int res;
bool return_value = false;
BIGNUM *pub_exp;
pub_exp = BN_new();
BN_set_word(pub_exp, RSA_F4);
res = 1;
if (RSA_generate_key_ex(rsa, keylength, pub_exp, NULL)) {
if (EVP_PKEY_set1_RSA(private_key, rsa)) {
if (X509_set_version(cert, 2)) { // 2 => X509v3
return_value = true;
}
}
}
if (return_value) {
// add serial number
if (_addRandomSerial(cert) == true) {
if (_addValidityPeriod(cert, validityDays) == true) {
if (X509_set_pubkey(cert, private_key) == 1) {
if (_addSubjectName(cert, subjectname) == true) {
if (_addExtensions(cert) == true) {
if (_addKeyIdentifier(cert) == true) {
// The certificate is complete, sign it.
if (X509_sign(cert, private_key, EVP_sha256())) {
return_value = true;
} else {
printf("error: (%d) %s\n", res, ERR_lib_error_string(res));
}
}
}
}
}
}
}
}
ERR_print_errors_fp(stdout);
BN_free(pub_exp);
return return_value;
}
static void
eventcb(struct bufferevent *bev, short what, void *ctx)
{
struct bufferevent *partner = ctx;
if (what & (BEV_EVENT_EOF|BEV_EVENT_ERROR)) {
if (what & BEV_EVENT_ERROR) {
unsigned long err;
while ((err = (bufferevent_get_openssl_error(bev)))) {
const char *msg = (const char*)
ERR_reason_error_string(err);
const char *lib = (const char*)
ERR_lib_error_string(err);
const char *func = (const char*)
ERR_func_error_string(err);
fprintf(stderr,
"%s in %s %s\n", msg, lib, func);
}
if (errno)
perror("connection error");
}
if (partner) {
/* Flush all pending data */
readcb(bev, ctx);
if (evbuffer_get_length(
bufferevent_get_output(partner))) {
/* We still have to flush data from the other
* side, but when that's done, close the other
* side. */
bufferevent_setcb(partner,
NULL, close_on_finished_writecb,
eventcb, NULL);
bufferevent_disable(partner, EV_READ);
} else {
/* We have nothing left to say to the other
* side; close it. */
bufferevent_free(partner);
}
}
bufferevent_free(bev);
}
}
/* XXXX copied from crypto.c */
static void
crypto_log_errors(int severity, const char *doing)
{
unsigned long err;
const char *msg, *lib, *func;
while ((err = ERR_get_error()) != 0) {
msg = (const char*)ERR_reason_error_string(err);
lib = (const char*)ERR_lib_error_string(err);
func = (const char*)ERR_func_error_string(err);
if (!msg) msg = "(null)";
if (!lib) lib = "(null)";
if (!func) func = "(null)";
if (doing) {
log(severity, LD_CRYPTO, "crypto error while %s: %s (in %s:%s)",
doing, msg, lib, func);
} else {
log(severity, LD_CRYPTO, "crypto error: %s (in %s:%s)", msg, lib, func);
}
}
}
/* Load certificate and private key */
static void tls_certkey(SSL *_tls)
{
int ret, ret2;
if(!_tls)
{
TLSERROR("Certificate cannot be loaded.");
return;
}
if((!_key) || (!_cert) || (!_callback))
{
printf("WARNING: certificates are disabled!\n");
return;
}
SSL_CTX_set_default_passwd_cb(_tlsctx, _callback);
/*ret = SSL_CTX_load_verify_locations(_tlsctx, "/usr/lib/ssl/cacert.pem", NULL);
if(ret != 1)
{
TLSERROR("Couldn't load root CA file!");
ret2 = ERR_get_error();
printf("EXT: %s\n%s\n%s\n%s\n%s\n", tls_exterror(_tls, ret), ERR_error_string(ret2, NULL),
ERR_lib_error_string(ret2), ERR_func_error_string(ret2), ERR_reason_error_string(ret2));
}*/
ret = SSL_use_RSAPrivateKey_file(_tls, _key, SSL_FILETYPE_PEM);
if(ret != 1)
{
TLSERROR("Error loading TLS PEM private key.");
ret2 = ERR_get_error();
printf("EXT: %s\n%s\n%s\n%s\n%s\n", tls_exterror(_tls, ret), ERR_error_string(ret2, NULL),
ERR_lib_error_string(ret2), ERR_func_error_string(ret2), ERR_reason_error_string(ret2));
}
ret = SSL_use_certificate_file(_tls, _cert, SSL_FILETYPE_PEM);
if(ret != 1) TLSERROR("Error loading TLS PEM certificate.");
ret = SSL_check_private_key(_tls);
if(!ret) TLSERROR("Private key doesn't match certificate public key.");
printf("*** certificate loaded ***\n");
}
/* BAD for multi-threaded, uses a local buffer if ret == NULL */
char *ERR_error_string(unsigned long e, char *ret)
{
#ifdef NO_ERR
if(ret != NULL) {
strcpy(ret, "No Error String Info.");
}
return "No Error String info.";
#else
static char buf[256];
const char *ls,*fs,*rs;
unsigned long l,f,r;
int i;
l=ERR_GET_LIB(e);
f=ERR_GET_FUNC(e);
r=ERR_GET_REASON(e);
ls=ERR_lib_error_string(e);
fs=ERR_func_error_string(e);
rs=ERR_reason_error_string(e);
if (ret == NULL) ret=buf;
sprintf(&(ret[0]),"error:%08lX:",e);
i=strlen(ret);
if (ls == NULL)
sprintf(&(ret[i]),":lib(%lu) ",l);
else sprintf(&(ret[i]),"%s",ls);
i=strlen(ret);
if (fs == NULL)
sprintf(&(ret[i]),":func(%lu) ",f);
else sprintf(&(ret[i]),":%s",fs);
i=strlen(ret);
if (rs == NULL)
sprintf(&(ret[i]),":reason(%lu)",r);
else sprintf(&(ret[i]),":%s",rs);
return(ret);
#endif
}
/** Log TLS error(s).
*
* Log the TLS error specified by the error code @a e and all the errors in
* the queue. The error code @a e implies no error, and it is not logged.
*/
static
void tls_log_errors(unsigned level, char const *s, unsigned long e)
{
if (e == 0)
e = ERR_get_error();
if (!tport_log->log_init)
su_log_init(tport_log);
if (s == NULL) s = "tls";
for (; e != 0; e = ERR_get_error()) {
if (level <= tport_log->log_level) {
const char *error = ERR_lib_error_string(e);
const char *func = ERR_func_error_string(e);
const char *reason = ERR_reason_error_string(e);
su_llog(tport_log, level, "%s: %08lx:%s:%s:%s\n",
s, e, error, func, reason);
}
}
}
/** Log all pending tls errors at level <b>severity</b>. Use
* <b>doing</b> to describe our current activities.
*/
static void
tls_log_errors(tor_tls_t *tls, int severity, const char *doing)
{
unsigned long err;
const char *msg, *lib, *func, *addr;
addr = tls ? tls->address : NULL;
while ((err = ERR_get_error()) != 0) {
msg = (const char*)ERR_reason_error_string(err);
lib = (const char*)ERR_lib_error_string(err);
func = (const char*)ERR_func_error_string(err);
if (!msg) msg = "(null)";
if (doing) {
log(severity, LD_NET, "TLS error while %s%s%s: %s (in %s:%s)",
doing, addr?" with ":"", addr?addr:"",
msg, lib, func);
} else {
log(severity, LD_NET, "TLS error%s%s: %s (in %s:%s)",
addr?" with ":"", addr?addr:"",
msg, lib, func);
}
}
}
UtlBoolean OsEncryption::openSslError(void)
{
#if defined(OSENCRYPTION)
unsigned long err = ERR_get_error();
if (err != 0)
{
ERR_load_crypto_strings();
ERR_load_ERR_strings();
char errbuff[256];
errbuff[0] = 0;
ERR_error_string_n(err, errbuff, sizeof(errbuff));
osPrintf("OpenSLL ERROR:\n\tlib:%s\n\tfunction:%s\n\treason:%s\n",
ERR_lib_error_string(err),
ERR_func_error_string(err),
ERR_reason_error_string(err));
ERR_free_strings();
return TRUE;
}
#endif
return FALSE;
}
void ERR_error_string_n(unsigned long e, char *buf, size_t len)
{
char lsbuf[64], fsbuf[64], rsbuf[64];
const char *ls, *fs, *rs;
unsigned long l, f, r;
if (len == 0)
return;
l = ERR_GET_LIB(e);
ls = ERR_lib_error_string(e);
if (ls == NULL) {
BIO_snprintf(lsbuf, sizeof(lsbuf), "lib(%lu)", l);
ls = lsbuf;
}
fs = ERR_func_error_string(e);
f = ERR_GET_FUNC(e);
if (fs == NULL) {
BIO_snprintf(fsbuf, sizeof(fsbuf), "func(%lu)", f);
fs = fsbuf;
}
rs = ERR_reason_error_string(e);
r = ERR_GET_REASON(e);
if (rs == NULL) {
BIO_snprintf(rsbuf, sizeof(rsbuf), "reason(%lu)", r);
rs = rsbuf;
}
BIO_snprintf(buf, len, "error:%08lX:%s:%s:%s", e, ls, fs, rs);
if (strlen(buf) == len - 1) {
/* Didn't fit; use a minimal format. */
BIO_snprintf(buf, len, "err:%lx:%lx:%lx:%lx", e, l, f, r);
}
}
/*============================================================================
* OpcUa_P_OpenSSL_RSA_Private_Decrypt
*===========================================================================*/
OpcUa_StatusCode OpcUa_P_OpenSSL_RSA_Private_Decrypt(
OpcUa_CryptoProvider* a_pProvider,
OpcUa_Byte* a_pCipherText,
OpcUa_UInt32 a_cipherTextLen,
OpcUa_Key* a_privateKey,
OpcUa_Int16 a_padding,
OpcUa_Byte* a_pPlainText,
OpcUa_UInt32* a_pPlainTextLen)
{
EVP_PKEY* pPrivateKey = OpcUa_Null;
OpcUa_UInt32 keySize = 0;
OpcUa_Int32 decryptedBytes = 0;
OpcUa_UInt32 iCipherText = 0;
/* OpcUa_UInt32 iPlainTextLen = 0; */
OpcUa_UInt32 decDataSize = 0;
const char* sError = OpcUa_Null;
const unsigned char *pData;
OpcUa_InitializeStatus(OpcUa_Module_P_OpenSSL, "RSA_Private_Decrypt");
OpcUa_ReferenceParameter(a_pProvider);
OpcUa_ReturnErrorIfArgumentNull(a_pCipherText);
OpcUa_ReturnErrorIfArgumentNull(a_privateKey);
OpcUa_ReturnErrorIfArgumentNull(a_privateKey->Key.Data);
OpcUa_ReturnErrorIfArgumentNull(a_pPlainTextLen);
*a_pPlainTextLen = 0;
if(a_privateKey->Type != OpcUa_Crypto_KeyType_Rsa_Private)
{
OpcUa_GotoErrorWithStatus(OpcUa_BadInvalidArgument);
}
pData = a_privateKey->Key.Data;
pPrivateKey = d2i_PrivateKey(EVP_PKEY_RSA,OpcUa_Null, &pData, a_privateKey->Key.Length);
if (pPrivateKey == OpcUa_Null)
{
long lErr = ERR_get_error();
char *szErr = ERR_error_string(lErr, 0);
OpcUa_ReferenceParameter(szErr);
return OpcUa_BadInvalidArgument;
}
keySize = RSA_size(pPrivateKey->pkey.rsa);
if((a_cipherTextLen%keySize) != 0)
{
uStatus = OpcUa_BadInvalidArgument;
OpcUa_GotoError;
}
/* check padding type */
switch(a_padding)
{
case RSA_PKCS1_PADDING:
{
decDataSize = keySize - 11;
break;
}
case RSA_PKCS1_OAEP_PADDING:
{
decDataSize = keySize - 42;
break;
}
case RSA_NO_PADDING:
{
decDataSize = keySize;
break;
}
default:
{
OpcUa_GotoErrorWithStatus(OpcUa_BadNotSupported);
}
}
while(iCipherText < a_cipherTextLen)
{
if(a_pPlainText != OpcUa_Null)
{
decryptedBytes = RSA_private_decrypt( keySize, /* how much to decrypt */
a_pCipherText + iCipherText, /* what to decrypt */
a_pPlainText + (*a_pPlainTextLen), /* where to decrypt */
pPrivateKey->pkey.rsa, /* private key */
a_padding); /* padding mode */
/* goto error block, if decryption fails */
if(decryptedBytes == -1)
{
/* const char* serror = NULL; */
unsigned long error = ERR_get_error();
ERR_load_crypto_strings();
sError = ERR_reason_error_string(error);
sError = ERR_func_error_string(error);
sError = ERR_lib_error_string(error);
uStatus = OpcUa_Bad;
OpcUa_GotoError;
}
}
else
{
decryptedBytes = decDataSize;
}
*a_pPlainTextLen = *a_pPlainTextLen + decryptedBytes;
iCipherText = iCipherText + keySize;
}
EVP_PKEY_free(pPrivateKey);
OpcUa_ReturnStatusCode;
OpcUa_BeginErrorHandling;
if(pPrivateKey != OpcUa_Null)
{
EVP_PKEY_free(pPrivateKey);
}
*a_pPlainTextLen = (OpcUa_UInt32)-1;
OpcUa_FinishErrorHandling;
}
