/* デフォルトの証明書は 自分:/usr/local/ct/cert/tn.pem 認証局:/usr/local/ct/cert/root.pem */
int kTLSInitialize(int sessionMode,int initialmode,int timeout,char *passwd,char *rootPEM,char *myPEM,
char *dhPEM,int version,int nagle,int clientveri,int tmprsa,char *enc)
{
BIO *bio;
SSL_METHOD *meth;
RSA *rsa;
DH *dh=0;
struct stat tmp;
/* Nagleアルゴリズムの無効化フラグの保存 */
NagleFlag=nagle;
if(TLSctx){
/* 強制初期化モードがある場合 */
if(initialmode){
TLSClose(NULL,0);
kLogWrite(L_TLS, "%s: TLS ReInitialize", __FUNCTION__);
}
else
return RETURN_OK;
}
/* パラメータの取得 */
timeout = timeout<=0 ? SESSION_TIMEOUT : timeout;
TLSSessionMode = sessionMode;
kLogWrite(L_TLS,"%s: Session cache mode : %s Session timeout : %d(s)",__FUNCTION__,sessionMode?"Enable":"Disable",timeout);
rootPEM = (rootPEM && rootPEM[0]) ? rootPEM : ROOT_PEM;
myPEM = (myPEM && myPEM[0]) ? myPEM : MY_PEM;
dhPEM = (dhPEM && dhPEM[0]) ? dhPEM : DHFILE1024;
strcpy(TLSPasswd,(passwd && passwd[0]) ? passwd : PASSWORD);
if(lstat(rootPEM,&tmp)<0){
kLogWrite(L_ERROR, "%s: TLS Initialize file[%s] not exist", __FUNCTION__,rootPEM);
return(RETURN_NG);
}
if(lstat(myPEM,&tmp)<0){
kLogWrite(L_ERROR, "%s: TLS Initialize file[%s] not exist", __FUNCTION__,myPEM);
return(RETURN_NG);
}
if(lstat(dhPEM,&tmp)<0){
kLogWrite(L_ERROR, "%s: TLS Initialize file[%s] not exist", __FUNCTION__,dhPEM);
return(RETURN_NG);
}
/* SSLライブラリの初期化 */
if(!SSL_library_init()){
kLogWrite(L_ERROR, "%s: OpenSSL initialization failed!",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_library_init OK",__FUNCTION__);
/* エラーメッセージの視覚化 */
SSL_load_error_strings();
RAND_load_file("/dev/urandom", 1024);
kLogWrite(L_TLS,"%s: RAND_load_file OK",__FUNCTION__);
/* SSL_METHODオブジェクトの取得 */
if(version == 2)
meth=SSLv2_method();
else if(version == 3)
meth=SSLv3_method();
else if(version == 1)
meth=TLSv1_method();
else if(version == 23)
meth=SSLv23_method();
else
meth=TLSv1_method();
kLogWrite(L_TLS,"%s: SSL verion [%d] 2:SSLv2 23:SSLv23 3:SSLv3 1:TLSv1",__FUNCTION__,version);
/* SSL_CTXオブジェクトの取得 */
TLSctx=SSL_CTX_new(meth);
kLogWrite(L_TLS,"%s: SSL_CTX_new OK",__FUNCTION__);
/* SSL_CTXオブジェクトに証明書と秘密鍵を同時にロードする */
if(!(SSL_CTX_use_certificate_file(TLSctx,myPEM,SSL_FILETYPE_PEM))){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't read certificate file",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_use_certificate_file[%s] OK",__FUNCTION__,myPEM);
/* パスフレーズのコールバック関数を登録する */
SSL_CTX_set_default_passwd_cb(TLSctx,password_cb);
if(!(SSL_CTX_use_PrivateKey_file(TLSctx,myPEM,SSL_FILETYPE_PEM))){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't read key file",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_use_PrivateKey_file[%s] OK",__FUNCTION__,myPEM);
/* SSL_CTXオブジェクトに信頼できるCA証明書をロードする */
if(!(SSL_CTX_load_verify_locations(TLSctx,rootPEM,0))){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't read CA list",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_load_verify_locations[%s] OK",__FUNCTION__,rootPEM);
/* 認証コールバック関数の登録 */
/* Server Key Exchange オプションを付与する (クライアント認証を行う) */
kLogWrite(L_TLS,"%s: Server Key Exchange option : %s",__FUNCTION__,clientveri?"Enable":"Disable");
SSL_CTX_set_verify(TLSctx, clientveri?SSL_VERIFY_PEER:SSL_VERIFY_NONE,VerifyCallback);
kLogWrite(L_TLS,"%s: SSL_CTX_set_verify[%s] OK",__FUNCTION__,clientveri?"PEER":"NONE");
/* 信頼できる証明書に到達するまでのチェーンの回数を指定する */
/* SSL_CTX_set_verify_depth(TLSctx,1); */
/* SSLv2を選択不可にする */
if(version != 2 && version != 23){
SSL_CTX_set_options(TLSctx,SSL_OP_NO_SSLv2);
kLogWrite(L_TLS,"%s: SSL_CTX_set_options NO_SSLv2",__FUNCTION__);
}
/* Certificate Request オプションを付与する (一時的RSAを使う ) */
kLogWrite(L_TLS,"%s: Certificate Request option : %s",__FUNCTION__,tmprsa?"Enable":"Disable");
if(tmprsa){
/* BIOオブジェクトを使ってファイルをオープンする */
if ((bio=BIO_new_file(dhPEM,"r")) == NULL){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't open DH file",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: BIO_new_file[%s] OK",__FUNCTION__,dhPEM);
/* DHパラメータを読み込む */
dh=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
kLogWrite(L_TLS,"%s: PEM_read_bio_DHparams[%s] OK",__FUNCTION__,dhPEM);
/* ファイルをクローズする */
BIO_free(bio);
/* DHパラメータをCTXオブジェクトにロードする */
if(SSL_CTX_set_tmp_dh(TLSctx,dh)<0){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't set DH parameters",__FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_set_tmp_dh OK",__FUNCTION__);
}
/* 暗号スイートの選択 */
if(enc && enc[0]){
kLogWrite(L_TLS,"%s: Encrypt suit specified",__FUNCTION__);
if(SSL_CTX_set_cipher_list(TLSctx,enc))
kLogWrite(L_TLS,"%s: SSL_CTX_set_cipher_list[%s] OK",__FUNCTION__,enc);
else
kLogWrite(L_TLS,"%s: SSL_CTX_set_cipher_list[%s] invalid",__FUNCTION__,enc);
}
/* RSA鍵のペアを生成する */
rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
kLogWrite(L_TLS,"%s: RSA_generate_key OK",__FUNCTION__);
/* RSA鍵をCTXオブジェクトにロードする */
if (!SSL_CTX_set_tmp_rsa(TLSctx,rsa)){
TLSClose(NULL,0);
kLogWrite(L_ERROR, "%s: Couldn't set RSA key", __FUNCTION__);
return(RETURN_NG);
}
kLogWrite(L_TLS,"%s: SSL_CTX_set_tmp_rsa OK",__FUNCTION__);
RSA_free(rsa);
/* セッションキャッシュを有効モードに設定する */
SSL_CTX_set_session_id_context(TLSctx,(void*)&TLSServerSessionIdContext, sizeof(TLSServerSessionIdContext));
kLogWrite(L_TLS,"%s: SSL_CTX_set_session_id_context OK", __FUNCTION__);
/* セッション削除時のコールバック設定 */
SSL_CTX_sess_set_remove_cb(TLSctx,remove_session_cb);
SSL_CTX_set_timeout(TLSctx,timeout);
kLogWrite(L_TLS,"%s: Nagle algorithm : %s",__FUNCTION__,NagleFlag?"Enable":"Disable");
return(RETURN_OK);
}
int main(int argc, char **argv){
int result=OK;
int x;
char buffer[MAX_INPUT_BUFFER];
char *env_string=NULL;
#ifdef HAVE_SSL
DH *dh;
char seedfile[FILENAME_MAX];
int i,c;
#endif
/* set some environment variables */
asprintf(&env_string,"NRPE_MULTILINESUPPORT=1");
putenv(env_string);
asprintf(&env_string,"NRPE_PROGRAMVERSION=%s",PROGRAM_VERSION);
putenv(env_string);
/* process command-line args */
result=process_arguments(argc,argv);
if(result!=OK || show_help==TRUE || show_license==TRUE || show_version==TRUE){
printf("\n");
printf("NRPE - Nagios Remote Plugin Executor\n");
printf("Copyright (c) 1999-2008 Ethan Galstad ([email protected])\n");
printf("Version: %s\n",PROGRAM_VERSION);
printf("Last Modified: %s\n",MODIFICATION_DATE);
printf("License: GPL v2 with exemptions (-l for more info)\n");
#ifdef HAVE_SSL
printf("SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required\n");
#endif
#ifdef HAVE_LIBWRAP
printf("TCP Wrappers Available\n");
#endif
printf("\n");
#ifdef ENABLE_COMMAND_ARGUMENTS
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **\n");
printf("** Read the NRPE SECURITY file for more information **\n");
printf("***************************************************************\n");
printf("\n");
#endif
#ifndef HAVE_LIBWRAP
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE! **\n");
printf("** Read the NRPE SECURITY file for more information **\n");
printf("***************************************************************\n");
printf("\n");
#endif
}
if(show_license==TRUE)
display_license();
else if(result!=OK || show_help==TRUE){
printf("Usage: nrpe [-n] -c <config_file> <mode>\n");
printf("\n");
printf("Options:\n");
printf(" -n = Do not use SSL\n");
printf(" <config_file> = Name of config file to use\n");
printf(" <mode> = One of the following two operating modes:\n");
printf(" -i = Run as a service under inetd or xinetd\n");
printf(" -d = Run as a standalone daemon\n");
printf("\n");
printf("Notes:\n");
printf("This program is designed to process requests from the check_nrpe\n");
printf("plugin on the host(s) running Nagios. It can run as a service\n");
printf("under inetd or xinetd (read the docs for info on this), or as a\n");
printf("standalone daemon. Once a request is received from an authorized\n");
printf("host, NRPE will execute the command/plugin (as defined in the\n");
printf("config file) and return the plugin output and return code to the\n");
printf("check_nrpe plugin.\n");
printf("\n");
}
if(result!=OK || show_help==TRUE || show_license==TRUE || show_version==TRUE)
exit(STATE_UNKNOWN);
/* open a connection to the syslog facility */
/* facility name may be overridden later */
get_log_facility(NRPE_LOG_FACILITY);
openlog("nrpe",LOG_PID,log_facility);
/* make sure the config file uses an absolute path */
if(config_file[0]!='/'){
/* save the name of the config file */
strncpy(buffer,config_file,sizeof(buffer));
buffer[sizeof(buffer)-1]='\x0';
/* get absolute path of current working directory */
strcpy(config_file,"");
getcwd(config_file,sizeof(config_file));
/* append a forward slash */
strncat(config_file,"/",sizeof(config_file)-2);
config_file[sizeof(config_file)-1]='\x0';
/* append the config file to the path */
strncat(config_file,buffer,sizeof(config_file)-strlen(config_file)-1);
config_file[sizeof(config_file)-1]='\x0';
}
/* read the config file */
result=read_config_file(config_file);
/* exit if there are errors... */
if(result==ERROR){
syslog(LOG_ERR,"Config file '%s' contained errors, aborting...",config_file);
return STATE_CRITICAL;
}
/* generate the CRC 32 table */
generate_crc32_table();
/* initialize macros */
for(x=0;x<MAX_COMMAND_ARGUMENTS;x++)
macro_argv[x]=NULL;
#ifdef HAVE_SSL
/* initialize SSL */
if(use_ssl==TRUE){
SSL_library_init();
SSLeay_add_ssl_algorithms();
meth=SSLv23_server_method();
SSL_load_error_strings();
/* use week random seed if necessary */
if(allow_weak_random_seed && (RAND_status()==0)){
if(RAND_file_name(seedfile,sizeof(seedfile)-1))
if(RAND_load_file(seedfile,-1))
RAND_write_file(seedfile);
if(RAND_status()==0){
syslog(LOG_ERR,"Warning: SSL/TLS uses a weak random seed which is highly discouraged");
srand(time(NULL));
for(i=0;i<500 && RAND_status()==0;i++){
for(c=0;c<sizeof(seedfile);c+=sizeof(int)){
*((int *)(seedfile+c))=rand();
}
RAND_seed(seedfile,sizeof(seedfile));
}
}
}
if((ctx=SSL_CTX_new(meth))==NULL){
syslog(LOG_ERR,"Error: could not create SSL context.\n");
exit(STATE_CRITICAL);
}
/* ADDED 01/19/2004 */
/* use only TLSv1 protocol */
SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/* use anonymous DH ciphers */
SSL_CTX_set_cipher_list(ctx,"ADH");
dh=get_dh512();
SSL_CTX_set_tmp_dh(ctx,dh);
DH_free(dh);
if(debug==TRUE)
syslog(LOG_INFO,"INFO: SSL/TLS initialized. All network traffic will be encrypted.");
}
else{
if(debug==TRUE)
syslog(LOG_INFO,"INFO: SSL/TLS NOT initialized. Network encryption DISABLED.");
}
#endif
/* if we're running under inetd... */
if(use_inetd==TRUE){
/* make sure we're not root */
check_privileges();
/* redirect STDERR to /dev/null */
close(2);
open("/dev/null",O_WRONLY);
/* handle the connection */
handle_connection(0);
}
/* else daemonize and start listening for requests... */
else if(fork()==0){
/* we're a daemon - set up a new process group */
setsid();
/* close standard file descriptors */
close(0);
close(1);
close(2);
/* redirect standard descriptors to /dev/null */
open("/dev/null",O_RDONLY);
open("/dev/null",O_WRONLY);
open("/dev/null",O_WRONLY);
chdir("/");
/*umask(0);*/
/* handle signals */
signal(SIGQUIT,sighandler);
signal(SIGTERM,sighandler);
signal(SIGHUP,sighandler);
/* log info to syslog facility */
syslog(LOG_NOTICE,"Starting up daemon");
/* write pid file */
if(write_pid_file()==ERROR)
return STATE_CRITICAL;
/* drop privileges */
drop_privileges(nrpe_user,nrpe_group);
/* make sure we're not root */
check_privileges();
do{
/* reset flags */
sigrestart=FALSE;
sigshutdown=FALSE;
/* wait for connections */
wait_for_connections();
/* free all memory we allocated */
free_memory();
if(sigrestart==TRUE){
/* read the config file */
result=read_config_file(config_file);
/* exit if there are errors... */
if(result==ERROR){
syslog(LOG_ERR,"Config file '%s' contained errors, bailing out...",config_file);
return STATE_CRITICAL;
}
}
}while(sigrestart==TRUE && sigshutdown==FALSE);
/* remove pid file */
remove_pid_file();
syslog(LOG_NOTICE,"Daemon shutdown\n");
}
#ifdef HAVE_SSL
if(use_ssl==TRUE)
SSL_CTX_free(ctx);
#endif
/* We are now running in daemon mode, or the connection handed over by inetd has
been completed, so the parent process exits */
return STATE_OK;
}
HTTPScode
https_init(const char *ikey, const char *skey,
const char *useragent, const char *cafile)
{
X509_STORE *store;
X509 *cert;
BIO *bio;
char *p;
if ((ctx = calloc(1, sizeof(*ctx))) == NULL ||
(ctx->ikey = strdup(ikey)) == NULL ||
(ctx->skey = strdup(skey)) == NULL ||
(ctx->useragent = strdup(useragent)) == NULL) {
ctx->errstr = strerror(errno);
return (HTTPS_ERR_SYSTEM);
}
/* Initialize SSL context */
#ifdef HAVE_X509_TEA_SET_STATE
/* If applicable, disable use of Apple's Trust Evaluation Agent for certificate
* validation, to enforce proper CA pinning:
* http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.h
*/
X509_TEA_set_state(0);
#endif
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
/* XXX - ape openssl s_client -rand for testing on ancient systems */
if (!RAND_status()) {
if ((p = getenv("RANDFILE")) != NULL) {
RAND_load_file(p, 8192);
} else {
ctx->errstr = "No /dev/random, EGD, or $RANDFILE";
return (HTTPS_ERR_LIB);
}
}
if ((ctx->ssl_ctx = SSL_CTX_new(TLSv1_client_method())) == NULL) {
ctx->errstr = _SSL_strerror();
return (HTTPS_ERR_LIB);
}
/* Set up our CA cert */
if (cafile == NULL) {
/* Load default CA cert from memory */
if ((bio = BIO_new_mem_buf((void *)CACERT_PEM, -1)) == NULL ||
(store = SSL_CTX_get_cert_store(ctx->ssl_ctx)) == NULL) {
ctx->errstr = _SSL_strerror();
return (HTTPS_ERR_LIB);
}
while ((cert = PEM_read_bio_X509(bio, NULL, 0, NULL)) != NULL) {
X509_STORE_add_cert(store, cert);
X509_free(cert);
}
BIO_free_all(bio);
SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
} else if (cafile[0] == '\0') {
/* Skip verification */
SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_NONE, NULL);
} else {
/* Load CA cert from file */
if (!SSL_CTX_load_verify_locations(ctx->ssl_ctx,
cafile, NULL)) {
SSL_CTX_free(ctx->ssl_ctx);
ctx->errstr = _SSL_strerror();
return (HTTPS_ERR_CLIENT);
}
SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
}
/* Save our proxy config if any */
if ((p = getenv("http_proxy")) != NULL) {
if (strstr(p, "://") != NULL) {
if (strncmp(p, "http://", 7) != 0) {
ctx->errstr = "http_proxy must be HTTP";
return (HTTPS_ERR_CLIENT);
}
p += 7;
}
p = strdup(p);
if ((ctx->proxy = strchr(p, '@')) != NULL) {
*ctx->proxy++ = '\0';
ctx->proxy_auth = p;
} else {
ctx->proxy = p;
}
strtok(ctx->proxy, "/");
if ((ctx->proxy_port = strchr(ctx->proxy, ':')) != NULL) {
*ctx->proxy_port++ = '\0';
} else {
ctx->proxy_port = "80";
}
}
/* Set HTTP parser callbacks */
ctx->parse_settings.on_body = __on_body;
ctx->parse_settings.on_message_complete = __on_message_complete;
signal(SIGPIPE, SIG_IGN);
return (0);
}
int
main(int argc, char **argv)
{
int addrtype = 0;
int privtype = 128;
int regex = 0;
int caseinsensitive = 0;
int opt;
char pwbuf[128];
int platformidx = -1, deviceidx = -1;
int prompt_password = 0;
char *seedfile = NULL;
char **patterns, *pend;
int verbose = 1;
int npatterns = 0;
int nthreads = 0;
int worksize = 0;
int nrows = 0, ncols = 0;
int invsize = 0;
int remove_on_match = 1;
int only_one = 0;
int verify_mode = 0;
int safe_mode = 0;
vg_context_t *vcp = NULL;
vg_ocl_context_t *vocp = NULL;
EC_POINT *pubkey_base = NULL;
const char *result_file = NULL;
const char *key_password = NULL;
const char *pidfile = NULL;
char *devstrs[MAX_DEVS];
int ndevstrs = 0;
int opened = 0;
FILE *pattfp[MAX_FILE], *fp;
int pattfpi[MAX_FILE];
int npattfp = 0;
int pattstdin = 0;
int i;
while ((opt = getopt(argc, argv,
"vqik1NTX:eE:p:P:d:w:t:g:b:VSh?f:o:O:s:D:")) != -1) {
switch (opt) {
case 'v':
verbose = 2;
break;
case 'q':
verbose = 0;
break;
case 'i':
caseinsensitive = 1;
break;
case 'k':
remove_on_match = 0;
break;
case '1':
only_one = 1;
break;
case 'N':
addrtype = 52;
privtype = 180;
break;
case 'T':
addrtype = 111;
privtype = 239;
break;
case 'X':
addrtype = atoi(optarg);
privtype = 128 + addrtype;
break;
case 'e':
prompt_password = 1;
break;
case 'E':
key_password = optarg;
break;
case 'p':
platformidx = atoi(optarg);
break;
case 'd':
deviceidx = atoi(optarg);
break;
case 'w':
worksize = atoi(optarg);
if (worksize == 0) {
fprintf(stderr,
"Invalid work size '%s'\n", optarg);
return 1;
}
break;
case 't':
nthreads = atoi(optarg);
if (nthreads == 0) {
fprintf(stderr,
"Invalid thread count '%s'\n", optarg);
return 1;
}
break;
case 'g':
nrows = 0;
ncols = strtol(optarg, &pend, 0);
if (pend && *pend == 'x') {
nrows = strtol(pend+1, NULL, 0);
}
if (!nrows || !ncols) {
fprintf(stderr,
"Invalid grid size '%s'\n", optarg);
return 1;
}
break;
case 'b':
invsize = atoi(optarg);
if (!invsize) {
fprintf(stderr,
"Invalid modular inverse size '%s'\n",
optarg);
return 1;
}
if (invsize & (invsize - 1)) {
fprintf(stderr,
"Modular inverse size must be "
"a power of 2\n");
return 1;
}
break;
case 'V':
verify_mode = 1;
break;
case 'S':
safe_mode = 1;
break;
case 'D':
if (ndevstrs >= MAX_DEVS) {
fprintf(stderr,
"Too many OpenCL devices (limit %d)\n",
MAX_DEVS);
return 1;
}
devstrs[ndevstrs++] = optarg;
break;
case 'P': {
if (pubkey_base != NULL) {
fprintf(stderr,
"Multiple base pubkeys specified\n");
return 1;
}
EC_KEY *pkey = vg_exec_context_new_key();
pubkey_base = EC_POINT_hex2point(
EC_KEY_get0_group(pkey),
optarg, NULL, NULL);
EC_KEY_free(pkey);
if (pubkey_base == NULL) {
fprintf(stderr,
"Invalid base pubkey\n");
return 1;
}
break;
}
case 'f':
if (npattfp >= MAX_FILE) {
fprintf(stderr,
"Too many input files specified\n");
return 1;
}
if (!strcmp(optarg, "-")) {
if (pattstdin) {
fprintf(stderr, "ERROR: stdin "
"specified multiple times\n");
return 1;
}
fp = stdin;
} else {
fp = fopen(optarg, "r");
if (!fp) {
fprintf(stderr,
"Could not open %s: %s\n",
optarg, strerror(errno));
return 1;
}
}
pattfp[npattfp] = fp;
pattfpi[npattfp] = caseinsensitive;
npattfp++;
break;
case 'o':
if (result_file) {
fprintf(stderr,
"Multiple output files specified\n");
return 1;
}
result_file = optarg;
break;
case 's':
if (seedfile != NULL) {
fprintf(stderr,
"Multiple RNG seeds specified\n");
return 1;
}
seedfile = optarg;
break;
case 'O':
pidfile = optarg;
break;
case 'h': case '?': default:
usage(argv[0]);
return 1;
}
}
#if OPENSSL_VERSION_NUMBER < 0x10000000L
/* Complain about older versions of OpenSSL */
if (verbose > 0) {
fprintf(stderr,
"WARNING: Built with " OPENSSL_VERSION_TEXT "\n"
"WARNING: Use OpenSSL 1.0.0d+ for best performance\n");
}
#endif
if (caseinsensitive && regex)
fprintf(stderr,
"WARNING: case insensitive mode incompatible with "
"regular expressions\n");
if (seedfile) {
opt = -1;
#if !defined(_WIN32)
{ struct stat st;
if (!stat(seedfile, &st) &&
(st.st_mode & (S_IFBLK|S_IFCHR))) {
opt = 32;
} }
#endif
opt = RAND_load_file(seedfile, opt);
if (!opt) {
fprintf(stderr, "Could not load RNG seed %s\n", optarg);
return 1;
}
if (verbose > 0) {
fprintf(stderr,
"Read %d bytes from RNG seed file\n", opt);
}
}
if (pidfile) {
FILE *fd = fopen(pidfile, "wb");
if (!fd) {
fprintf(stderr, "Could not write pid, open file failure: %s\n", pidfile);
return 1;
}
char buf[8];
snprintf(buf, sizeof(buf), "%d", getpid());
fwrite(buf, strlen(buf), 1, fd);
fclose(fd);
}
if (regex) {
vcp = vg_regex_context_new(addrtype, privtype);
} else {
vcp = vg_prefix_context_new(addrtype, privtype,
caseinsensitive);
}
vcp->vc_verbose = verbose;
vcp->vc_result_file = result_file;
vcp->vc_remove_on_match = remove_on_match;
vcp->vc_only_one = only_one;
vcp->vc_pubkeytype = addrtype;
vcp->vc_pubkey_base = pubkey_base;
vcp->vc_output_match = vg_output_match_console;
vcp->vc_output_timing = vg_output_timing_console;
if (!npattfp) {
if (optind >= argc) {
usage(argv[0]);
return 1;
}
patterns = &argv[optind];
npatterns = argc - optind;
if (!vg_context_add_patterns(vcp,
(const char ** const) patterns,
npatterns))
return 1;
}
for (i = 0; i < npattfp; i++) {
fp = pattfp[i];
if (!vg_read_file(fp, &patterns, &npatterns)) {
fprintf(stderr, "Failed to load pattern file\n");
return 1;
}
if (fp != stdin)
fclose(fp);
if (!regex)
vg_prefix_context_set_case_insensitive(vcp, pattfpi[i]);
if (!vg_context_add_patterns(vcp,
(const char ** const) patterns,
npatterns))
return 1;
}
if (!vcp->vc_npatterns) {
fprintf(stderr, "No patterns to search\n");
return 1;
}
if (prompt_password) {
if (!vg_read_password(pwbuf, sizeof(pwbuf)))
return 1;
key_password = pwbuf;
}
vcp->vc_key_protect_pass = key_password;
if (key_password) {
if (!vg_check_password_complexity(key_password, verbose))
fprintf(stderr,
"WARNING: Protecting private keys with "
"weak password\n");
}
if ((verbose > 0) && regex && (vcp->vc_npatterns > 1))
fprintf(stderr,
"Regular expressions: %ld\n", vcp->vc_npatterns);
if (ndevstrs) {
for (opt = 0; opt < ndevstrs; opt++) {
vocp = vg_ocl_context_new_from_devstr(vcp, devstrs[opt],
safe_mode,
verify_mode);
if (!vocp) {
fprintf(stderr,
"Could not open device '%s', ignoring\n",
devstrs[opt]);
} else {
opened++;
}
}
} else {
vocp = vg_ocl_context_new(vcp, platformidx, deviceidx,
safe_mode, verify_mode,
worksize, nthreads,
nrows, ncols, invsize);
if (vocp)
opened++;
}
if (!opened) {
vg_ocl_enumerate_devices();
return 1;
}
opt = vg_context_start_threads(vcp);
if (opt)
return 1;
vg_context_wait_for_completion(vcp);
vg_ocl_context_free(vocp);
return 0;
}
/*
* Create Global context SSL and use it in every new session
*
* - Load the trusted CAs
* - Load the Private key & the certificate
* - Set the Context options & Verify options
*/
static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
{
SSL_METHOD *meth;
SSL_CTX *ctx;
X509_STORE *certstore;
int verify_mode = SSL_VERIFY_NONE;
int ctx_options = 0;
int type;
/*
* Add all the default ciphers and message digests
* Create our context.
*/
SSL_library_init();
SSL_load_error_strings();
meth = TLSv1_method();
ctx = SSL_CTX_new(meth);
/*
* Identify the type of certificates that needs to be loaded
*/
if (conf->file_type) {
type = SSL_FILETYPE_PEM;
} else {
type = SSL_FILETYPE_ASN1;
}
/*
* Set the password to load private key
*/
if (conf->private_key_password) {
SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->private_key_password);
SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
}
/*
* Load our keys and certificates
*
* If certificates are of type PEM then we can make use
* of cert chain authentication using openssl api call
* SSL_CTX_use_certificate_chain_file. Please see how
* the cert chain needs to be given in PEM from
* openSSL.org
*/
if (type == SSL_FILETYPE_PEM) {
radlog(L_INFO, "rlm_eap_tls: Loading the certificate file as a chain");
if (!(SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file");
return NULL;
}
} else if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file");
return NULL;
}
/* Load the CAs we trust */
if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list");
return NULL;
}
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
if (!(SSL_CTX_use_PrivateKey_file(ctx, conf->private_key_file, type))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading private key file");
return NULL;
}
/*
* Check if the loaded private key is the right one
*/
if (!SSL_CTX_check_private_key(ctx)) {
radlog(L_ERR, "rlm_eap_tls: Private key does not match the certificate public key");
return NULL;
}
/*
* Set ctx_options
*/
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;
/*
* SSL_OP_SINGLE_DH_USE must be used in order to prevent
* small subgroup attacks and forward secrecy. Always
* using
*
* SSL_OP_SINGLE_DH_USE has an impact on the computer
* time needed during negotiation, but it is not very
* large.
*/
ctx_options |= SSL_OP_SINGLE_DH_USE;
SSL_CTX_set_options(ctx, ctx_options);
/*
* TODO: Set the RSA & DH
* SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);
* SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
*/
/*
* set the message callback to identify the type of
* message. For every new session, there can be a
* different callback argument.
*
* SSL_CTX_set_msg_callback(ctx, cbtls_msg);
*/
/* Set Info callback */
SSL_CTX_set_info_callback(ctx, cbtls_info);
/*
* Check the certificates for revocation.
*/
#ifdef X509_V_FLAG_CRL_CHECK
if (conf->check_crl) {
certstore = SSL_CTX_get_cert_store(ctx);
if (certstore == NULL) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading Certificate Store");
return NULL;
}
X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
}
#endif
/*
* Set verify modes
* Always verify the peer certificate
*/
verify_mode |= SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verify_mode |= SSL_VERIFY_CLIENT_ONCE;
SSL_CTX_set_verify(ctx, verify_mode, cbtls_verify);
if (conf->verify_depth) {
SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
}
/* Load randomness */
if (!(RAND_load_file(conf->random_file, 1024*1024))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error loading randomness");
return NULL;
}
/*
* Set the cipher list if we were told to
*/
if (conf->cipher_list) {
if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
radlog(L_ERR, "rlm_eap_tls: Error setting cipher list");
return NULL;
}
}
return ctx;
}
int encodeFile(const char* filenameOut, const char* filenameIn) {
int ret = 0;
int filenameInSize = strlen(filenameIn)*sizeof(char)+1;
int filenameOutSize = strlen(filenameOut)*sizeof(char)+1;
char filename[filenameInSize];
char encFilename[filenameOutSize];
// create key, if it's uninitialized
int seedbytes = 1024;
memset(cKeyBuffer, 0, KEYSIZE );
if (!opensslIsSeeded) {
if (!RAND_load_file("/dev/urandom", seedbytes)) {
//__android_log_print(ANDROID_LOG_ERROR, TAG, "Failed to seed OpenSSL RNG");
return -1;
}
opensslIsSeeded = 1;
}
if (!RAND_bytes((unsigned char *)cKeyBuffer, KEYSIZE )) {
//__android_log_print(ANDROID_LOG_ERROR, TAG, "Faled to create OpenSSSL random integers: %ul", ERR_get_error);
}
strncpy(encFilename, filenameOut, filenameOutSize);
encFilename[filenameOutSize-1]=0;
strncpy(filename, filenameIn, filenameInSize);
filename[filenameInSize-1]=0;
EVP_CIPHER_CTX *e_ctx = EVP_CIPHER_CTX_new();
// unsigned char * key = new unsigned char[KEYSIZE];
// loadKey("key", key, KEYSIZE);
// unsigned char key[] = "01234567890123450123456789012345"; // 256-bit
FILE *orig_file, *enc_file;
printf ("filename: %s\n" ,filename );
printf ("enc filename: %s\n" ,encFilename );
orig_file = fopen( filename, "rb" );
enc_file = fopen ( encFilename, "wb" );
unsigned char *encData, *origData;
int encData_len = 0;
int len = 0;
int bytesread = 0;
/**
* ENCRYPT
*/
//if (!(EVP_EncryptInit_ex(e_ctx, EVP_aes_256_cbc(), NULL, key, iv ))) {
if (!(EVP_EncryptInit_ex(e_ctx, EVP_aes_256_cbc(), NULL, cKeyBuffer, iv ))) {
ret = -1;
printf( "ERROR: EVP_ENCRYPTINIT_EX\n");
}
// go through file, and encrypt
if ( orig_file != NULL ) {
origData = new unsigned char[aes_blocksize];
encData = new unsigned char[aes_blocksize+EVP_CIPHER_CTX_block_size(e_ctx)]; // potential for encryption to be 16 bytes longer than original
printf( "Encoding file: %s\n", filename);
bytesread = fread(origData, 1, aes_blocksize, orig_file);
// read bytes from file, then send to cipher
while ( bytesread ) {
if (!(EVP_EncryptUpdate(e_ctx, encData, &len, origData, bytesread))) {
ret = -1;
printf( "ERROR: EVP_ENCRYPTUPDATE\n");
}
encData_len = len;
fwrite(encData, 1, encData_len, enc_file );
// read more bytes
bytesread = fread(origData, 1, aes_blocksize, orig_file);
}
// last step encryption
if (!(EVP_EncryptFinal_ex(e_ctx, encData, &len))) {
ret = -1;
printf( "ERROR: EVP_ENCRYPTFINAL_EX\n");
}
encData_len = len;
fwrite(encData, 1, encData_len, enc_file );
// free cipher
EVP_CIPHER_CTX_free(e_ctx);
// close files
printf( "\t>>\n");
fclose(orig_file);
fclose(enc_file);
} else {
printf( "Unable to open files for encoding\n");
ret = -1;
return ret;
}
return ret;
}
static
int tls_init_context(tls_t *tls, tls_issues_t const *ti)
{
int verify;
static int random_loaded;
ONCE_INIT(tls_init_once);
if (!random_loaded) {
random_loaded = 1;
if (ti->randFile &&
!RAND_load_file(ti->randFile, 1024 * 1024)) {
if (ti->configured > 1) {
SU_DEBUG_3(("%s: cannot open randFile %s\n",
"tls_init_context", ti->randFile));
tls_log_errors(3, "tls_init_context", 0);
}
/* errno = EIO; */
/* return -1; */
}
}
#if HAVE_SIGPIPE
/* Avoid possible SIGPIPE when sending close_notify */
signal(SIGPIPE, SIG_IGN);
#endif
if (tls->ctx == NULL)
if (!(tls->ctx = SSL_CTX_new((SSL_METHOD*)SSLv23_method()))) {
tls_log_errors(1, "SSL_CTX_new() failed", 0);
errno = EIO;
return -1;
}
if (!(ti->version & TPTLS_VERSION_SSLv2))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv2);
if (!(ti->version & TPTLS_VERSION_SSLv3))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv3);
if (!(ti->version & TPTLS_VERSION_TLSv1))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1);
if (!(ti->version & TPTLS_VERSION_TLSv1_1))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_1);
if (!(ti->version & TPTLS_VERSION_TLSv1_2))
SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_2);
SSL_CTX_sess_set_remove_cb(tls->ctx, NULL);
SSL_CTX_set_timeout(tls->ctx, ti->timeout);
/* Set callback if we have a passphrase */
if (ti->passphrase != NULL) {
SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti);
}
if (!SSL_CTX_use_certificate_file(tls->ctx,
ti->cert,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid local certificate: %s\n",
"tls_init_context", ti->cert));
tls_log_errors(3, "tls_init_context", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_use_PrivateKey_file(tls->ctx,
ti->key,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid private key: %s\n",
"tls_init_context", ti->key));
tls_log_errors(3, "tls_init_context(key)", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_check_private_key(tls->ctx)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: private key does not match the certificate public key\n",
"tls_init_context"));
}
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
if (!SSL_CTX_load_verify_locations(tls->ctx,
ti->CAfile,
ti->CApath)) {
SU_DEBUG_1(("%s: error loading CA list: %s\n",
"tls_init_context", ti->CAfile));
if (ti->configured > 0)
tls_log_errors(3, "tls_init_context(CA)", 0);
errno = EIO;
return -1;
}
/* corresponds to (enum tport_tls_verify_policy) */
tls->verify_incoming = (ti->policy & 0x1) ? 1 : 0;
tls->verify_outgoing = (ti->policy & 0x2) ? 1 : 0;
tls->verify_subj_in = (ti->policy & 0x4) ? tls->verify_incoming : 0;
tls->verify_subj_out = (ti->policy & 0x8) ? tls->verify_outgoing : 0;
tls->verify_date = (ti->verify_date) ? 1 : 0;
if (tls->verify_incoming)
verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
else
verify = SSL_VERIFY_NONE;
SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb);
if (tls_init_ecdh_curve(tls) == 0) {
SU_DEBUG_3(("%s\n", "tls: initialized ECDH"));
} else {
SU_DEBUG_3(("%s\n", "tls: failed to initialize ECDH"));
}
if (!SSL_CTX_set_cipher_list(tls->ctx, ti->ciphers)) {
SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context"));
tls_log_errors(3, "tls_init_context", 0);
errno = EIO;
return -1;
}
return 0;
}
static void
init_prng (void)
{
char namebuf[256];
const char *random_file;
if (RAND_status ())
/* The PRNG has been seeded; no further action is necessary. */
return;
/* Seed from a file specified by the user. This will be the file
specified with --random-file, $RANDFILE, if set, or ~/.rnd, if it
exists. */
if (opt.random_file)
random_file = opt.random_file;
else
{
/* Get the random file name using RAND_file_name. */
namebuf[0] = '\0';
random_file = RAND_file_name (namebuf, sizeof (namebuf));
}
if (random_file && *random_file)
/* Seed at most 16k (apparently arbitrary value borrowed from
curl) from random file. */
RAND_load_file (random_file, 16384);
if (RAND_status ())
return;
/* Get random data from EGD if opt.egd_file was used. */
if (opt.egd_file && *opt.egd_file)
RAND_egd (opt.egd_file);
if (RAND_status ())
return;
#ifdef WINDOWS
/* Under Windows, we can try to seed the PRNG using screen content.
This may or may not work, depending on whether we'll calling Wget
interactively. */
RAND_screen ();
if (RAND_status ())
return;
#endif
#if 0 /* don't do this by default */
{
int maxrand = 500;
/* Still not random enough, presumably because neither /dev/random
nor EGD were available. Try to seed OpenSSL's PRNG with libc
PRNG. This is cryptographically weak and defeats the purpose
of using OpenSSL, which is why it is highly discouraged. */
logprintf (LOG_NOTQUIET, _("WARNING: using a weak random seed.\n"));
while (RAND_status () == 0 && maxrand-- > 0)
{
unsigned char rnd = random_number (256);
RAND_seed (&rnd, sizeof (rnd));
}
}
#endif
}
int main(int argc, char **argv) {
program_name = argv[0];
if(!parse_options(argc, argv))
return 1;
make_names();
if(show_version) {
printf("%s version %s\n", PACKAGE, VERSION);
printf("Copyright (C) 1998-2016 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n"
"see the file COPYING for details.\n");
return 0;
}
if(show_help) {
usage(false);
return 0;
}
if(kill_tincd)
return !kill_other(kill_tincd);
openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR);
g_argv = argv;
if(getenv("LISTEN_PID") && atoi(getenv("LISTEN_PID")) == getpid())
do_detach = false;
#ifdef HAVE_UNSETENV
unsetenv("LISTEN_PID");
#endif
init_configuration(&config_tree);
/* Slllluuuuuuurrrrp! */
RAND_load_file("/dev/urandom", 1024);
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
OpenSSL_add_all_algorithms();
if(generate_keys) {
read_server_config();
return !keygen(generate_keys);
}
if(!read_server_config())
return 1;
#ifdef HAVE_LZO
if(lzo_init() != LZO_E_OK) {
logger(LOG_ERR, "Error initializing LZO compressor!");
return 1;
}
#endif
#ifdef HAVE_MINGW
if(WSAStartup(MAKEWORD(2, 2), &wsa_state)) {
logger(LOG_ERR, "System call `%s' failed: %s", "WSAStartup", winerror(GetLastError()));
return 1;
}
if(!do_detach || !init_service())
return main2(argc, argv);
else
return 1;
}
int main( int argc, char *argv[] )
{
const char *fn = "main()";
char f_randfile[ PATH_MAX ];
int listensd; /* socket descriptor we'll bind to */
int clientsd; /* incoming socket descriptor */
int sockaddrlen;
struct sockaddr_storage srvaddr;
struct sockaddr_storage cliaddr;
pthread_t ThreadId; /* thread id of each incoming conn */
pthread_t RecycleThread; /* used just for the recycle thread */
pthread_attr_t attr; /* generic thread attribute struct */
int rc, i, fd;
unsigned int ui;
struct linger lingerstruct; /* for the socket reuse stuff */
int flag; /* for the socket reuse stuff */
ICC_Struct *ICC_tptr;
extern char *optarg;
extern int optind;
char ConfigFile[ MAXPATHLEN ]; /* path to our config file */
char PidFile[ MAXPATHLEN ]; /* path to our pidfile */
#ifdef HAVE_LIBWRAP
struct request_info r; /* request struct for libwrap */
#endif
struct addrinfo aihints, *ai;
int gaierrnum;
flag = 1;
ConfigFile[0] = '\0';
strncpy( PidFile, DEFAULT_PID_FILE, sizeof PidFile -1 );
/*
* Ignore signals we don't want to die from but we don't care enough
* about to catch.
*/
signal( SIGPIPE, SIG_IGN );
signal( SIGHUP, SIG_IGN );
while (( i = getopt( argc, argv, "f:p:h" ) ) != EOF )
{
switch( i )
{
case 'f':
/* user specified a config filename */
strncpy( ConfigFile, optarg, sizeof ConfigFile -1 );
ConfigFile[ sizeof ConfigFile - 1 ] = '\0';
syslog( LOG_INFO, "%s: Using configuration file '%s'",
fn, ConfigFile );
break;
case 'p':
/* user specified a pidfile */
strncpy( PidFile, optarg, sizeof PidFile -1 );
PidFile[ sizeof PidFile - 1 ] = '\0';
syslog( LOG_INFO, "%s: Using pidfile '%s'",
fn, PidFile );
break;
case 'h':
Usage();
exit( 0 );
case '?':
Usage();
exit( 1 );
}
}
/*
* Make sure we know which config file to use and then set our config
* options.
*/
if ( ! ConfigFile[0] )
{
strncpy( ConfigFile, DEFAULT_CONFIG_FILE, sizeof ConfigFile -1 );
ConfigFile[ sizeof ConfigFile - 1 ] = '\0';
syslog( LOG_INFO, "%s: Using default configuration file '%s'.",
fn, ConfigFile );
}
SetDefaultConfigValues(&PC_Struct);
SetConfigOptions( ConfigFile );
SetLogOptions();
/*
* Just for logging purposes, are we doing SELECT caching or not?
*/
if ( PC_Struct.enable_select_cache )
syslog( LOG_INFO, "%s: SELECT caching is enabled", fn );
else
syslog( LOG_INFO, "%s: SELECT caching is disabled", fn );
/*
* Just for logging purposes, are the admin commands enabled or not?
*/
if ( PC_Struct.enable_admin_commands )
syslog( LOG_INFO, "%s: Internal admin commands are enabled", fn );
else
syslog( LOG_INFO, "%s: Internal admin commands are disabled", fn );
#ifdef HAVE_LIBWRAP
/*
* Set our tcpd service name
*/
if (service = strrchr(argv[0], '/'))
service++;
else
service = argv[0];
#endif
/*
* Initialize some stuff.
*/
rc = pthread_mutex_init(&mp, NULL);
if ( rc )
{
syslog(LOG_ERR, "%s: pthread_mutex_init() returned error [%d] initializing main mutex. Exiting.", fn, rc );
exit( 1 );
}
rc = pthread_mutex_init(&trace, NULL);
if ( rc )
{
syslog(LOG_ERR, "%s: pthread_mutex_init() returned error [%d] initializing trace mutex. Exiting.", fn, rc );
exit( 1 );
}
TraceUser[0] = '\0';
syslog( LOG_INFO, "%s: Allocating %d IMAP connection structures.",
fn, PC_Struct.cache_size );
ICC_free = (ICC_Struct *)malloc( ( sizeof ( ICC_Struct ) )
* PC_Struct.cache_size );
if ( ! ICC_free )
{
syslog(LOG_ERR, "%s: malloc() failed to allocate [%d] IMAPConnectionContext structures: %s", fn, PC_Struct.cache_size, strerror( errno ) );
exit( 1 );
}
memset( ICC_free, 0, sizeof ( ICC_Struct ) * PC_Struct.cache_size );
ICC_tptr = ICC_free;
/*
* Bug fixed by Gary Mills <*****@*****.**>. I was pre-incrementing
* ICC_tptr and then assigning. I guess gcc evaluates the expression
* incorrectly, since I never had a problem with this. Gary had the
* problem with cc, so it's fixed here.
*/
for ( ui = 0; ui < PC_Struct.cache_size - 1; ui++ )
{
ICC_tptr->next = ICC_tptr + 1;
ICC_tptr++;
}
memset( ICC_HashTable, 0, sizeof ICC_HashTable );
#if HAVE_LIBSSL
/* Initialize SSL_CTX */
syslog( LOG_INFO, "%s: Enabling openssl library.", fn );
SSL_library_init();
/* Set up OpenSSL thread protection */
ssl_thread_setup(fn);
/* Need to seed PRNG, too! */
if ( RAND_egd( ( RAND_file_name( f_randfile, sizeof( f_randfile ) ) == f_randfile ) ? f_randfile : "/.rnd" ) )
{
/* Not an EGD, so read and write it. */
if ( RAND_load_file( f_randfile, -1 ) )
RAND_write_file( f_randfile );
}
SSL_load_error_strings();
tls_ctx = SSL_CTX_new( TLSv1_client_method() );
if ( tls_ctx == NULL )
{
syslog(LOG_ERR, "%s: Failed to create new SSL_CTX. Exiting.", fn);
exit( 1 );
}
/* Work around all known bugs */
SSL_CTX_set_options( tls_ctx, SSL_OP_ALL );
if ( PC_Struct.tls_ca_file != NULL || PC_Struct.tls_ca_path != NULL )
{
rc = SSL_CTX_load_verify_locations( tls_ctx,
PC_Struct.tls_ca_file,
PC_Struct.tls_ca_path );
}
else
{
rc = SSL_CTX_set_default_verify_paths( tls_ctx );
}
if ( rc == 0 )
{
syslog(LOG_ERR, "%s: Failed to load CA data. Exiting.", fn);
exit( 1 );
}
if ( ! set_cert_stuff( tls_ctx,
PC_Struct.tls_cert_file,
PC_Struct.tls_key_file ) )
{
syslog(LOG_ERR, "%s: Failed to load cert/key data. Exiting.", fn);
exit( 1 );
}
SSL_CTX_set_verify(tls_ctx, SSL_VERIFY_NONE, verify_callback);
#endif /* HAVE_LIBSSL */
ServerInit();
/* Daemonize() would go here */
SetBannerAndCapability();
/*
* We don't need to check PC_Struct.support_starttls since we
* probably have refetched the capability list after a STARTTLS
* if we did one; it won't ever be supported at this point.
*
* It also makes no difference to check PC_Struct.force_tls now
* because we've either done a STARTTLS or we haven't - all that
* matters is if we got LOGINDISABLED or not.
*
* Note that all these things *ARE* tested when checking the
* server capabilities (in fact, the following check is probably
* a duplicate).
*/
if ( PC_Struct.login_disabled )
{
/* We're screwed! We can't login */
syslog(LOG_ERR,
"%s: IMAP server has LOGINDISABLED. Exiting.",
fn);
exit( 1 );
}
memset( &aihints, 0, sizeof aihints );
aihints.ai_family = AF_UNSPEC;
aihints.ai_socktype = SOCK_STREAM;
aihints.ai_flags = AI_PASSIVE;
if ( ( gaierrnum = getaddrinfo( PC_Struct.listen_addr,
PC_Struct.listen_port,
&aihints, &ai ) ) )
{
syslog( LOG_ERR, "%s: bad bind address: '%s' specified in config file. Exiting.", fn, PC_Struct.listen_addr );
exit( 1 );
}
syslog( LOG_INFO, "%s: Binding to tcp %s:%s", fn,
PC_Struct.listen_addr ? PC_Struct.listen_addr : "*",
PC_Struct.listen_port );
for ( ; ai != NULL; ai = ai->ai_next )
{
listensd = socket( ai->ai_family, ai->ai_socktype, ai->ai_protocol );
if ( listensd == -1 )
{
syslog(LOG_WARNING, "%s: socket() failed: %s", fn, strerror(errno));
continue;
}
setsockopt(listensd, SOL_SOCKET, SO_REUSEADDR, (void *)&flag,
sizeof(flag));
lingerstruct.l_onoff = 1;
lingerstruct.l_linger = 5;
setsockopt(listensd, SOL_SOCKET, SO_LINGER, (void *)&lingerstruct,
sizeof(lingerstruct));
if ( PC_Struct.send_tcp_keepalives )
{
lingerstruct.l_onoff = 1;
syslog( LOG_INFO, "%s: Enabling SO_KEEPALIVE.", fn );
setsockopt( listensd, SOL_SOCKET, SO_KEEPALIVE, (void *)&lingerstruct.l_onoff, sizeof lingerstruct.l_onoff );
}
memcpy( &srvaddr, ai->ai_addr, ai->ai_addrlen );
if ( bind( listensd, (struct sockaddr *)&srvaddr, ai->ai_addrlen ) < 0 )
{
syslog(LOG_WARNING, "%s: bind() failed: %s", fn, strerror(errno) );
continue;
}
else break;
}
if ( ai == NULL )
{
syslog( LOG_ERR, "%s: no useable addresses to bind to", fn );
exit( EXIT_FAILURE);
}
/*
* Create and mmap() our stat file while we're still root. Since it's
* configurable, we want to make sure we do this as root so there's the
* greatest possibility that we'll have permission to write where we
* need to.
*/
syslog( LOG_INFO, "%s: Using global statistics file '%s'", fn,
PC_Struct.stat_filename );
fd = open( PC_Struct.stat_filename, O_RDWR | O_CREAT, S_IREAD | S_IWRITE );
if ( fd == -1 )
{
syslog(LOG_ERR, "%s: open() failed for '%s': %s -- Exiting.", fn,
PC_Struct.stat_filename, strerror( errno ) );
exit( 1 );
}
if ( ( ftruncate( fd, sizeof( IMAPCounter_Struct ) ) ) == -1 )
{
syslog(LOG_ERR, "%s: ftruncate() failed: %s -- Exiting.",
fn, strerror( errno ) );
exit( 1 );
}
IMAPCount = ( IMAPCounter_Struct *)mmap( 0, sizeof( IMAPCounter_Struct ),
PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0 );
if ( IMAPCount == MAP_FAILED )
{
syslog(LOG_ERR, "%s: mmap() failed: %s -- Exiting.",
fn, strerror( errno ) );
exit( 1 );
}
memset( IMAPCount, 0, sizeof( IMAPCounter_Struct ) );
IMAPCount->StartTime = time( 0 );
IMAPCount->CountTime = time( 0 );
/*
* Daemonize as late as possible, so that connection failures can be caught
* and startup aborted before dettaching from parent
*/
Daemonize( PidFile );
if ( BecomeNonRoot() )
exit( 1 );
/* some misc thread setup */
rc = pthread_attr_init( &attr );
if ( rc )
{
syslog(LOG_ERR, "%s: pthread_attr_init() failed: [%d]\n", fn, rc);
exit( 1 );
}
rc = pthread_attr_setdetachstate( &attr, PTHREAD_CREATE_DETACHED );
if ( rc )
{
syslog(LOG_ERR, "%s: pthread_attr_setdetachstate() failed: [%d]\n",
fn, rc);
exit( 1 );
}
/* launch a recycle thread before we loop */
pthread_create( &RecycleThread, &attr, (void *)ICC_Recycle_Loop, NULL );
syslog(LOG_INFO, "%s: Launched ICC recycle thread with id %d",
fn, (int)RecycleThread );
/*
* Now start listening and accepting connections.
*/
if ( listen(listensd, MAX_CONN_BACKLOG) < 0)
{
syslog( LOG_ERR, "%s: listen() failed: %s -- Exiting",
fn, strerror(errno));
exit( 1 );
}
syslog( LOG_INFO, "%s: squirrelmail-imap_proxy version %s normal server startup.", fn, IMAP_PROXY_VERSION );
/*
* Main server loop
*/
for ( ;; )
{
/*
* Bug fixed by Gary Mills <*****@*****.**>. I forgot
* to initialize sockaddrlen.
*/
sockaddrlen = sizeof cliaddr;
clientsd = accept( listensd, (struct sockaddr *)&cliaddr,
&sockaddrlen );
if ( clientsd == -1 )
{
syslog(LOG_WARNING, "%s: accept() failed: %s -- retrying",
fn, strerror(errno));
sleep( 1 );
continue;
}
#ifdef HAVE_LIBWRAP
request_init(&r, RQ_DAEMON, service, 0);
request_set(&r, RQ_FILE, clientsd, 0);
sock_host(&r);
if (!hosts_access(&r))
{
shutdown(clientsd, SHUT_RDWR);
close(clientsd);
syslog(deny_severity, "refused connection from %s", eval_client(&r));
continue;
}
#endif
IMAPCount->TotalClientConnectionsAccepted++;
IMAPCount->CurrentClientConnections++;
if ( IMAPCount->CurrentClientConnections >
IMAPCount->PeakClientConnections )
IMAPCount->PeakClientConnections = IMAPCount->CurrentClientConnections;
rc = pthread_create( &ThreadId, &attr, (void *)HandleRequest, (void *)clientsd );
if (rc != 0) {
syslog(LOG_ERR, "%s: pthread_create() returned error [%d] for HandleRequest.", fn, rc );
close(clientsd);
}
}
}
int main(void)
{
BIO *sbio;
SSL *ssl;
SSL_CTX *ctx;
int ret = 0;
SSL_library_init();
RAND_load_file("/dev/urandom", 1024);
ctx = setup_client_ctx();
/* Now doing standard connect stuff */
char sendline[MAXLINE + 1], recvline[MAXLINE + 1];
char password[MAXLINE + 1];
int sockfd;
struct sockaddr_in servaddr;
char **pptr;
//********** You can change. Put any values here *******
char *hname = "smtp.gmail.com";
//*******************************************************
char str[50];
struct hostent *hptr;
if ((hptr = gethostbyname(hname)) == NULL) {
fprintf(stderr, " gethostbyname error for host: %s: %s",
hname, hstrerror(h_errno));
exit(1);
}
printf("hostname: %s\n", hptr->h_name);
if (hptr->h_addrtype == AF_INET
&& (pptr = hptr->h_addr_list) != NULL) {
printf("address: %s\n",
inet_ntop(hptr->h_addrtype, *pptr, str,
sizeof(str)));
} else {
fprintf(stderr, "Error call inet_ntop \n");
}
sockfd = socket(AF_INET, SOCK_STREAM, 0);
bzero(&servaddr, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(25);
inet_pton(AF_INET, str, &servaddr.sin_addr);
connect(sockfd, (SA *) & servaddr, sizeof(servaddr));
fprintf(stderr, "%s\n", socket_read(sockfd,recvline));
socket_write(sockfd,"EHLO big.mchirico.org\r\n");
fprintf(stderr, "ehlo response:%s<-\n", socket_read(sockfd,recvline));
socket_write(sockfd, "STARTTLS\r\n");
fprintf(stderr, "response to starttls:%s<-\n", socket_read(sockfd,recvline));
sbio = BIO_new_socket(sockfd, BIO_NOCLOSE);
ssl = SSL_new(ctx);
SSL_set_bio(ssl, sbio, sbio);
SSL_set_connect_state(ssl);
/* Circuit Breaker - NO encrypted connection */
if (SSL_do_handshake(ssl) == 1) {
fprintf(stderr, "SSL_do_handshake(ssl)=%d\n", 1);
} else {
fprintf(stderr, "SSL handshake error= %d\n",
SSL_get_error(ssl, ret));
fprintf(stderr,
"Cannot establish an encrypted connection\nExiting\n\n");
return -1;
}
SSL_socket_write(ssl,"EHLO mchirico.org\r\n");
fprintf(stderr,"k: %s",SSL_socket_read(ssl,recvline));
get_password("password_smtp_64", password, MAXLINE);
snprintf(sendline, MAXLINE, "AUTH PLAIN %s\r\n", password);
fprintf(stderr,"password: ->%s<-\n",password);
SSL_socket_write(ssl,sendline);
fprintf(stderr, "login res: %s<-",SSL_socket_read(ssl,recvline));
SSL_socket_write(ssl,"MAIL FROM: <*****@*****.**>\r\n");
fprintf(stderr, "2:%s",SSL_socket_read(ssl,recvline));
SSL_socket_write(ssl,"RCPT TO: <*****@*****.**>\r\n");
fprintf(stderr, "3:%s", SSL_socket_read(ssl,recvline));
SSL_socket_write(ssl,"RCPT TO: <*****@*****.**>\r\n");
fprintf(stderr, "3:%s", SSL_socket_read(ssl,recvline));
SSL_socket_write(ssl,
"DATA\r\nFrom: [email protected]\r\n"
"To: [email protected]\r\n"
"To: [email protected]\r\n"
"subject: Example using tlssmtp.c\r\n"
"\r\nTest Send from tlssmtp.c"
"\r\n.\r\n");
fprintf(stderr, "4:%s", SSL_socket_read(ssl,recvline));
fprintf(stderr, "5:%s", SSL_socket_read(ssl,recvline));
SSL_shutdown(ssl);
SSL_clear(ssl);
fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl);
SSL_CTX_free(ctx);
return 0;
}
void seed_prng(void)
{
RAND_load_file("/dev/urandom", 1024);
}
int main(int argc,char **argv)
{
printf("\tFIPS-mode test application\n\n");
/* Load entropy from external file, if any */
RAND_load_file(".rnd", 1024);
if (argv[1]) {
/* Corrupted KAT tests */
if (!strcmp(argv[1], "aes")) {
FIPS_corrupt_aes();
printf("AES encryption/decryption with corrupted KAT...\n");
} else if (!strcmp(argv[1], "des")) {
FIPS_corrupt_des();
printf("DES-ECB encryption/decryption with corrupted KAT...\n");
} else if (!strcmp(argv[1], "dsa")) {
FIPS_corrupt_dsa();
printf("DSA key generation and signature validation with corrupted KAT...\n");
} else if (!strcmp(argv[1], "rsa")) {
FIPS_corrupt_rsa();
printf("RSA key generation and encryption/decryption with corrupted KAT...\n");
} else if (!strcmp(argv[1], "sha1")) {
FIPS_corrupt_sha1();
printf("SHA-1 hash with corrupted KAT...\n");
} else if (!strcmp(argv[1], "rng")) {
FIPS_corrupt_rng();
printf("RNG test with corrupted KAT...\n");
} else {
printf("Bad argument \"%s\"\n", argv[1]);
exit(1);
}
if (!FIPS_mode_set(1))
{
ERR_load_crypto_strings();
ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
printf("Power-up self test failed\n");
exit(1);
}
printf("Power-up self test successful\n");
exit(0);
}
/* Non-Approved cryptographic operation
*/
printf("1. Non-Approved cryptographic operation test...\n");
printf("\ta. Excluded algorithm (MD5)...");
printf( md5_test() ? "successful\n" : Fail("FAILED!\n") );
printf("\tb. Included algorithm (D-H)...");
printf( dh_test() ? "successful\n" : Fail("FAILED!\n") );
/* Power-up self test
*/
ERR_clear_error();
printf("2. Automatic power-up self test...");
if (!FIPS_mode_set(1))
{
ERR_load_crypto_strings();
ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
printf(Fail("FAILED!\n"));
exit(1);
}
printf("successful\n");
/* AES encryption/decryption
*/
printf("3. AES encryption/decryption...");
printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") );
/* RSA key generation and encryption/decryption
*/
printf("4. RSA key generation and encryption/decryption...");
printf( FIPS_rsa_test() ? "successful\n" : Fail("FAILED!\n") );
/* DES-CBC encryption/decryption
*/
printf("5. DES-ECB encryption/decryption...");
printf( FIPS_des_test() ? "successful\n" : Fail("FAILED!\n") );
/* DSA key generation and signature validation
*/
printf("6. DSA key generation and signature validation...");
printf( FIPS_dsa_test() ? "successful\n" : Fail("FAILED!\n") );
/* SHA-1 hash
*/
printf("7a. SHA-1 hash...");
printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
/* SHA-256 hash
*/
printf("7b. SHA-256 hash...");
printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
/* SHA-512 hash
*/
printf("7c. SHA-512 hash...");
printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
/* HMAC-SHA-1 hash
*/
printf("7d. SHA-1 hash...");
printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
/* HMAC-SHA-224 hash
*/
printf("7e. SHA-224 hash...");
printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") );
/* HMAC-SHA-256 hash
*/
printf("7f. SHA-256 hash...");
printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
/* HMAC-SHA-384 hash
*/
printf("7g. SHA-384 hash...");
printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") );
/* HMAC-SHA-512 hash
*/
printf("7h. SHA-512 hash...");
printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
/* Non-Approved cryptographic operation
*/
printf("8. Non-Approved cryptographic operation test...\n");
printf("\ta. Excluded algorithm (MD5)...");
printf( md5_test() ? Fail("passed INCORRECTLY!\n")
: "failed as expected\n" );
printf("\tb. Included algorithm (D-H)...");
printf( dh_test() ? "successful as expected\n"
: Fail("failed INCORRECTLY!\n") );
/* Zeroization
*/
printf("9. Zero-ization...\n");
Zeroize();
printf("\nAll tests completed with %d errors\n", Error);
return 0;
}
static void RandomSeed(void)
{
/* 1. Seed the weak C PRNGs. */
/* Mix various stuff. */
pid_t pid = getpid();
size_t fqdn_len = strlen(VFQNAME) > 0 ? strlen(VFQNAME) : 1;
time_t start_time = CFSTARTTIME;
time_t now = time(NULL);
srand((unsigned) pid * fqdn_len * start_time * now);
srand48((long) (pid * fqdn_len * start_time * now));
/* 2. Seed the strong OpenSSL PRNG. */
/* randseed file is written by cf-key. */
char randfile[CF_BUFSIZE];
snprintf(randfile, CF_BUFSIZE, "%s%crandseed",
CFWORKDIR, FILE_SEPARATOR);
Log(LOG_LEVEL_VERBOSE, "Looking for a source of entropy in '%s'",
randfile);
if (!RAND_load_file(randfile, -1))
{
Log(LOG_LEVEL_VERBOSE,
"Could not read sufficient randomness from '%s'", randfile);
}
#ifndef __MINGW32__ /* windows may hang */
RAND_poll();
#else
RAND_screen();
#endif
/* We should have had enough entropy by now. Else we print a message and
* use non-crypto-safe random data. */
if (RAND_status() != 1)
{
/* TODO raise to LOG_LEVEL_WARNING? */
Log(LOG_LEVEL_INFO,
"PRNG hasn't been seeded enough, using some pseudo-random bytes for seed!");
Log(LOG_LEVEL_INFO,
"A workaround is to copy 1KB of random bytes to '%s'",
randfile);
unsigned char rand_buf[128];
for (size_t i = 0; i < sizeof(rand_buf); i++)
{
rand_buf[i] = rand() % 256;
}
RAND_seed(rand_buf, sizeof(rand_buf));
/* If we *still* not have enough entropy, then things will be failing
* all over the place. Should never happen because of the rand()
* buffer above which should be enough for all cases. */
if (RAND_status() != 1)
{
UnexpectedError("Low entropy, crypto operations will fail! "
"See verbose log and report which platform you are using.");
}
}
}
/*
Open the SSL module
*/
PUBLIC int sslOpen()
{
RandBuf randBuf;
X509_STORE *store;
uchar resume[16];
char *ciphers;
trace(7, "Initializing SSL");
randBuf.now = time(0);
randBuf.pid = getpid();
RAND_seed((void*) &randBuf, sizeof(randBuf));
#if ME_UNIX_LIKE
trace(6, "OpenSsl: Before calling RAND_load_file");
RAND_load_file("/dev/urandom", 256);
trace(6, "OpenSsl: After calling RAND_load_file");
#endif
CRYPTO_malloc_init();
#if !ME_WIN_LIKE
OpenSSL_add_all_algorithms();
#endif
SSL_library_init();
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
if ((sslctx = SSL_CTX_new(SSLv23_server_method())) == 0) {
error("Unable to create SSL context");
return -1;
}
/*
Set the server certificate and key files
*/
if (*ME_GOAHEAD_SSL_KEY && sslSetKeyFile(ME_GOAHEAD_SSL_KEY) < 0) {
sslClose();
return -1;
}
if (*ME_GOAHEAD_SSL_CERTIFICATE && sslSetCertFile(ME_GOAHEAD_SSL_CERTIFICATE) < 0) {
sslClose();
return -1;
}
if (ME_GOAHEAD_SSL_VERIFY_PEER) {
SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verifyClientCertificate);
SSL_CTX_set_verify_depth(sslctx, VERIFY_DEPTH);
} else {
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, verifyClientCertificate);
}
/*
Set the client certificate verification locations
*/
if (ME_GOAHEAD_SSL_AUTHORITY && *ME_GOAHEAD_SSL_AUTHORITY) {
if ((!SSL_CTX_load_verify_locations(sslctx, ME_GOAHEAD_SSL_AUTHORITY, NULL)) ||
(!SSL_CTX_set_default_verify_paths(sslctx))) {
error("Unable to read cert verification locations");
sslClose();
return -1;
}
/*
Define the list of CA certificates to send to the client before they send their client
certificate for validation
*/
SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(ME_GOAHEAD_SSL_AUTHORITY));
}
if (ME_GOAHEAD_SSL_REVOKE && *ME_GOAHEAD_SSL_REVOKE) {
store = SSL_CTX_get_cert_store(sslctx);
if (!X509_STORE_load_locations(store, ME_GOAHEAD_SSL_REVOKE, 0)) {
error("Cannot load certificate revoke list: %s", ME_GOAHEAD_SSL_REVOKE);
sslClose();
return -1;
}
}
/*
Configure DH parameters
*/
dhKey = getDhKey();
SSL_CTX_set_tmp_dh_callback(sslctx, dhcallback);
/*
Configure cipher suite
*/
if (ME_GOAHEAD_SSL_CIPHERS && *ME_GOAHEAD_SSL_CIPHERS) {
ciphers = ME_GOAHEAD_SSL_CIPHERS;
} else {
ciphers = OPENSSL_DEFAULT_CIPHERS;
}
ciphers = mapCipherNames(ciphers);
trace(5, "Using OpenSSL ciphers: %s", ciphers);
if (SSL_CTX_set_cipher_list(sslctx, ciphers) != 1) {
error("Unable to set cipher list \"%s\"", ciphers);
sslClose();
wfree(ciphers);
return -1;
}
wfree(ciphers);
/*
Define default OpenSSL options
*/
SSL_CTX_set_options(sslctx, SSL_OP_ALL);
/*
Ensure we generate a new private key for each connection
*/
SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE);
/*
Define a session reuse context
*/
RAND_bytes(resume, sizeof(resume));
SSL_CTX_set_session_id_context(sslctx, resume, sizeof(resume));
/*
Elliptic Curve initialization
*/
#if SSL_OP_SINGLE_ECDH_USE
#ifdef SSL_CTX_set_ecdh_auto
SSL_CTX_set_ecdh_auto(sslctx, 1);
#else
{
EC_KEY *ecdh;
cchar *name;
int nid;
name = ME_GOAHEAD_SSL_CURVE;
if ((nid = OBJ_sn2nid(name)) == 0) {
error("Unknown curve name \"%s\"", name);
sslClose();
return -1;
}
if ((ecdh = EC_KEY_new_by_curve_name(nid)) == 0) {
error("Unable to create curve \"%s\"", name);
sslClose();
return -1;
}
SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_ECDH_USE);
SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
#endif
SSL_CTX_set_mode(sslctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
SSL_CTX_set_options(sslctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
#endif
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(sslctx, SSL_MODE_RELEASE_BUFFERS);
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
SSL_CTX_set_mode(sslctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
#endif
/*
Select the required protocols
Disable both SSLv2 and SSLv3 by default - they are insecure
*/
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3);
#if defined(SSL_OP_NO_TLSv1) && ME_GOAHEAD_SSL_NO_V1
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1);
#endif
#if defined(SSL_OP_NO_TLSv1_1) && ME_GOAHEAD_SSL_NO_V1_1
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_1);
#endif
#if defined(SSL_OP_NO_TLSv1_2) && ME_GOAHEAD_SSL_NO_V1_2
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2);
#endif
#if defined(SSL_OP_NO_TICKET)
/*
Ticket based session reuse is enabled by default
*/
#if defined(ME_GOAHEAD_SSL_TICKET)
if (ME_GOAHEAD_SSL_TICKET) {
SSL_CTX_clear_options(sslctx, SSL_OP_NO_TICKET);
} else {
SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET);
}
#else
SSL_CTX_clear_options(sslctx, SSL_OP_NO_TICKET);
#endif
#endif
#if defined(SSL_OP_NO_COMPRESSION)
/*
CRIME attack targets compression
*/
SSL_CTX_clear_options(sslctx, SSL_OP_NO_COMPRESSION);
#endif
#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
/*
Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers.
Defaults to true.
*/
#if defined(ME_GOAHEAD_SSL_EMPTY_FRAGMENTS)
if (ME_GOAHEAD_SSL_EMPTY_FRAGMENTS) {
/* SSL_OP_ALL disables empty fragments. Only needed for ancient browsers like IE-6 on SSL-3.0/TLS-1.0 */
SSL_CTX_clear_options(sslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
} else {
SSL_CTX_set_options(sslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
}
#else
SSL_CTX_set_options(sslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
#endif
#endif
#if defined(ME_GOAHEAD_SSL_CACHE)
/*
Set the number of sessions supported. Default in OpenSSL is 20K.
*/
SSL_CTX_sess_set_cache_size(sslctx, ME_GOAHEAD_SSL_CACHE);
#else
SSL_CTX_sess_set_cache_size(sslctx, 256);
#endif
return 0;
}
int main(int argc, char **argv)
{
int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
int bad_rsa = 0, bad_dsa = 0;
int do_rng_stick = 0;
int no_exit = 0;
printf("\tFIPS-mode test application\n\n");
/* Load entropy from external file, if any */
RAND_load_file(".rnd", 1024);
if (argv[1]) {
/* Corrupted KAT tests */
if (!strcmp(argv[1], "aes")) {
FIPS_corrupt_aes();
printf("AES encryption/decryption with corrupted KAT...\n");
} else if (!strcmp(argv[1], "des")) {
FIPS_corrupt_des();
printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
} else if (!strcmp(argv[1], "dsa")) {
FIPS_corrupt_dsa();
printf
("DSA key generation and signature validation with corrupted KAT...\n");
} else if (!strcmp(argv[1], "rsa")) {
FIPS_corrupt_rsa();
printf
("RSA key generation and signature validation with corrupted KAT...\n");
} else if (!strcmp(argv[1], "rsakey")) {
printf
("RSA key generation and signature validation with corrupted key...\n");
bad_rsa = 1;
no_exit = 1;
} else if (!strcmp(argv[1], "rsakeygen")) {
do_corrupt_rsa_keygen = 1;
no_exit = 1;
printf
("RSA key generation and signature validation with corrupted keygen...\n");
} else if (!strcmp(argv[1], "dsakey")) {
printf
("DSA key generation and signature validation with corrupted key...\n");
bad_dsa = 1;
no_exit = 1;
} else if (!strcmp(argv[1], "dsakeygen")) {
do_corrupt_dsa_keygen = 1;
no_exit = 1;
printf
("DSA key generation and signature validation with corrupted keygen...\n");
} else if (!strcmp(argv[1], "sha1")) {
FIPS_corrupt_sha1();
printf("SHA-1 hash with corrupted KAT...\n");
} else if (!strcmp(argv[1], "rng")) {
FIPS_corrupt_rng();
} else if (!strcmp(argv[1], "rngstick")) {
do_rng_stick = 1;
no_exit = 1;
printf("RNG test with stuck continuous test...\n");
} else {
printf("Bad argument \"%s\"\n", argv[1]);
exit(1);
}
if (!no_exit) {
if (!FIPS_mode_set(1)) {
do_print_errors();
printf("Power-up self test failed\n");
exit(1);
}
printf("Power-up self test successful\n");
exit(0);
}
}
/* Non-Approved cryptographic operation
*/
printf("1. Non-Approved cryptographic operation test...\n");
printf("\ta. Included algorithm (D-H)...");
printf(dh_test()? "successful\n" : Fail("FAILED!\n"));
/* Power-up self test
*/
ERR_clear_error();
printf("2. Automatic power-up self test...");
if (!FIPS_mode_set(1)) {
do_print_errors();
printf(Fail("FAILED!\n"));
exit(1);
}
printf("successful\n");
if (do_corrupt_dsa_keygen)
FIPS_corrupt_dsa_keygen();
if (do_corrupt_rsa_keygen)
FIPS_corrupt_rsa_keygen();
if (do_rng_stick)
FIPS_rng_stick();
/* AES encryption/decryption
*/
printf("3. AES encryption/decryption...");
printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n"));
/* RSA key generation and encryption/decryption
*/
printf("4. RSA key generation and encryption/decryption...");
printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n"));
/* DES-CBC encryption/decryption
*/
printf("5. DES-ECB encryption/decryption...");
printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n"));
/* DSA key generation and signature validation
*/
printf("6. DSA key generation and signature validation...");
printf(FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n"));
/* SHA-1 hash
*/
printf("7a. SHA-1 hash...");
printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n"));
/* SHA-256 hash
*/
printf("7b. SHA-256 hash...");
printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n"));
/* SHA-512 hash
*/
printf("7c. SHA-512 hash...");
printf(FIPS_sha512_test()? "successful\n" : Fail("FAILED!\n"));
/* HMAC-SHA-1 hash
*/
printf("7d. HMAC-SHA-1 hash...");
printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n"));
/* HMAC-SHA-224 hash
*/
printf("7e. HMAC-SHA-224 hash...");
printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n"));
/* HMAC-SHA-256 hash
*/
printf("7f. HMAC-SHA-256 hash...");
printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n"));
/* HMAC-SHA-384 hash
*/
printf("7g. HMAC-SHA-384 hash...");
printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n"));
/* HMAC-SHA-512 hash
*/
printf("7h. HMAC-SHA-512 hash...");
printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n"));
/* Non-Approved cryptographic operation
*/
printf("8. Non-Approved cryptographic operation test...\n");
printf("\ta. Included algorithm (D-H)...");
printf(dh_test()? "successful as expected\n"
: Fail("failed INCORRECTLY!\n"));
/* Zeroization
*/
printf("9. Zero-ization...\n");
printf(Zeroize()? "\tsuccessful as expected\n"
: Fail("\tfailed INCORRECTLY!\n"));
printf("\nAll tests completed with %d errors\n", Error);
return Error ? 1 : 0;
}
int
main(int argc, char **argv)
{
int addrtype = 0;
int scriptaddrtype = 5;
int privtype = 128;
int pubkeytype;
enum vg_format format = VCF_PUBKEY;
int regex = 0;
int caseinsensitive = 0;
int verbose = 1;
int simulate = 0;
int remove_on_match = 1;
int only_one = 0;
int prompt_password = 0;
int opt;
char *seedfile = NULL;
char pwbuf[128];
const char *result_file = NULL;
const char *key_password = NULL;
char **patterns;
int npatterns = 0;
int nthreads = 0;
vg_context_t *vcp = NULL;
EC_POINT *pubkey_base = NULL;
FILE *pattfp[MAX_FILE], *fp;
int pattfpi[MAX_FILE];
int npattfp = 0;
int pattstdin = 0;
int i;
while ((opt = getopt(argc, argv, "vqnrik1eE:P:NTc:X:F:t:h?f:o:s:")) != -1) {
switch (opt) {
case 'v':
verbose = 2;
break;
case 'q':
verbose = 0;
break;
case 'n':
simulate = 1;
break;
case 'r':
regex = 1;
break;
case 'i':
caseinsensitive = 1;
break;
case 'k':
remove_on_match = 0;
break;
case '1':
only_one = 1;
break;
case 'N':
addrtype = 52;
privtype = 180;
scriptaddrtype = -1;
break;
case 'T':
addrtype = 111;
privtype = 239;
scriptaddrtype = 196;
break;
case 'c':
if(!strcmp((optarg), "NEOS"))
{
addrtype = 0x35;
privtype = 0xB1;
scriptaddrtype = 0x05;
}
else
{
fprintf(stderr, "Unknown coin.\n");
return(1);
}
break;
case 'X':
addrtype = atoi(optarg);
privtype = 128 + addrtype;
scriptaddrtype = addrtype;
break;
case 'F':
if (!strcmp(optarg, "script"))
format = VCF_SCRIPT;
else
if (strcmp(optarg, "pubkey")) {
fprintf(stderr,
"Invalid format '%s'\n", optarg);
return 1;
}
break;
case 'P': {
if (pubkey_base != NULL) {
fprintf(stderr,
"Multiple base pubkeys specified\n");
return 1;
}
EC_KEY *pkey = vg_exec_context_new_key();
pubkey_base = EC_POINT_hex2point(
EC_KEY_get0_group(pkey),
optarg, NULL, NULL);
EC_KEY_free(pkey);
if (pubkey_base == NULL) {
fprintf(stderr,
"Invalid base pubkey\n");
return 1;
}
break;
}
case 'e':
prompt_password = 1;
break;
case 'E':
key_password = optarg;
break;
case 't':
nthreads = atoi(optarg);
if (nthreads == 0) {
fprintf(stderr,
"Invalid thread count '%s'\n", optarg);
return 1;
}
break;
case 'f':
if (npattfp >= MAX_FILE) {
fprintf(stderr,
"Too many input files specified\n");
return 1;
}
if (!strcmp(optarg, "-")) {
if (pattstdin) {
fprintf(stderr, "ERROR: stdin "
"specified multiple times\n");
return 1;
}
fp = stdin;
} else {
fp = fopen(optarg, "r");
if (!fp) {
fprintf(stderr,
"Could not open %s: %s\n",
optarg, strerror(errno));
return 1;
}
}
pattfp[npattfp] = fp;
pattfpi[npattfp] = caseinsensitive;
npattfp++;
break;
case 'o':
if (result_file) {
fprintf(stderr,
"Multiple output files specified\n");
return 1;
}
result_file = optarg;
break;
case 's':
if (seedfile != NULL) {
fprintf(stderr,
"Multiple RNG seeds specified\n");
return 1;
}
seedfile = optarg;
break;
default:
usage(argv[0]);
return 1;
}
}
#if OPENSSL_VERSION_NUMBER < 0x10000000L
/* Complain about older versions of OpenSSL */
if (verbose > 0) {
fprintf(stderr,
"WARNING: Built with " OPENSSL_VERSION_TEXT "\n"
"WARNING: Use OpenSSL 1.0.0d+ for best performance\n");
}
#endif
if (caseinsensitive && regex)
fprintf(stderr,
"WARNING: case insensitive mode incompatible with "
"regular expressions\n");
pubkeytype = addrtype;
if (format == VCF_SCRIPT)
{
if (scriptaddrtype == -1)
{
fprintf(stderr,
"Address type incompatible with script format\n");
return 1;
}
addrtype = scriptaddrtype;
}
if (seedfile) {
opt = -1;
#if !defined(_WIN32)
{ struct stat st;
if (!stat(seedfile, &st) &&
(st.st_mode & (S_IFBLK|S_IFCHR))) {
opt = 32;
} }
#endif
opt = RAND_load_file(seedfile, opt);
if (!opt) {
fprintf(stderr, "Could not load RNG seed %s\n", optarg);
return 1;
}
if (verbose > 0) {
fprintf(stderr,
"Read %d bytes from RNG seed file\n", opt);
}
}
if (regex) {
vcp = vg_regex_context_new(addrtype, privtype);
} else {
vcp = vg_prefix_context_new(addrtype, privtype,
caseinsensitive);
}
vcp->vc_verbose = verbose;
vcp->vc_result_file = result_file;
vcp->vc_remove_on_match = remove_on_match;
vcp->vc_only_one = only_one;
vcp->vc_format = format;
vcp->vc_pubkeytype = pubkeytype;
vcp->vc_pubkey_base = pubkey_base;
vcp->vc_output_match = vg_output_match_console;
vcp->vc_output_timing = vg_output_timing_console;
if (!npattfp) {
if (optind >= argc) {
usage(argv[0]);
return 1;
}
patterns = &argv[optind];
npatterns = argc - optind;
if (!vg_context_add_patterns(vcp,
(const char ** const) patterns,
npatterns))
return 1;
}
for (i = 0; i < npattfp; i++) {
fp = pattfp[i];
if (!vg_read_file(fp, &patterns, &npatterns)) {
fprintf(stderr, "Failed to load pattern file\n");
return 1;
}
if (fp != stdin)
fclose(fp);
if (!regex)
vg_prefix_context_set_case_insensitive(vcp, pattfpi[i]);
if (!vg_context_add_patterns(vcp,
(const char ** const) patterns,
npatterns))
return 1;
}
if (!vcp->vc_npatterns) {
fprintf(stderr, "No patterns to search\n");
return 1;
}
if (prompt_password) {
if (!vg_read_password(pwbuf, sizeof(pwbuf)))
return 1;
key_password = pwbuf;
}
vcp->vc_key_protect_pass = key_password;
if (key_password) {
if (!vg_check_password_complexity(key_password, verbose))
fprintf(stderr,
"WARNING: Protecting private keys with "
"weak password\n");
}
if ((verbose > 0) && regex && (vcp->vc_npatterns > 1))
fprintf(stderr,
"Regular expressions: %ld\n", vcp->vc_npatterns);
if (simulate)
return 0;
if (!start_threads(vcp, nthreads))
return 1;
return 0;
}
void init_crypto(void)
{
RAND_load_file("/dev/urandom", 1024);
ERR_load_crypto_strings();
}
PUBLIC int sslOpen()
{
RandBuf randBuf;
trace(7, "Initializing SSL");
randBuf.now = time(0);
randBuf.pid = getpid();
RAND_seed((void*) &randBuf, sizeof(randBuf));
#if BIT_UNIX_LIKE
trace(6, "OpenSsl: Before calling RAND_load_file");
RAND_load_file("/dev/urandom", 256);
trace(6, "OpenSsl: After calling RAND_load_file");
#endif
CRYPTO_malloc_init();
#if !BIT_WIN_LIKE
OpenSSL_add_all_algorithms();
#endif
SSL_library_init();
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
if ((sslctx = SSL_CTX_new(SSLv23_server_method())) == 0) {
error("Unable to create SSL context");
return -1;
}
/*
Set the client certificate verification locations
*/
if (*BIT_GOAHEAD_CA) {
if ((!SSL_CTX_load_verify_locations(sslctx, BIT_GOAHEAD_CA, NULL)) || (!SSL_CTX_set_default_verify_paths(sslctx))) {
error("Unable to read cert verification locations");
sslClose();
return -1;
}
}
/*
Set the server certificate and key files
*/
if (*BIT_GOAHEAD_KEY && sslSetKeyFile(BIT_GOAHEAD_KEY) < 0) {
sslClose();
return -1;
}
if (*BIT_GOAHEAD_CERTIFICATE && sslSetCertFile(BIT_GOAHEAD_CERTIFICATE) < 0) {
sslClose();
return -1;
}
SSL_CTX_set_tmp_rsa_callback(sslctx, rsaCallback);
#if VERIFY_CLIENT
if (verifyPeer) {
SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verifyX509Certificate);
#if FUTURE && KEEP
SSL_CTX_set_verify_depth(context, VERIFY_DEPTH);
#endif
} else {
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, verifyX509Certificate);
}
#else
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, verifyX509Certificate);
#endif
/*
Set the certificate authority list for the client
*/
if (BIT_GOAHEAD_CA && *BIT_GOAHEAD_CA) {
SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(BIT_GOAHEAD_CA));
}
SSL_CTX_set_cipher_list(sslctx, BIT_GOAHEAD_CIPHERS);
SSL_CTX_set_options(sslctx, SSL_OP_ALL);
SSL_CTX_sess_set_cache_size(sslctx, 128);
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET);
#endif
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
SSL_CTX_set_options(sslctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#endif
SSL_CTX_set_mode(sslctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY);
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);
/*
Ensure we generate a new private key for each connection
*/
SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE);
return 0;
}
static void setup_ssl(tcptest_t *item)
{
static int ssl_init_complete = 0;
struct servent *sp;
char portinfo[100];
X509 *peercert;
char *certcn, *certstart, *certend;
int err;
strbuffer_t *sslinfo;
char msglin[2048];
item->sslrunning = 1;
if (!ssl_init_complete) {
/* Setup entropy */
if (RAND_status() != 1) {
char path[PATH_MAX]; /* Path for the random file */
/* load entropy from files */
RAND_load_file(RAND_file_name(path, sizeof (path)), -1);
/* load entropy from egd sockets */
RAND_egd("/var/run/egd-pool");
RAND_egd("/dev/egd-pool");
RAND_egd("/etc/egd-pool");
RAND_egd("/var/spool/prngd/pool");
/* shuffle $RANDFILE (or ~/.rnd if unset) */
RAND_write_file(RAND_file_name(path, sizeof (path)));
if (RAND_status() != 1) {
errprintf("Failed to find enough entropy on your system");
item->errcode = CONTEST_ESSL;
return;
}
}
SSL_load_error_strings();
SSL_library_init();
ssl_init_complete = 1;
}
if (item->sslctx == NULL) {
switch (item->ssloptions->sslversion) {
case SSLVERSION_V2:
item->sslctx = SSL_CTX_new(SSLv2_client_method()); break;
case SSLVERSION_V3:
item->sslctx = SSL_CTX_new(SSLv3_client_method()); break;
case SSLVERSION_TLS1:
item->sslctx = SSL_CTX_new(TLSv1_client_method()); break;
default:
item->sslctx = SSL_CTX_new(SSLv23_client_method()); break;
}
if (!item->sslctx) {
char sslerrmsg[256];
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Cannot create SSL context - IP %s, service %s: %s\n",
inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg);
item->sslrunning = 0;
item->errcode = CONTEST_ESSL;
return;
}
/* Workaround SSL bugs */
SSL_CTX_set_options(item->sslctx, SSL_OP_ALL);
SSL_CTX_set_quiet_shutdown(item->sslctx, 1);
/* Limit set of ciphers, if user wants to */
if (item->ssloptions->cipherlist)
SSL_CTX_set_cipher_list(item->sslctx, item->ssloptions->cipherlist);
if (item->ssloptions->clientcert) {
int status;
char certfn[PATH_MAX];
SSL_CTX_set_default_passwd_cb(item->sslctx, cert_password_cb);
SSL_CTX_set_default_passwd_cb_userdata(item->sslctx, item);
sprintf(certfn, "%s/certs/%s", xgetenv("XYMONHOME"), item->ssloptions->clientcert);
status = SSL_CTX_use_certificate_chain_file(item->sslctx, certfn);
if (status == 1) {
status = SSL_CTX_use_PrivateKey_file(item->sslctx, certfn, SSL_FILETYPE_PEM);
}
if (status != 1) {
char sslerrmsg[256];
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Cannot load SSL client certificate/key %s: %s\n",
item->ssloptions->clientcert, sslerrmsg);
item->sslrunning = 0;
item->errcode = CONTEST_ESSL;
return;
}
}
}
if (item->ssldata == NULL) {
item->ssldata = SSL_new(item->sslctx);
if (!item->ssldata) {
char sslerrmsg[256];
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("SSL_new failed - IP %s, service %s: %s\n",
inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg);
item->sslrunning = 0;
SSL_CTX_free(item->sslctx);
item->errcode = CONTEST_ESSL;
return;
}
/* Verify that the client certificate is working */
if (item->ssloptions->clientcert) {
X509 *x509;
x509 = SSL_get_certificate(item->ssldata);
if(x509 != NULL) {
EVP_PKEY *pktmp = X509_get_pubkey(x509);
EVP_PKEY_copy_parameters(pktmp,SSL_get_privatekey(item->ssldata));
EVP_PKEY_free(pktmp);
}
if (!SSL_CTX_check_private_key(item->sslctx)) {
errprintf("Private/public key mismatch for certificate %s\n", item->ssloptions->clientcert);
item->sslrunning = 0;
item->errcode = CONTEST_ESSL;
return;
}
}
/* SSL setup is done. Now attach the socket FD to the SSL protocol handler */
if (SSL_set_fd(item->ssldata, item->fd) != 1) {
char sslerrmsg[256];
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Could not initiate SSL on connection - IP %s, service %s: %s\n",
inet_ntoa(item->addr.sin_addr), item->svcinfo->svcname, sslerrmsg);
item->sslrunning = 0;
SSL_free(item->ssldata);
SSL_CTX_free(item->sslctx);
item->errcode = CONTEST_ESSL;
return;
}
}
sp = getservbyport(item->addr.sin_port, "tcp");
if (sp) {
sprintf(portinfo, "%s (%d/tcp)", sp->s_name, item->addr.sin_port);
}
else {
sprintf(portinfo, "%d/tcp", item->addr.sin_port);
}
if ((err = SSL_connect(item->ssldata)) != 1) {
char sslerrmsg[256];
switch (SSL_get_error (item->ssldata, err)) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
item->sslrunning = SSLSETUP_PENDING;
break;
case SSL_ERROR_SYSCALL:
ERR_error_string(ERR_get_error(), sslerrmsg);
/* Filter out the bogus SSL error */
if (strstr(sslerrmsg, "error:00000000:") == NULL) {
errprintf("IO error in SSL_connect to %s on host %s: %s\n",
portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg);
}
item->errcode = CONTEST_ESSL;
item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx);
break;
case SSL_ERROR_SSL:
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Unspecified SSL error in SSL_connect to %s on host %s: %s\n",
portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg);
item->errcode = CONTEST_ESSL;
item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx);
break;
default:
ERR_error_string(ERR_get_error(), sslerrmsg);
errprintf("Unknown error %d in SSL_connect to %s on host %s: %s\n",
err, portinfo, inet_ntoa(item->addr.sin_addr), sslerrmsg);
item->errcode = CONTEST_ESSL;
item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx);
break;
}
return;
}
/* If we get this far, the SSL handshake has completed. So grab the certificate */
peercert = SSL_get_peer_certificate(item->ssldata);
if (!peercert) {
errprintf("Cannot get peer certificate for %s on host %s\n",
portinfo, inet_ntoa(item->addr.sin_addr));
item->errcode = CONTEST_ESSL;
item->sslrunning = 0; SSL_free(item->ssldata); SSL_CTX_free(item->sslctx);
return;
}
sslinfo = newstrbuffer(0);
certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0);
certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert)));
certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert)));
snprintf(msglin, sizeof(msglin),
"Server certificate:\n\tsubject:%s\n\tstart date: %s\n\texpire date:%s\n",
certcn, certstart, certend);
addtobuffer(sslinfo, msglin);
item->certsubject = strdup(certcn);
item->certexpires = sslcert_expiretime(certend);
xfree(certcn); xfree(certstart); xfree(certend);
X509_free(peercert);
/* We list the available ciphers in the SSL cert data */
{
int i;
STACK_OF(SSL_CIPHER) *sk;
addtobuffer(sslinfo, "\nAvailable ciphers:\n");
sk = SSL_get_ciphers(item->ssldata);
for (i=0; i<sk_SSL_CIPHER_num(sk); i++) {
int b1, b2;
char *cph;
b1 = SSL_CIPHER_get_bits(sk_SSL_CIPHER_value(sk,i), &b2);
cph = SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk,i));
snprintf(msglin, sizeof(msglin), "Cipher %d: %s (%d bits)\n", i, cph, b1);
addtobuffer(sslinfo, msglin);
if ((item->mincipherbits == 0) || (b1 < item->mincipherbits)) item->mincipherbits = b1;
}
}
item->certinfo = grabstrbuffer(sslinfo);
}
static
int random_the_seed(struct SessionHandle *data)
{
char *buf = data->state.buffer; /* point to the big buffer */
int nread=0;
/* Q: should we add support for a random file name as a libcurl option?
A: Yes, it is here */
#ifndef RANDOM_FILE
/* if RANDOM_FILE isn't defined, we only perform this if an option tells
us to! */
if(data->set.ssl.random_file)
#define RANDOM_FILE "" /* doesn't matter won't be used */
#endif
{
/* let the option override the define */
nread += RAND_load_file((data->set.ssl.random_file?
data->set.ssl.random_file:RANDOM_FILE),
16384);
if(seed_enough(nread))
return nread;
}
#if defined(HAVE_RAND_EGD)
/* only available in OpenSSL 0.9.5 and later */
/* EGD_SOCKET is set at configure time or not at all */
#ifndef EGD_SOCKET
/* If we don't have the define set, we only do this if the egd-option
is set */
if(data->set.ssl.egdsocket)
#define EGD_SOCKET "" /* doesn't matter won't be used */
#endif
{
/* If there's an option and a define, the option overrides the
define */
int ret = RAND_egd(data->set.ssl.egdsocket?
data->set.ssl.egdsocket:EGD_SOCKET);
if(-1 != ret) {
nread += ret;
if(seed_enough(nread))
return nread;
}
}
#endif
/* If we get here, it means we need to seed the PRNG using a "silly"
approach! */
#ifdef HAVE_RAND_SCREEN
/* This one gets a random value by reading the currently shown screen */
RAND_screen();
nread = 100; /* just a value */
#else
{
int len;
char *area;
/* Changed call to RAND_seed to use the underlying RAND_add implementation
* directly. Do this in a loop, with the amount of additional entropy
* being dependent upon the algorithm used by Curl_FormBoundary(): N bytes
* of a 7-bit ascii set. -- Richard Gorton, March 11 2003.
*/
do {
area = Curl_FormBoundary();
if(!area)
return 3; /* out of memory */
len = (int)strlen(area);
RAND_add(area, len, (len >> 1));
free(area); /* now remove the random junk */
} while (!RAND_status());
}
#endif
/* generates a default path for the random seed file */
buf[0]=0; /* blank it first */
RAND_file_name(buf, BUFSIZE);
if(buf[0]) {
/* we got a file name to try */
nread += RAND_load_file(buf, 16384);
if(seed_enough(nread))
return nread;
}
infof(data, "libcurl is now using a weak random seed!\n");
return nread;
}
int main( int argc, char *argv[] )
{
char *fn = "main()";
char f_randfile[ PATH_MAX ];
int listensd; /* socket descriptor we'll bind to */
int clientsd; /* incoming socket descriptor */
int addrlen;
struct sockaddr_in srvaddr;
struct sockaddr_in cliaddr;
pthread_t ThreadId; /* thread id of each incoming conn */
pthread_t RecycleThread; /* used just for the recycle thread */
pthread_attr_t attr; /* generic thread attribute struct */
int rc, i, fd;
unsigned int ui;
pid_t pid; /* used just for a fork call */
struct linger lingerstruct; /* for the socket reuse stuff */
int flag; /* for the socket reuse stuff */
ICC_Struct *ICC_tptr;
extern char *optarg;
extern int optind;
char ConfigFile[ MAXPATHLEN ]; /* path to our config file */
#ifdef HAVE_LIBWRAP
struct request_info r; /* request struct for libwrap */
#endif
flag = 1;
ConfigFile[0] = '\0';
/*
* Ignore signals we don't want to die from but we don't care enough
* about to catch.
*/
signal( SIGPIPE, SIG_IGN );
signal( SIGHUP, SIG_IGN );
while (( i = getopt( argc, argv, "f:h" ) ) != EOF )
{
switch( i )
{
case 'f':
/* user specified a config filename */
strncpy( ConfigFile, optarg, sizeof ConfigFile -1 );
ConfigFile[ sizeof ConfigFile - 1 ] = '\0';
syslog( LOG_INFO, "%s: Using configuration file '%s'",
fn, ConfigFile );
break;
case 'h':
Usage();
exit( 0 );
case '?':
Usage();
exit( 1 );
}
}
/*
* Make sure we know which config file to use and then set our config
* options.
*/
if ( ! ConfigFile[0] )
{
strncpy( ConfigFile, DEFAULT_CONFIG_FILE, sizeof ConfigFile -1 );
ConfigFile[ sizeof ConfigFile - 1 ] = '\0';
syslog( LOG_INFO, "%s: Using default configuration file '%s'.",
fn, ConfigFile );
}
SetConfigOptions( ConfigFile );
SetLogOptions();
/*
* Just for logging purposes, are we doing SELECT caching or not?
*/
if ( PC_Struct.enable_select_cache )
syslog( LOG_INFO, "%s: SELECT caching is enabled", fn );
else
syslog( LOG_INFO, "%s: SELECT caching is disabled", fn );
#ifdef HAVE_LIBWRAP
/*
* Set our tcpd service name
*/
if (service = strrchr(argv[0], '/'))
service++;
else
service = argv[0];
#endif
/*
* Initialize some stuff.
*/
rc = pthread_mutex_init(&mp, NULL);
if ( rc )
{
syslog(LOG_ERR, "%s: pthread_mutex_init() returned error [%d] initializing main mutex. Exiting.", fn, rc );
exit( 1 );
}
rc = pthread_mutex_init(&trace, NULL);
if ( rc )
{
syslog(LOG_ERR, "%s: pthread_mutex_init() returned error [%d] initializing trace mutex. Exiting.", fn, rc );
exit( 1 );
}
TraceUser[0] = '\0';
syslog( LOG_INFO, "%s: Allocating %d IMAP connection structures.",
fn, PC_Struct.cache_size );
ICC_free = (ICC_Struct *)malloc( ( sizeof ( ICC_Struct ) )
* PC_Struct.cache_size );
if ( ! ICC_free )
{
syslog(LOG_ERR, "%s: malloc() failed to allocate [%d] IMAPConnectionContext structures: %s", fn, PC_Struct.cache_size, strerror( errno ) );
exit( 1 );
}
memset( ICC_free, 0, sizeof ( ICC_Struct ) * PC_Struct.cache_size );
ICC_tptr = ICC_free;
/*
* Bug fixed by Gary Mills <*****@*****.**>. I was pre-incrementing
* ICC_tptr and then assigning. I guess gcc evaluates the expression
* incorrectly, since I never had a problem with this. Gary had the
* problem with cc, so it's fixed here.
*/
for ( ui = 0; ui < PC_Struct.cache_size - 1; ui++ )
{
ICC_tptr->next = ICC_tptr + 1;
ICC_tptr++;
}
memset( ICC_HashTable, 0, sizeof ICC_HashTable );
ServerInit();
/* detach from our parent if necessary */
if (! (getppid() == 1) && ( ! PC_Struct.foreground_mode ) )
{
syslog( LOG_INFO, "%s: Configured to run in background mode.", fn );
if ( (pid = fork()) < 0)
{
syslog(LOG_ERR, "%s: initial call to fork() failed: %s", fn, strerror(errno));
exit( 1 );
}
else if ( pid > 0)
{
exit( 0 );
}
if (setsid() == -1)
{
syslog(LOG_WARNING, "%s: setsid() failed: %s",
fn, strerror(errno));
}
if ( (pid = fork()) < 0)
{
syslog(LOG_ERR, "%s: secondary call to fork() failed: %s", fn,
strerror(errno));
exit( 1 );
}
else if ( pid > 0)
{
exit( 0 );
}
}
else
{
syslog( LOG_INFO, "%s: Configured to run in foreground mode.", fn );
}
SetBannerAndCapability();
if ( PC_Struct.login_disabled || PC_Struct.force_tls )
{
syslog( LOG_INFO, "%s: Enabling STARTTLS.", fn );
#if HAVE_LIBSSL
if ( PC_Struct.support_starttls )
{
/* Initialize SSL_CTX */
SSL_library_init();
/* Need to seed PRNG, too! */
if ( RAND_egd( ( RAND_file_name( f_randfile, sizeof( f_randfile ) ) == f_randfile ) ? f_randfile : "/.rnd" ) )
{
/* Not an EGD, so read and write it. */
if ( RAND_load_file( f_randfile, -1 ) )
RAND_write_file( f_randfile );
}
SSL_load_error_strings();
tls_ctx = SSL_CTX_new( TLSv1_client_method() );
if ( tls_ctx == NULL )
{
syslog(LOG_ERR, "%s: Failed to create new SSL_CTX. Exiting.", fn);
exit( 1 );
}
/* Work around all known bugs */
SSL_CTX_set_options( tls_ctx, SSL_OP_ALL );
if ( ! SSL_CTX_load_verify_locations( tls_ctx,
PC_Struct.tls_ca_file,
PC_Struct.tls_ca_path ) ||
! SSL_CTX_set_default_verify_paths( tls_ctx ) )
{
syslog(LOG_ERR, "%s: Failed to load CA data. Exiting.", fn);
exit( 1 );
}
if ( ! set_cert_stuff( tls_ctx,
PC_Struct.tls_cert_file,
PC_Struct.tls_key_file ) )
{
syslog(LOG_ERR, "%s: Failed to load cert/key data. Exiting.", fn);
exit( 1 );
}
SSL_CTX_set_verify(tls_ctx, SSL_VERIFY_NONE, verify_callback);
}
else
#endif /* HAVE_LIBSSL */
{
/* We're screwed! We won't be able to login without SASL */
syslog(LOG_ERR, "%s: IMAP server has LOGINDISABLED and we can't do STARTTLS. Exiting.", fn);
exit( 1 );
}
}
memset( (char *) &srvaddr, 0, sizeof srvaddr );
srvaddr.sin_family = PF_INET;
if ( !PC_Struct.listen_addr )
{
srvaddr.sin_addr.s_addr = htonl(INADDR_ANY);
}
else
{
srvaddr.sin_addr.s_addr = inet_addr( PC_Struct.listen_addr );
if ( srvaddr.sin_addr.s_addr == -1 )
{
syslog( LOG_ERR, "%s: bad bind address: '%s' specified in config file. Exiting.", fn, PC_Struct.listen_addr );
exit( 1 );
}
}
syslog(LOG_INFO, "%s: Binding to tcp %s:%d", fn, PC_Struct.listen_addr ?
PC_Struct.listen_addr : "*", PC_Struct.listen_port );
srvaddr.sin_port = htons(PC_Struct.listen_port);
listensd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if ( listensd == -1 )
{
syslog(LOG_ERR, "%s: socket() failed: %s", fn, strerror(errno));
exit( 1 );
}
setsockopt(listensd, SOL_SOCKET, SO_REUSEADDR, (void *)&flag,
sizeof(flag));
lingerstruct.l_onoff = 1;
lingerstruct.l_linger = 5;
setsockopt(listensd, SOL_SOCKET, SO_LINGER, (void *)&lingerstruct,
sizeof(lingerstruct));
if ( PC_Struct.send_tcp_keepalives )
{
lingerstruct.l_onoff = 1;
syslog( LOG_INFO, "%s: Enabling SO_KEEPALIVE.", fn );
setsockopt( listensd, SOL_SOCKET, SO_KEEPALIVE, (void *)&lingerstruct.l_onoff, sizeof lingerstruct.l_onoff );
}
if ( bind(listensd, (struct sockaddr *)&srvaddr, sizeof( srvaddr ) ) < 0 )
{
syslog(LOG_ERR, "%s: bind() failed: %s", fn, strerror(errno) );
exit( 1 );
}
/*
* Create and mmap() our stat file while we're still root. Since it's
* configurable, we want to make sure we do this as root so there's the
* greatest possibility that we'll have permission to write where we
* need to.
*/
syslog( LOG_INFO, "%s: Using global statistics file '%s'", fn,
PC_Struct.stat_filename );
fd = open( PC_Struct.stat_filename, O_RDWR | O_CREAT, S_IREAD | S_IWRITE );
if ( fd == -1 )
{
syslog(LOG_ERR, "%s: open() failed for '%s': %s -- Exiting.", fn,
PC_Struct.stat_filename, strerror( errno ) );
exit( 1 );
}
if ( ( ftruncate( fd, sizeof( IMAPCounter_Struct ) ) ) == -1 )
{
syslog(LOG_ERR, "%s: ftruncate() failed: %s -- Exiting.",
fn, strerror( errno ) );
exit( 1 );
}
IMAPCount = ( IMAPCounter_Struct *)mmap( 0, sizeof( IMAPCounter_Struct ),
PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0 );
if ( IMAPCount == MAP_FAILED )
{
syslog(LOG_ERR, "%s: mmap() failed: %s -- Exiting.",
fn, strerror( errno ) );
exit( 1 );
}
memset( IMAPCount, 0, sizeof( IMAPCounter_Struct ) );
IMAPCount->StartTime = time( 0 );
IMAPCount->CountTime = time( 0 );
if ( BecomeNonRoot() )
exit( 1 );
/* some misc thread setup */
rc = pthread_attr_init( &attr );
if ( rc )
{
syslog(LOG_ERR, "%s: pthread_attr_init() failed: [%d]\n", fn, rc);
exit( 1 );
}
rc = pthread_attr_setdetachstate( &attr, PTHREAD_CREATE_DETACHED );
if ( rc )
{
syslog(LOG_ERR, "%s: pthread_attr_setdetachstate() failed: [%d]\n",
fn, rc);
exit( 1 );
}
/* launch a recycle thread before we loop */
pthread_create( &RecycleThread, &attr, (void *)ICC_Recycle_Loop, NULL );
syslog(LOG_INFO, "%s: Launched ICC recycle thread with id %d",
fn, RecycleThread );
/*
* Now start listening and accepting connections.
*/
if ( listen(listensd, MAX_CONN_BACKLOG) < 0)
{
syslog( LOG_ERR, "%s: listen() failed: %s -- Exiting",
fn, strerror(errno));
exit( 1 );
}
syslog( LOG_INFO, "%s: Normal server startup.", fn );
/*
* Main server loop
*/
for ( ;; )
{
/*
* Bug fixed by Gary Mills <*****@*****.**>. I forgot
* to initialize addrlen.
*/
addrlen = sizeof cliaddr;
clientsd = accept( listensd, (struct sockaddr *)&cliaddr, &addrlen );
if ( clientsd == -1 )
{
syslog(LOG_WARNING, "%s: accept() failed: %s -- retrying",
fn, strerror(errno));
sleep( 1 );
continue;
}
#ifdef HAVE_LIBWRAP
request_init(&r, RQ_DAEMON, service, 0);
request_set(&r, RQ_FILE, clientsd, 0);
sock_host(&r);
if (!hosts_access(&r))
{
shutdown(clientsd, SHUT_RDWR);
close(clientsd);
syslog(deny_severity, "refused connection from %s", eval_client(&r));
continue;
}
#endif
IMAPCount->TotalClientConnectionsAccepted++;
IMAPCount->CurrentClientConnections++;
if ( IMAPCount->CurrentClientConnections >
IMAPCount->PeakClientConnections )
IMAPCount->PeakClientConnections = IMAPCount->CurrentClientConnections;
pthread_create( &ThreadId, &attr, (void *)HandleRequest, (void *)clientsd );
}
}
/*
* Create Global context SSL and use it in every new session
*
* - Load the trusted CAs
* - Load the Private key & the certificate
* - Set the Context options & Verify options
*/
static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
{
SSL_METHOD *meth;
SSL_CTX *ctx;
X509_STORE *certstore;
int verify_mode = SSL_VERIFY_NONE;
int ctx_options = 0;
int type;
/*
* Add all the default ciphers and message digests
* Create our context.
*/
SSL_library_init();
SSL_load_error_strings();
/*
* SHA256 is in all versions of OpenSSL, but isn't
* initialized by default. It's needed for WiMAX
* certificates.
*/
#ifdef HAVE_OPENSSL_EVP_SHA256
EVP_add_digest(EVP_sha256());
#endif
meth = TLSv1_method();
ctx = SSL_CTX_new(meth);
/*
* Identify the type of certificates that needs to be loaded
*/
if (conf->file_type) {
type = SSL_FILETYPE_PEM;
} else {
type = SSL_FILETYPE_ASN1;
}
/*
* Set the password to load private key
*/
if (conf->private_key_password) {
SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->private_key_password);
SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
}
/*
* Load our keys and certificates
*
* If certificates are of type PEM then we can make use
* of cert chain authentication using openssl api call
* SSL_CTX_use_certificate_chain_file. Please see how
* the cert chain needs to be given in PEM from
* openSSL.org
*/
if (type == SSL_FILETYPE_PEM) {
if (!(SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file %s", conf->certificate_file);
return NULL;
}
} else if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file %s", conf->certificate_file);
return NULL;
}
/* Load the CAs we trust */
if (conf->ca_file || conf->ca_path) {
if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list %s",conf->ca_file );
return NULL;
}
}
if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
if (!(SSL_CTX_use_PrivateKey_file(ctx, conf->private_key_file, type))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading private key file %s", conf->private_key_file);
return NULL;
}
/*
* Check if the loaded private key is the right one
*/
if (!SSL_CTX_check_private_key(ctx)) {
radlog(L_ERR, "rlm_eap_tls: Private key does not match the certificate public key");
return NULL;
}
/*
* Set ctx_options
*/
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;
/*
* SSL_OP_SINGLE_DH_USE must be used in order to prevent
* small subgroup attacks and forward secrecy. Always
* using
*
* SSL_OP_SINGLE_DH_USE has an impact on the computer
* time needed during negotiation, but it is not very
* large.
*/
ctx_options |= SSL_OP_SINGLE_DH_USE;
/*
* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to work around issues
* in Windows Vista client.
* http://www.openssl.org/~bodo/tls-cbc.txt
* http://www.nabble.com/(RADIATOR)-Radiator-Version-3.16-released-t2600070.html
*/
ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
SSL_CTX_set_options(ctx, ctx_options);
/*
* TODO: Set the RSA & DH
* SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);
* SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
*/
/*
* set the message callback to identify the type of
* message. For every new session, there can be a
* different callback argument.
*
* SSL_CTX_set_msg_callback(ctx, cbtls_msg);
*/
/* Set Info callback */
SSL_CTX_set_info_callback(ctx, cbtls_info);
/*
* Callbacks, etc. for session resumption.
*/
if (conf->session_cache_enable) {
SSL_CTX_sess_set_new_cb(ctx, cbtls_new_session);
SSL_CTX_sess_set_get_cb(ctx, cbtls_get_session);
SSL_CTX_sess_set_remove_cb(ctx, cbtls_remove_session);
SSL_CTX_set_quiet_shutdown(ctx, 1);
}
/*
* Check the certificates for revocation.
*/
#ifdef X509_V_FLAG_CRL_CHECK
if (conf->check_crl) {
certstore = SSL_CTX_get_cert_store(ctx);
if (certstore == NULL) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading Certificate Store");
return NULL;
}
X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
}
#endif
/*
* Set verify modes
* Always verify the peer certificate
*/
verify_mode |= SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verify_mode |= SSL_VERIFY_CLIENT_ONCE;
SSL_CTX_set_verify(ctx, verify_mode, cbtls_verify);
if (conf->verify_depth) {
SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
}
/* Load randomness */
if (!(RAND_load_file(conf->random_file, 1024*1024))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error loading randomness");
return NULL;
}
/*
* Set the cipher list if we were told to
*/
if (conf->cipher_list) {
if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
radlog(L_ERR, "rlm_eap_tls: Error setting cipher list");
return NULL;
}
}
/*
* Setup session caching
*/
if (conf->session_cache_enable) {
/*
* Create a unique context Id per EAP-TLS configuration.
*/
if (conf->session_id_name) {
snprintf(conf->session_context_id,
sizeof(conf->session_context_id),
"FreeRADIUS EAP-TLS %s",
conf->session_id_name);
} else {
snprintf(conf->session_context_id,
sizeof(conf->session_context_id),
"FreeRADIUS EAP-TLS %p", conf);
}
/*
* Cache it, and DON'T auto-clear it.
*/
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);
SSL_CTX_set_session_id_context(ctx,
(unsigned char *) conf->session_context_id,
(unsigned int) strlen(conf->session_context_id));
/*
* Our timeout is in hours, this is in seconds.
*/
SSL_CTX_set_timeout(ctx, conf->session_timeout * 3600);
/*
* Set the maximum number of entries in the
* session cache.
*/
SSL_CTX_sess_set_cache_size(ctx, conf->session_cache_size);
} else {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
}
/*
* Register the application indices. We can't use
* hard-coded "0" and "1" as before, because we need to
* set up a "free" handler for the cached session
* information.
*/
if (eaptls_handle_idx < 0) {
eaptls_handle_idx = SSL_get_ex_new_index(0, "eaptls_handle_idx",
NULL, NULL, NULL);
}
if (eaptls_conf_idx < 0) {
eaptls_conf_idx = SSL_get_ex_new_index(0, "eaptls_conf_idx",
NULL, NULL, NULL);
}
if (eaptls_session_idx < 0) {
eaptls_session_idx = SSL_get_ex_new_index(0, "eaptls_session_idx",
NULL, NULL,
eaptls_session_free);
}
return ctx;
}
static
int tls_init_context(tls_t *tls, tls_issues_t const *ti)
{
int verify;
static int random_loaded;
ONCE_INIT(tls_init_once);
if (!random_loaded) {
random_loaded = 1;
if (ti->randFile &&
!RAND_load_file(ti->randFile, 1024 * 1024)) {
if (ti->configured > 1) {
SU_DEBUG_3(("%s: cannot open randFile %s\n",
"tls_init_context", ti->randFile));
tls_log_errors(3, "tls_init_context", 0);
}
/* errno = EIO; */
/* return -1; */
}
}
#if HAVE_SIGPIPE
/* Avoid possible SIGPIPE when sending close_notify */
signal(SIGPIPE, SIG_IGN);
#endif
if (tls->ctx == NULL) {
const SSL_METHOD *meth;
/* meth = SSLv3_method(); */
/* meth = SSLv23_method(); */
if (ti->version)
meth = TLSv1_method();
else
meth = SSLv23_method();
tls->ctx = SSL_CTX_new((SSL_METHOD*)meth);
}
if (tls->ctx == NULL) {
tls_log_errors(1, "tls_init_context", 0);
errno = EIO;
return -1;
}
if (!SSL_CTX_use_certificate_file(tls->ctx,
ti->cert,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid local certificate: %s\n",
"tls_init_context", ti->cert));
tls_log_errors(3, "tls_init_context", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_use_PrivateKey_file(tls->ctx,
ti->key,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid private key: %s\n",
"tls_init_context", ti->key));
tls_log_errors(3, "tls_init_context(key)", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_check_private_key(tls->ctx)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: private key does not match the certificate public key\n",
"tls_init_context"));
}
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
if (!SSL_CTX_load_verify_locations(tls->ctx,
ti->CAfile,
ti->CApath)) {
SU_DEBUG_1(("%s: error loading CA list: %s\n",
"tls_init_context", ti->CAfile));
if (ti->configured > 0)
tls_log_errors(3, "tls_init_context(CA)", 0);
errno = EIO;
return -1;
}
/* corresponds to (enum tport_tls_verify_policy) */
tls->verify_incoming = (ti->policy & 0x1) ? 1 : 0;
tls->verify_outgoing = (ti->policy & 0x2) ? 1 : 0;
tls->verify_subj_in = (ti->policy & 0x4) ? tls->verify_incoming : 0;
tls->verify_subj_out = (ti->policy & 0x8) ? tls->verify_outgoing : 0;
tls->verify_date = (ti->verify_date) ? 1 : 0;
if (tls->verify_incoming)
verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
else
verify = SSL_VERIFY_NONE;
SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb);
if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context"));
tls_log_errors(3, "tls_init_context", 0);
errno = EIO;
return -1;
}
return 0;
}
