C++ (Cpp) load_dh_params примеры использования

Пример #1

Файл: eventer_SSL_fd_opset.c Проект: esproul/libmtev

static int
generate_dh_params(eventer_t e, int mask, void *cl, struct timeval *now) {
  int bits = (int)(intptr_t)cl;
  if(mask != EVENTER_ASYNCH_WORK) return 0;
  switch(bits) {
  case 1024:
    if(!dh1024_tmp) dh1024_tmp = load_dh_params(dh1024_file);
    if(!dh1024_tmp) {
      mtevL(mtev_notice, "Generating 1024 bit DH parameters.\n");
      dh1024_tmp = DH_generate_parameters(1024, 2, NULL, NULL);
      mtevL(mtev_notice, "Finished generating 1024 bit DH parameters.\n");
      save_dh_params(dh1024_tmp, dh1024_file);
    }
    break;
  case 2048:
    if(!dh2048_tmp) dh2048_tmp = load_dh_params(dh2048_file);
    if(!dh2048_tmp) {
      mtevL(mtev_notice, "Generating 2048 bit DH parameters.\n");
      dh2048_tmp = DH_generate_parameters(2048, 2, NULL, NULL);
      mtevL(mtev_notice, "Finished generating 2048 bit DH parameters.\n");
      save_dh_params(dh2048_tmp, dh2048_file);
    }
    break;
  default:
    mtevFatal(mtev_error, "Unexpected DH parameter request: %d\n", bits);
  }
  return 0;
}

Пример #2

Файл: certificatemanager.cpp Проект: Kaligule/gobby

Gobby::CertificateManager::CertificateManager(Preferences& preferences):
	m_preferences(preferences),
	m_dh_params(NULL), m_key(NULL), m_certificates(NULL),
	m_credentials(NULL), m_key_error(NULL), m_certificate_error(NULL),
	m_trust_error(NULL)
{
	m_conn_key_file = m_preferences.security.key_file.
		signal_changed().connect(sigc::mem_fun(
			*this, &CertificateManager::on_key_file_changed));
	m_conn_certificate_file = m_preferences.security.certificate_file.
		signal_changed().connect(sigc::mem_fun(
			*this,
			 &CertificateManager::on_certificate_file_changed));
	m_preferences.security.use_system_trust.signal_changed().connect(
		sigc::mem_fun(
			*this, &CertificateManager::on_trusted_cas_changed));
	m_preferences.security.trusted_cas.signal_changed().connect(
		sigc::mem_fun(
			*this, &CertificateManager::on_trusted_cas_changed));

	m_preferences.security.authentication_enabled.
		signal_changed().connect(
			sigc::mem_fun(
				*this,
				 &CertificateManager::
					on_authentication_enabled_changed));

	// TODO: Load these only on request, to improve the startup time
	load_dh_params();
	load_key();
	load_certificate();
	load_trust();

	make_credentials();
}

Пример #3

Файл: rlm_eap_tls.c Проект: SunshineAllWay/CPAchecker

/*
 *	Attach the EAP-TLS module.
 */
static int eaptls_attach(CONF_SECTION *cs, void **instance)
{
	EAP_TLS_CONF	 *conf;
	eap_tls_t 	 *inst;

	/* Store all these values in the data structure for later references */
	inst = (eap_tls_t *)malloc(sizeof(*inst));
	if (!inst) {
		radlog(L_ERR, "rlm_eap_tls: out of memory");
		return -1;
	}
	memset(inst, 0, sizeof(*inst));

	/*
	 *	Parse the config file & get all the configured values
	 */
	conf = (EAP_TLS_CONF *)malloc(sizeof(*conf));
	if (conf == NULL) {
		radlog(L_ERR, "rlm_eap_tls: out of memory");
		return -1;
	}
	memset(conf, 0, sizeof(*conf));

	inst->conf = conf;
	if (cf_section_parse(cs, conf, module_config) < 0) {
		eaptls_detach(inst);
		return -1;
	}


	/*
	 *	Initialize TLS
	 */
	inst->ctx = init_tls_ctx(conf);
	if (inst->ctx == NULL) {
		eaptls_detach(inst);
		return -1;
	}

	if (load_dh_params(inst->ctx, conf->dh_file) < 0) {
		eaptls_detach(inst);
		return -1;
	}
	if (generate_eph_rsa_key(inst->ctx) < 0) {
		eaptls_detach(inst);
		return -1;
	}

	*instance = inst;

	return 0;
}

Пример #4

Файл: rlm_eap_tls.c Проект: PeterSteiert/freeradius-server

/*
 *	Attach the EAP-TLS module.
 */
static int eaptls_attach(CONF_SECTION *cs, void **instance)
{
	EAP_TLS_CONF	 *conf;
	eap_tls_t 	 *inst;

	/* Store all these values in the data structure for later references */
	inst = (eap_tls_t *)malloc(sizeof(*inst));
	if (!inst) {
		radlog(L_ERR, "rlm_eap_tls: out of memory");
		return -1;
	}
	memset(inst, 0, sizeof(*inst));

	/*
	 *	Parse the config file & get all the configured values
	 */
	conf = (EAP_TLS_CONF *)malloc(sizeof(*conf));
	if (conf == NULL) {
		free(inst);
		radlog(L_ERR, "rlm_eap_tls: out of memory");
		return -1;
	}
	memset(conf, 0, sizeof(*conf));

	inst->conf = conf;
	if (cf_section_parse(cs, conf, module_config) < 0) {
		eaptls_detach(inst);
		return -1;
	}

	/*
	 *	The EAP RFC's say 1020, but we're less picky.
	 */
	if (conf->fragment_size < 100) {
		radlog(L_ERR, "rlm_eap_tls: Fragment size is too small.");
		eaptls_detach(inst);
		return -1;
	}

	/*
	 *	The maximum size for a RADIUS packet is 4096,
	 *	minus the header (20), Message-Authenticator (18),
	 *	and State (18), etc. results in about 4000 bytes of data
	 *	that can be devoted *solely* to EAP.
	 */
	if (conf->fragment_size > 4000) {
		radlog(L_ERR, "rlm_eap_tls: Fragment size is too large.");
		eaptls_detach(inst);
		return -1;
	}

	/*
	 *	Account for the EAP header (4), and the EAP-TLS header
	 *	(6), as per Section 4.2 of RFC 2716.  What's left is
	 *	the maximum amount of data we read from a TLS buffer.
	 */
	conf->fragment_size -= 10;

	/*
	 *	This magic makes the administrators life HUGELY easier
	 *	on initial deployments.
	 *
	 *	If the server starts up in debugging mode, AND the
	 *	bootstrap command is configured, AND it exists, AND
	 *	there is no server certificate
	 */
	if (conf->make_cert_command && (debug_flag >= 2)) {
		struct stat buf;

		if ((stat(conf->make_cert_command, &buf) == 0) &&
		    (stat(conf->certificate_file, &buf) < 0) &&
		    (errno == ENOENT) &&
		    (radius_exec_program(conf->make_cert_command, NULL, 1,
					 NULL, 0, NULL, NULL, 0) != 0)) {
			eaptls_detach(inst);
			return -1;
		}
	}


	/*
	 *	Initialize TLS
	 */
	inst->ctx = init_tls_ctx(conf);
	if (inst->ctx == NULL) {
		eaptls_detach(inst);
		return -1;
	}

#ifdef HAVE_OPENSSL_OCSP_H
	/*
	 * 	Initialize OCSP Revocation Store
	 */
	if (conf->ocsp_enable) {
		inst->store = init_revocation_store(conf);
		if (inst->store == NULL) {
			eaptls_detach(inst);
		  return -1;
		}
	}
#endif HAVE_OPENSSL_OCSP_H

	if (load_dh_params(inst->ctx, conf->dh_file) < 0) {
		eaptls_detach(inst);
		return -1;
	}

        if (generate_eph_rsa_key(inst->ctx) < 0) {
		eaptls_detach(inst);
                return -1;
        }

	if (conf->verify_tmp_dir) {
		if (chmod(conf->verify_tmp_dir, S_IRWXU) < 0) {
			radlog(L_ERR, "rlm_eap_tls: Failed changing permissions on %s: %s", conf->verify_tmp_dir, strerror(errno));
			eaptls_detach(inst);
			return -1;
		}
	}

	if (conf->verify_client_cert_cmd && !conf->verify_tmp_dir) {
		radlog(L_ERR, "rlm_eap_tls: You MUST set the verify directory in order to use verify_client_cmd");
		eaptls_detach(inst);
		return -1;
	}

	*instance = inst;

	return 0;
}

Пример #5

int main(int argc, char** argv)
{
	if(argc<4) {
		printf("Usage: ./wserver cert-file priv-key-file pub-key-file.\n");
		exit(0);
	}
	else {
		CERTFILE = argv[1];
		KEYFILE = argv[2];
		PUBFILE = argv[3];
		const char* PROMPT = "Enter password for Old Key file: ";
		if(argc == 5) {
			OLDKEY = argv[4];
			PASSWORD = getpass(PROMPT);
			OLDPASS = (char*) calloc(1, strlen(PASSWORD)+1);
			strcpy(OLDPASS, PASSWORD);
		}
		PROMPT = "Enter password for Key file: ";
		PASSWORD = getpass(PROMPT);
	}

    int sock,s;
    BIO *sbio;
    SSL_CTX *ctx;
    SSL *ssl;
    int r;
    pid_t pid;
    char buf[BUFSIZZ];
	char *owner = (char*) calloc(1,256);

    ctx=initialize_ctx(CERTFILE,KEYFILE,PASSWORD);
    load_dh_params(ctx,DHFILE);    

    sock=tcp_listen();
	if((s=accept(sock,0,0))<0) err_exit("Problem accepting");
	sbio=BIO_new_socket(s,BIO_NOCLOSE);
	ssl=SSL_new(ctx);
	SSL_set_bio(ssl,sbio,sbio);
	SSL_set_verify(ssl,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);        
	if((r=SSL_accept(ssl)<=0)) berr_exit("SSL accept error");
	if(check_cert(ssl, ctx, &owner)<=0) {
		send_data(ssl, "Revoked");
		printf("Connection Closed.\n");
		close_SSL(ssl, sock);
		destroy_ctx(ctx);
		exit(0);
	}
	send_data(ssl, "Approved");
	printf("User connected: %s\n", owner);

	if((pid=fork())){
		close(s);
	}
	else {
		if(argc == 5) {recrypt();}
		while(1){
			memset((void*)buf, 0, BUFSIZZ);
			if(rec_data(buf, ssl)>0)
			{
				printf("Command received: %s\n", buf);
				if(starts_with(buf, "PUT")){
					put_file(ssl, buf, owner);
				}
				else if(starts_with(buf, "GET")){
					get_file(ssl, buf, owner);
				}
				else if(starts_with(buf, "DELEGATE")){
					delegate(ssl, buf, owner);
				}
				else if(starts_with(buf, "END")){
					close_SSL(ssl, sock);
					break;
				}
				else {
					printf("Command not recognized\n");
				}
			}
			else{
				perror("Error receiving command\n");
				break;
			}
		}
	}
    destroy_ctx(ctx);
    exit(0);
  }

Пример #6

Файл: wserver.c Проект: tecknicaltom/ciphersuites.com

void server(int protocol)
{
	int sock,s;
	BIO *sbio;
	SSL_CTX *ctx;
	SSL *ssl;
	int r;
	pid_t pid;

	/* Build our SSL context*/
	ctx=initialize_ctx(KEYFILE,PASSWORD);
	load_dh_params(ctx,DHFILE);
	SSL_CTX_set_cipher_list(ctx,"ALL");
	long options = SSL_OP_NO_TICKET | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
	int port;
	switch (protocol)
	{
	case SSL2_VERSION:
		options |= SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
		port = 4434;
		break;
	case SSL3_VERSION:
		options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
		port = 4435;
		break;
	case TLS1_VERSION:
		options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
		port = 4436;
		break;
	case TLS1_1_VERSION:
		options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
		port = 4437;
		break;
	case TLS1_2_VERSION:
		options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
		port = 4438;
		break;
	default:
		err_exit("Unexpected protocol value");
	}
	SSL_CTX_set_options(ctx, options);

	sock=tcp_listen(port);

	while(1){
		if((s=accept(sock,0,0))<0)
			err_exit("Problem accepting");

		if((pid=fork())){
			close(s);
		}
		else {
			sbio=BIO_new_socket(s,BIO_NOCLOSE);
			ssl=SSL_new(ctx);
			SSL_set_bio(ssl,sbio,sbio);

			if((r=SSL_accept(ssl)<=0))
				berr_exit("SSL accept error");

			http_serve(ssl,s);
			exit(0);
		}
	}
	destroy_ctx(ctx);
}

Пример #7

Файл: obsidian.c Проект: digination/obsidian

int main(int argc, char** argv) {


    extern dexpd_config conf0;
    int socknum = 0;
    int sock_id = 0;

    int wd = 0;
    int notify_fd = 0;
    int option_index = 0;

    char *peer_str;
    char c;
    int peer_num;

    pthread_t notify_th;
    pthread_t reconnect_th;
    pthread_t listenv6;

    struct sockaddr_in peer_addr;

    static struct option long_options[] = {
        {"dennis",no_argument,0, 'T'},
        {0, 0, 0, 0}
    };

    c = getopt_long (argc, argv, "T",long_options, &option_index);

    switch(c) {

    case 'T':

        dennis_tribute();
        break;

    default:

        break;

    }



    socklen_t addr_len = sizeof(peer_addr);

    printf ("\n");

    printf ("        /\\\n");
    printf ("       /01\\\n");
    printf ("      /0011\\\n");
    printf ("     /000111\\     [[ Obsidian 0.1 == Clement Game 2011 ]]\n");
    printf ("    /00001111\\\n");
    printf ("   /0000011000\\\n");
    printf ("   \\0000000000/\n\n");


    init_config();


    if (conf0.use_tls) {
        printf("initializing TLS config...\n");
        conf0.ctx=(SSL_CTX*)initialize_ctx(conf0.tls_server_cert,"password");
        load_dh_params(conf0.ctx,conf0.tls_server_dh);
    }

    printf("Loading catalog from %s...\n",conf0.data_dir);

    load_catalog(conf0.data_dir);
    printf("starting inotify events listener...\n");

    //inotify init functions on datadir;
    notify_fd = inotify_init();
    wd = inotify_add_watch(notify_fd, conf0.data_dir, IN_CLOSE_WRITE|IN_MOVED_TO);

    //starting a new thread for inotify events read
    pthread_create(&notify_th,NULL,notify_thread,&notify_fd);


    printf("initating connections with peers...\n");
    connectAll();
    pthread_create(&reconnect_th,NULL,reconnect_loop,NULL);

    printf("listening on %s:%d...\n",conf0.listening_addr,conf0.listening_port);

    socknum  = create_socket(conf0.listening_addr,conf0.listening_port);

    if (conf0.use_ipv6) {

        printf("listening on %s:%d...\n",conf0.ipv6_listening_addr,conf0.listening_port);
        pthread_create(&listenv6,NULL,listen_v6,NULL);

    }



    while(1) {

        if((sock_id = accept(socknum,(struct sockaddr*)&peer_addr,&addr_len))<0) {

            fprintf(stderr,"ERROR: CANNOT ACCEPT NEW CONNECTION ON %s:%d",conf0.listening_addr,conf0.listening_port);

        }

        else {

            peer_str = inet_ntoa(peer_addr.sin_addr);
            printf("New Connection From %s\n",peer_str);

            //gerer la notion de public ici
            if ( (peer_num = isPeer(peer_str,sock_id)) < 0 && conf0.pub == 0) {

                fprintf(stderr,"ERROR: REMOTE HOST NOT In PEERS LIST\n");
                close(sock_id);

            }

            else if (conf0.pub == 1) {

                printf("Notice: Accepting public connection for host %s\n",peer_str);
                createPeer(peer_str,sock_id,1);

            }

            else {

                conf0.peers[peer_num].ssl = NULL;
                pthread_create(&conf0.peers[peer_num].ioth,NULL,dexp_serv_ioth,(void*)&conf0.peers[peer_num]);


            }



        }



    }


}

Пример #8

Файл: wserver2.c Проект: tecknicaltom/ciphersuites.com

int main(int argc, char **argv)
{
	int sock,s;
	BIO *sbio;
	SSL_CTX *ctx;
	SSL *ssl;
	int r;
	pid_t pid;
	extern char *optarg;
	int c;

	while((c=getopt(argc,argv,"cCxna:"))!=-1){
		switch(c){
		case 'c':
			client_auth=CLIENT_AUTH_REQUEST;
			break;
		case 'C':
			client_auth=CLIENT_AUTH_REQUIRE;
			break;
		case 'x':
			client_auth=CLIENT_AUTH_REHANDSHAKE;
			break;
		case 'n':
			fork_child=0;
			break;
		case 'a':
			if(!(ciphers=strdup(optarg)))
				err_exit("Out of memory");
			break;
		}
	}

	/* Build our SSL context*/
	ctx=initialize_ctx(KEYFILE,PASSWORD);
	load_dh_params(ctx,DHFILE);

	SSL_CTX_set_session_id_context(ctx,
		(void*)&s_server_session_id_context,
		sizeof s_server_session_id_context); 

	/* Set our cipher list */
	if(ciphers){
		SSL_CTX_set_cipher_list(ctx,ciphers);
	}

	switch(client_auth){
	case CLIENT_AUTH_REQUEST:
		SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,0);
		break;
	case CLIENT_AUTH_REQUIRE:
		SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER |
			SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
		break;
	case CLIENT_AUTH_REHANDSHAKE:
		/* Do nothing */
		break;
	}

	sock=tcp_listen();

	while(1){
		if((s=accept(sock,0,0))<0)
			err_exit("Problem accepting");

		if(fork_child && (pid=fork())){
			close(s);
		}
		else {
			sbio=BIO_new_socket(s,BIO_NOCLOSE);
			ssl=SSL_new(ctx);
			SSL_set_bio(ssl,sbio,sbio);

			if((r=SSL_accept(ssl)<=0))
				berr_exit("SSL accept error");

			http_serve(ssl,s);

			if(fork_child)
				exit(0);
		}
	}
	destroy_ctx(ctx);
	exit(0);
}