BOOL CUsersDlgGeneral::SaveUser(t_user & user)
{
user.nEnabled = m_nEnabled;
if (!m_bNeedpass)
user.password = _T("");
else if (m_cPass.GetModify() && m_Pass != _T("")) {
user.generateSalt();
auto saltedPassword = ConvToNetwork(m_Pass + user.salt);
CAsyncSslSocketLayer ssl(0);
user.password = ConvFromNetwork(ssl.SHA512(reinterpret_cast<unsigned char const*>(saltedPassword.c_str()), saltedPassword.size()).c_str());
if (user.password.IsEmpty()) {
// Something went very wrong, disable user.
user.nEnabled = false;
}
}
user.nBypassUserLimit = m_nMaxUsersBypass;
user.nUserLimit = _ttoi(m_MaxConnCount);
user.nIpLimit = _ttoi(m_IpLimit);
if (m_cGroup.GetCurSel()<=0)
user.group = _T("");
else
m_cGroup.GetLBText(m_cGroup.GetCurSel(), user.group);
user.comment = m_Comments;
user.forceSsl = m_nForceSsl;
return TRUE;
}
//*****************************************************************************
//
//! Main
//!
//! \param none
//!
//! \return None
//!
//*****************************************************************************
void main()
{
long lRetVal = -1;
//
// Initialize board configuration
//
BoardInit();
PinMuxConfig();
#ifndef NOTERM
InitTerm();
#endif
lRetVal = ssl();
if(lRetVal < 0)
{
ERR_PRINT(lRetVal);
}
//
// power off network processor
//
sl_Stop(SL_STOP_TIMEOUT);
LOOP_FOREVER();
}
void SSLContextTest::verifySSLCipherList(const vector<string>& ciphers) {
int i = 0;
ssl::SSLUniquePtr ssl(ctx.createSSL());
for (auto& cipher : ciphers) {
ASSERT_STREQ(cipher.c_str(), SSL_get_cipher_list(ssl.get(), i++));
}
ASSERT_EQ(nullptr, SSL_get_cipher_list(ssl.get(), i));
}
bool httpclient::open(const lyramilk::data::string& rawurl)
{
int port = -1;
lyramilk::data::string scheme;
{
std::size_t scheme_sep = rawurl.find(":");
if(scheme_sep != rawurl.npos && rawurl.size() > scheme_sep+2 && rawurl.compare(scheme_sep,3,"://") == 0){
scheme = rawurl.substr(0,scheme_sep);
std::size_t host_sep = rawurl.find("/",scheme_sep+3);
host = rawurl.substr(scheme_sep+3,host_sep - scheme_sep - 3);
std::size_t port_sep = host.find_last_of(":");
if(port_sep != host.npos){
char *tmp;
port = strtoll(host.c_str() + port_sep + 1,&tmp,10);
host = host.substr(0,port_sep);
}
url = rawurl.substr(host_sep);
}
}
if(scheme == "https"){
if(port == -1) port = 443;
}else if(scheme == "http"){
if(port == -1) port = 80;
}else{
return false;
}
if(scheme == "https"){
init_ssl();
ssl(true);
}
COUT << "raw=" << rawurl << ",scheme=" << scheme << ",host=" << host << ",port=" << port << ",url=" << url << "," << std::endl;
return lyramilk::netio::client::open(host.c_str(),(lyramilk::data::uint16)port);
}
bool AccessCert::download( bool noCard )
{
if( noCard )
{
QDesktopServices::openUrl( QUrl( tr("http://www.id.ee/kehtivuskinnitus") ) );
return false;
}
QMessageBox d( QMessageBox::Information, tr("Server access certificate"),
tr("Hereby I agree to terms and conditions of validity confirmation service and "
"will use the service in extent of 10 signatures per month. If you going to "
"exceed the limit of 10 signatures per month or/and will use the service for "
"commercial purposes, please refer to IT support of your company. Additional "
"information is available from <a href=\"%1\">%1</a> or phone 1777")
.arg( tr("http://www.id.ee/kehtivuskinnitus") ),
QMessageBox::Help, m_parent );
d.addButton( tr("Agree"), QMessageBox::AcceptRole );
if( QLabel *label = d.findChild<QLabel*>() )
label->setOpenExternalLinks( true );
if( d.exec() == QMessageBox::Help )
{
QDesktopServices::openUrl( QUrl( tr("http://www.id.ee/kehtivuskinnitus") ) );
return false;
}
QSigner *s = qApp->signer();
QPKCS11 *p = s->handle();
s->lock();
TokenData token;
bool retry = false;
do
{
retry = false;
token = p->selectSlot( s->token().card(), SslCertificate::DataEncipherment );
QPKCS11::PinStatus status = p->login( token );
switch( status )
{
case QPKCS11::PinOK: break;
case QPKCS11::PinCanceled:
s->unlock();
return false;
case QPKCS11::PinIncorrect:
showWarning( QPKCS11::errorString( status ) );
retry = true;
break;
default:
showWarning( tr("Error downloading server access certificate!") + "\n" + QPKCS11::errorString( status ) );
s->unlock();
return false;
}
}
while( retry );
QScopedPointer<SSLConnect> ssl( new SSLConnect );
ssl->setToken( token.cert(), p->key() );
QByteArray result = ssl->getUrl( SSLConnect::AccessCert );
if( !ssl->errorString().isEmpty() )
{
showWarning( tr("Error downloading server access certificate!") + "\n" + ssl->errorString() );
return false;
}
s->unlock();
if( result.isEmpty() )
{
showWarning( tr("Empty result!") );
return false;
}
QString status, cert, pass, message;
QXmlStreamReader xml( result );
while( xml.readNext() != QXmlStreamReader::Invalid )
{
if( !xml.isStartElement() )
continue;
if( xml.name() == "StatusCode" )
status = xml.readElementText();
else if( xml.name() == "MessageToDisplay" )
message = xml.readElementText();
else if( xml.name() == "TokenData" )
cert = xml.readElementText();
else if( xml.name() == "TokenPassword" )
pass = xml.readElementText();
}
if( status.isEmpty() )
{
showWarning( tr("Error parsing server access certificate result!") );
return false;
}
switch( status.toInt() )
{
case 1: //need to order cert manually from SK web
QDesktopServices::openUrl( QUrl( tr("http://www.id.ee/kehtivuskinnitus") ) );
return false;
case 2: //got error, show message from MessageToDisplay element
showWarning( tr("Error downloading server access certificate!\n%1").arg( message ) );
return false;
default: break; //ok
}
if ( cert.isEmpty() )
{
showWarning( tr("Error reading server access certificate - empty content!") );
return false;
}
QString path = QDesktopServices::storageLocation( QDesktopServices::DataLocation );
if ( !QDir( path ).exists() )
QDir().mkpath( path );
QFile f( QString( "%1/%2.p12" ).arg( path,
SslCertificate( qApp->signer()->token().cert() ).subjectInfo( "serialNumber" ) ) );
if ( !f.open( QIODevice::WriteOnly|QIODevice::Truncate ) )
{
showWarning( tr("Failed to save server access certificate file to %1!\n%2")
.arg( f.fileName() )
.arg( f.errorString() ) );
return false;
}
f.write( QByteArray::fromBase64( cert.toLatin1() ) );
Application::setConfValue( Application::PKCS12Cert, m_cert = QDir::toNativeSeparators( f.fileName() ) );
Application::setConfValue( Application::PKCS12Pass, m_pass = pass );
return true;
}
int main(int argc, char* argv[])
{
try
{
log_init();
cxxtools::Arg<std::string> ip(argc, argv, 'i');
cxxtools::Arg<unsigned short> port(argc, argv, 'p', 1234);
cxxtools::Arg<unsigned> bufsize(argc, argv, 'b', 8192);
cxxtools::Arg<bool> listen(argc, argv, 'l');
cxxtools::Arg<bool> read_reply(argc, argv, 'r');
cxxtools::Arg<bool> ssl(argc, argv, 's');
cxxtools::Arg<std::string> cert(argc, argv, "--cert");
cxxtools::Arg<std::string> ca(argc, argv, "--CA");
if (listen)
{
// I'm a server
// listen to a port
cxxtools::net::TcpServer server(ip.getValue(), port);
// accept a connetion
cxxtools::net::TcpStream worker(server, bufsize);
if (ssl)
{
if (cert.isSet())
worker.loadSslCertificateFile(cert);
if (ca.isSet())
worker.setSslVerify(2, ca);
worker.sslAccept();
}
// copy to stdout
std::cout << worker.rdbuf();
}
else
{
// I'm a client
// connect to server
cxxtools::net::TcpStream peer(ip, port, bufsize);
if (ssl)
{
if (cert.isSet())
peer.loadSslCertificateFile(cert);
peer.sslConnect();
}
if (argc > 1)
{
for (int a = 1; a < argc; ++a)
{
std::ifstream in(argv[a]);
peer << in.rdbuf() << std::flush;
}
}
else
{
// copy stdin to server
peer << std::cin.rdbuf() << std::flush;
}
if (read_reply)
// copy answer to stdout
std::cout << peer.rdbuf() << std::flush;
}
}
catch (const std::exception& e)
{
std::cerr << e.what() << std::endl;
}
}
signed int
main(signed int ac, char** av)
{
SSL_CTX* ctx(nullptr);
SSL_METHOD* meth(nullptr);
SSL* ssl(nullptr);
signed long sflags(0);
signed int sockfd(-1);
signed int retval(-1);
std::string host("");
std::string port("");
std::string key("");
std::string cert("");
std::string store("");
std::string root("");
::SSL_library_init();
::OpenSSL_add_all_algorithms();
::SSL_load_error_strings();
sflags = ( SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
SSL_OP_NO_TLSv1_1 | SSL_OP_CIPHER_SERVER_PREFERENCE |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION );
if (7 != ac) {
std::cerr << "Usage: " << av[0] << " <host> <port> <certificate> <key> <root certificate> <certificate store>" << std::endl;
return EXIT_FAILURE;
}
host = av[1];
port = av[2];
cert = av[3];
key = av[4];
root = av[5];
store = av[6];
meth = const_cast< SSL_METHOD* >(::TLSv1_2_client_method());
ctx = ::SSL_CTX_new(meth);
if (nullptr == meth) {
::ERR_print_errors_fp(stderr);
return EXIT_FAILURE;
}
::SSL_CTX_set_options(ctx, sflags);
if (0 >= ::SSL_CTX_use_certificate_file(ctx, cert.c_str(), SSL_FILETYPE_PEM)) {
::ERR_print_errors_fp(stderr);
return EXIT_FAILURE;
}
if (0 >= ::SSL_CTX_use_PrivateKey_file(ctx, key.c_str(), SSL_FILETYPE_PEM)) {
::ERR_print_errors_fp(stderr);
return EXIT_FAILURE;
}
if (! ::SSL_CTX_check_private_key(ctx)) {
std::cerr << "Private key does not match certificate" << std::endl;
return EXIT_FAILURE;
}
if (! ::SSL_CTX_load_verify_locations(ctx, root.c_str(), store.c_str())) {
std::cerr << "Load certificate store location failure" << std::endl;
return EXIT_FAILURE;
}
::SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); //&verify_cb);
::SSL_CTX_set_verify_depth(ctx, 5);
std::cout << "Connecting to: " << host << ":" << port << std::endl;
sockfd = open_connection(host, port);
if (0 > sockfd)
return EXIT_FAILURE;
ssl = SSL_new(ctx);
::SSL_set_fd(ssl, sockfd);
do {
retval = ::ERR_get_error();
if (0 != retval)
std::cerr << "SSL ERR: " << ::ERR_reason_error_string(retval) << std::endl;
} while (0 != retval);
retval = ::SSL_connect(ssl);
if (1 != retval) {
std::cerr << "Error in SSL_connect()" << std::endl;
::ERR_print_errors_fp(stderr);
} else {
X509* ccert(::SSL_get_peer_certificate(ssl));
char* line(nullptr);
char buf[4096] = {0};
signed int len(-1);
struct in_addr ia;
struct in6_addr i6a;
std::vector< ip_addr_t > avec;
std::vector< port_t > pvec;
//message_t msg(OP_SCAN_STATUS, 0x4141414141414141);
if (0 >= ::inet_pton(AF_INET, "127.0.0.0", &ia)) {
std::cerr << "inet_pton() error: " << ::strerror(errno) << std::endl;
return EXIT_FAILURE;
}
avec.push_back(ip_addr_t(ia, 24));
if (0 >= ::inet_pton(AF_INET, "192.0.0.0", &ia)) {
std::cerr << "inet_pton() error: " << ::strerror(errno) << std::endl;
return EXIT_FAILURE;
}
avec.push_back(ip_addr_t(ia, 8));
if (0 >= ::inet_pton(AF_INET6, "fe80:20c:29ff:feee:4b72::1", &i6a)) {
std::cerr << "inet_pton() error: " << ::strerror(errno) << std::endl;
return EXIT_FAILURE;
}
avec.push_back(ip_addr_t(i6a, 120));
if (0 >= ::inet_pton(AF_INET, "10.0.0.1", &ia)) {
std::cerr << "inet_pton() error: " << ::strerror(errno) << std::endl;
return EXIT_FAILURE;
}
avec.push_back(ip_addr_t(ia));
if (0 >= ::inet_pton(AF_INET6, "::1", &i6a)) {
std::cerr << "inet_pton() error: " << ::strerror(errno) << std::endl;
return EXIT_FAILURE;
}
avec.push_back(ip_addr_t(i6a));
pvec.push_back(port_t(PORT_PROTO_TCP, 80));
pvec.push_back(port_t(PORT_PROTO_TCP, 443));
pvec.push_back(port_t(PORT_PROTO_TCP, 143));
pvec.push_back(port_t(PORT_PROTO_TCP, 22));
pvec.push_back(port_t(PORT_PROTO_TCP, 139));
pvec.push_back(port_t(PORT_PROTO_TCP, 31336));
pvec.push_back(port_t(PORT_PROTO_TCP, 15));
message_t msg(avec, pvec);
if (X509_V_OK != ::SSL_get_verify_result(ssl))
std::cout << "Certificate validation failed" << std::endl;
else
std::cout << "Certificate successfully validated" << std::endl;
std::cout << "Connected with " << ::SSL_get_cipher(ssl) << " encryption." << std::endl;
if (nullptr == ccert) {
std::cerr << "ccert is nullptr" << std::endl;
return EXIT_FAILURE;
}
line = ::X509_NAME_oneline(::X509_get_subject_name(ccert), 0, 0);
std::cout << "Subject: " << line << std::endl;
::free(line);
line = ::X509_NAME_oneline(::X509_get_issuer_name(ccert), 0, 0);
std::cout << "Issuer: " << line << std::endl;
::free(line);
std::cout << "Version: " << ::X509_get_version(ccert) << std::endl;
::X509_free(ccert);
len = ::SSL_read(ssl, buf, sizeof(buf));
if (0 < len && 4096 > len) {
buf[len] = 0;
std::cout << "buf: " << buf << std::endl;
}
std::vector< uint8_t > d(msg.data());
::SSL_write(ssl, d.data(), d.size());
}
::close(sockfd);
::SSL_CTX_free(ctx);
return EXIT_SUCCESS;
}
bool AccessCert::download( bool noCard )
{
if( noCard )
{
QDesktopServices::openUrl( QUrl( "http://www.sk.ee/toend/" ) );
return false;
}
QMessageBox d( QMessageBox::Information, tr("Server access certificate"),
tr("Hereby I agree to terms and conditions of validity confirmation service and "
"will use the service in extent of 10 signatures per month. If you going to "
"exceed the limit of 10 signatures per month or/and will use the service for "
"commercial purposes, please refer to IT support of your company. Additional "
"information is available from <a href=\"http://www.sk.ee/kehtivuskinnitus\">"
"http://www.sk.ee/kehtivuskinnitus</a> or phone 1777"),
QMessageBox::Help, m_parent );
d.addButton( tr("Agree"), QMessageBox::AcceptRole );
if( QLabel *label = d.findChild<QLabel*>() )
label->setOpenExternalLinks( true );
if( d.exec() == QMessageBox::Help )
{
QDesktopServices::openUrl( QUrl( "http://www.sk.ee/kehtivuskinnitus" ) );
return false;
}
qApp->signer()->lock();
QScopedPointer<SSLConnect> ssl( new SSLConnect() );
ssl->setPKCS11( Application::confValue( Application::PKCS11Module ), false );
ssl->setCard( qApp->signer()->token().card() );
bool retry = false;
do
{
retry = false;
if( ssl->flags() & TokenData::PinLocked )
{
showWarning( tr("Error downloading server access certificate!\nPIN1 is blocked" ) );
qApp->signer()->unlock();
return false;
}
ssl->waitForFinished( SSLConnect::AccessCert );
switch( ssl->error() )
{
case SSLConnect::PinCanceledError:
qApp->signer()->unlock();
return false;
case SSLConnect::PinInvalidError:
showWarning( ssl->errorString() );
retry = true;
break;
default:
if( !ssl->errorString().isEmpty() )
{
showWarning( tr("Error downloading server access certificate!\n%1").arg( ssl->errorString() ) );
qApp->signer()->unlock();
return false;
}
break;
}
}
while( retry );
QByteArray result = ssl->result();
qApp->signer()->unlock();
if( result.isEmpty() )
{
showWarning( tr("Empty result!") );
return false;
}
QDomDocument domDoc;
if( !domDoc.setContent( QString::fromUtf8( result ) ) )
{
showWarning( tr("Error parsing server access certificate result!") );
return false;
}
QDomElement e = domDoc.documentElement();
QDomNodeList status = e.elementsByTagName( "StatusCode" );
if( status.isEmpty() )
{
showWarning( tr("Error parsing server access certificate result!") );
return false;
}
switch( status.item(0).toElement().text().toInt() )
{
case 1: //need to order cert manually from SK web
QDesktopServices::openUrl( QUrl( "http://www.sk.ee/toend/" ) );
return false;
case 2: //got error, show message from MessageToDisplay element
showWarning( tr("Error downloading server access certificate!\n%1")
.arg( e.elementsByTagName( "MessageToDisplay" ).item(0).toElement().text() ) );
return false;
default: break; //ok
}
QString cert = e.elementsByTagName( "TokenData" ).item(0).toElement().text();
if ( cert.isEmpty() )
{
showWarning( tr("Error reading server access certificate - empty content!") );
return false;
}
QString path = QDesktopServices::storageLocation( QDesktopServices::DataLocation );
if ( !QDir( path ).exists() )
QDir().mkpath( path );
QFile f( QString( "%1/%2.p12" ).arg( path, SslCertificate( qApp->signer()->token().cert() ).subjectInfo( "serialNumber" ) ) );
if ( !f.open( QIODevice::WriteOnly|QIODevice::Truncate ) )
{
showWarning( tr("Failed to save server access certificate file to %1!\n%2")
.arg( f.fileName() )
.arg( f.errorString() ) );
return false;
}
f.write( QByteArray::fromBase64( cert.toLatin1() ) );
Application::setConfValue( Application::PKCS12Cert, m_cert = f.fileName() );
Application::setConfValue( Application::PKCS12Pass, m_pass = e.elementsByTagName( "TokenPassword" ).item(0).toElement().text() );
return true;
}
