12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439 |
- char *cksslv = "SSL/TLS support, 9.0.233, 24 Dec 2015";
- /*
- C K _ S S L . C -- OpenSSL Interface for C-Kermit
- Copyright (C) 1985, 2017,
- Trustees of Columbia University in the City of New York.
- All rights reserved. See the C-Kermit COPYING.TXT file or the
- copyright text in the ckcmai.c module for disclaimer and permissions.
- Author: Jeffrey E Altman (jaltman@secure-endpoints.com)
- Secure Endpoints Inc., New York City
- Provides:
- . Telnet Auth SSL option compatible with Tim Hudson's hack.
- . Telnet START_TLS option
- . Configuration of certificate and key files
- . Certificate verification and revocation list checks
- . Client certificate to user id routine
- Note: This code is written to be compatible with OpenSSL 0.9.6[abcdefgh]
- and 0.9.7 beta 5 and later, and (since July 2012) 1.0.x.
- It will also compile with version 0.9.5 although that is discouraged
- due to security weaknesses in that release.
- Adapted for LibreSSL by Bernard Spil, December 2015 (search "Spil")
- */
- #include "ckcsym.h"
- #include "ckcdeb.h"
- #ifdef CK_SSL
- #include "ckcnet.h"
- #include "ckuath.h"
- #include <stdlib.h>
- #include <string.h>
- #ifdef UNIX
- #include <netinet/in.h>
- #ifndef FREEBSD4
- #include <arpa/inet.h>
- #endif /* FREEBSD4 */
- #endif /* UNIX */
- #ifdef DEC_TCPIP
- #include <time.h>
- #include <inet.h>
- #endif /* DEC_TCPIP */
- #ifdef OS2
- extern char exedir[];
- #ifdef NT
- char * GetAppData(int);
- #endif
- #endif /* OS2 */
- extern int quiet; /* fdc - Mon Nov 28 11:44:15 2005 */
- static int ssl_installed = 1;
- #endif /* CK_SSL */
- int
- ck_ssh_is_installed()
- {
- #ifdef SSHBUILTIN
- #ifdef SSLDLL
- #ifdef NT
- extern HINSTANCE hCRYPTO;
- #else /* NT */
- extern HMODULE hCRYPTO;
- #endif /* NT */
- debug(F111,"ck_ssh_is_installed","hCRYPTO",hCRYPTO);
- return(ssl_installed && (hCRYPTO != NULL));
- #else /* SSLDLL */
- return(ssl_installed);
- #endif /* SSLDLL */
- #else
- return 0;
- #endif
- }
- int
- #ifdef CK_ANSIC
- ck_ssleay_is_installed(void)
- #else
- ck_ssleay_is_installed()
- #endif
- {
- #ifdef CK_SSL
- #ifdef SSLDLL
- #ifdef NT
- extern HINSTANCE hSSL, hCRYPTO;
- #else /* NT */
- extern HMODULE hSSL, hCRYPTO;
- #endif /* NT */
- debug(F111,"ck_ssleay_is_installed","hSSL",hSSL);
- debug(F111,"ck_ssleay_is_installed","hCRYPTO",hCRYPTO);
- return(ssl_installed && (hSSL != NULL) && (hCRYPTO != NULL));
- #else /* SSLDLL */
- return(ssl_installed);
- #endif /* SSLDLL */
- #else /* CK_SSL */
- return(0);
- #endif /* CK_SSL */
- }
- #ifdef CK_SSL
- #include "ckcker.h"
- #include "ckucmd.h" /* For struct keytab */
- #include "ckctel.h"
- #include "ck_ssl.h"
- #ifdef UNIX
- #include <pwd.h> /* Password file for home directory */
- #endif /* UNIX */
- #ifdef OS2
- #include <process.h>
- #endif /* OS2 */
- #ifdef OS2ONLY
- #include "ckotcp.h"
- #endif /* OS2ONLY */
- #ifdef SSLDLL
- int ssl_finished_messages = 0;
- #else /* SSLDLL */
- #ifdef OPENSSL_VERSION_NUMBER
- int ssl_finished_messages = (OPENSSL_VERSION_NUMBER >= 0x0090581fL);
- #else
- !ERROR This module requires OpenSSL 0.9.5a or higher
- #endif /* OPENSSL_VERSION_NUMBER */
- #endif /* SSLDLL */
- static int auth_ssl_valid = 0;
- static char *auth_ssl_name = 0; /* this holds the oneline name */
- char ssl_err[SSL_ERR_BFSZ]="";
- BIO *bio_err=NULL;
- X509_STORE *crl_store = NULL;
- #ifndef NOFTP
- #ifndef SYSFTP
- SSL *ssl_ftp_con = NULL;
- SSL_CTX *ssl_ftp_ctx = NULL;
- SSL *ssl_ftp_data_con = NULL;
- int ssl_ftp_active_flag = 0;
- int ssl_ftp_data_active_flag = 0;
- #endif /* SYSFTP */
- #endif /* NOFTP */
- #ifndef NOHTTP
- SSL *tls_http_con = NULL;
- SSL_CTX *tls_http_ctx = NULL;
- int tls_http_active_flag = 0;
- int ssl_http_initialized = 0;
- #endif /* NOHTTP */
- SSL_CTX *ssl_ctx = NULL;
- SSL *ssl_con = NULL;
- int ssl_debug_flag = 0;
- int ssl_verbose_flag = 0;
- int ssl_only_flag = 0;
- int ssl_raw_flag = 0;
- int ssl_active_flag = 0;
- int ssl_verify_flag = SSL_VERIFY_PEER;
- int ssl_certsok_flag = 0;
- char *ssl_rsa_cert_file = NULL;
- char *ssl_rsa_cert_chain_file = NULL;
- char *ssl_rsa_key_file = NULL;
- char *ssl_dsa_cert_file = NULL;
- char *ssl_dsa_cert_chain_file = NULL;
- char *ssl_dh_key_file = NULL;
- char *ssl_crl_file = NULL;
- char *ssl_crl_dir = NULL;
- char *ssl_verify_file = NULL;
- char *ssl_verify_dir = NULL;
- char *ssl_dh_param_file = NULL;
- char *ssl_cipher_list = NULL;
- char *ssl_rnd_file = NULL;
- SSL_CTX *tls_ctx = NULL;
- SSL *tls_con = NULL;
- int tls_only_flag = 0;
- int tls_raw_flag = 0;
- int tls_active_flag = 0;
- int ssl_initialized = 0;
- int ssl_verify_depth = -1; /* used to track depth in verify routines */
- /* compile this set to 1 to negotiate SSL/TLS but not actually start it */
- int ssl_dummy_flag=0;
- extern int inserver;
- extern int debses;
- extern int accept_complete;
- extern char szHostName[], szUserNameRequested[], szUserNameAuthenticated[];
- _PROTOTYP(int X509_to_user,(X509 *, char *, int));
- static int verbosity = 0; /* Message control */
- static VOID
- setverbosity() {
- verbosity = ssl_verbose_flag;
- if (quiet) verbosity = 0;
- }
- int
- #ifdef CK_ANSIC
- ssl_server_verify_callback(int ok, X509_STORE_CTX * ctx)
- #else /* CK_ANSIC */
- ssl_server_verify_callback(ok, ctx)
- int ok;
- X509_STORE_CTX *ctx;
- #endif /* CK_ANSIC */
- {
- static char *saved_subject=NULL;
- char *subject=NULL, *issuer=NULL;
- int depth,error;
- X509 *xs = NULL;
- if ( ssl_certsok_flag )
- return(1);
- setverbosity();
- error=X509_STORE_CTX_get_error(ctx);
- depth=X509_STORE_CTX_get_error_depth(ctx);
- xs=X509_STORE_CTX_get_current_cert(ctx);
- if (depth==0) {
- /* clear things */
- if (saved_subject!=NULL) {
- free(saved_subject);
- saved_subject=NULL;
- }
- if (auth_ssl_name!=NULL) {
- free(auth_ssl_name);
- auth_ssl_name=NULL;
- }
- }
- if (ssl_debug_flag && !inserver) {
- printf("ssl:server_verify_callback:depth=%d ok=%d err=%d-%s\r\n",
- depth,ok,error,X509_verify_cert_error_string(error));
- }
- /* first thing is to have a meaningful name for the current
- * certificate that is being verified ... and if we cannot
- * determine that then something is seriously wrong!
- */
- makestr(&subject,
- (char *)X509_NAME_oneline(X509_get_subject_name(xs),NULL,0));
- makestr(&issuer,
- (char *)X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0));
- if (!subject || !subject[0] || !issuer || !issuer[0]) {
- ok = 0;
- goto return_time;
- }
- if (verbosity && !inserver && depth != ssl_verify_depth) {
- printf("[%d] Certificate Subject:\r\n%s\r\n",depth,subject);
- printf("[%d] Certificate Issuer:\r\n%s\r\n",depth,issuer);
- ssl_verify_depth = depth;
- }
- /* make sure that the certificate that has been presented */
- /* has not been revoked (if we have been given a CRL. */
- ok = ssl_verify_crl(ok, ctx);
- /* if we have any form of error in secure mode we reject the connection */
- if (error!=X509_V_OK) {
- if (inserver) {
- #ifdef CKSYSLOG
- if (ckxsyslog >= SYSLG_LI && ckxlogging) {
- cksyslog(SYSLG_LI, 0,
- "X.509 Certificate verify failure",
- (char *) subject,
- (char *)X509_verify_cert_error_string(error)
- );
- }
- #endif /* CKSYSLOG */
- } else {
- if ( ssl_verify_flag &
- (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
- printf("Error: ");
- else
- printf("Warning: ");
- switch (error) {
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- printf("Certificate is self signed.\r\n");
- break;
- case X509_V_ERR_CERT_HAS_EXPIRED:
- printf("Certificate has expired.\r\n");
- break;
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- printf(
- "Certificate issuer's certificate isn't available locally.\r\n");
- break;
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- printf("Unable to verify leaf signature.\r\n");
- break;
- case X509_V_ERR_CERT_REVOKED:
- printf("Certificate revoked.\r\n");
- break;
- default:
- printf("Error %d while verifying certificate.\r\n",
- X509_STORE_CTX_get_error(ctx));
- break;
- }
- }
- ok = !(ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
- } else {
- /* if we got all the way to the top of the tree then
- * we *can* use this certificate for a username to
- * match ... in all other cases we must not!
- */
- auth_ssl_name = saved_subject;
- saved_subject = NULL;
- }
- return_time:
- /* save the name if at least the first level is okay */
- if (depth == 0 && ok)
- makestr(&saved_subject,subject);
- /* clean up things */
- if (subject!=NULL)
- free(subject);
- if (issuer!=NULL)
- free(issuer);
- return ok;
- }
- int
- #ifdef CK_ANSIC
- ssl_client_verify_callback(int ok, X509_STORE_CTX * ctx)
- #else
- ssl_client_verify_callback(ok, ctx)
- int ok;
- X509_STORE_CTX *ctx;
- #endif
- {
- char subject[256]="", issuer[256]="";
- int depth, error, len;
- X509 *xs;
- setverbosity();
- xs=X509_STORE_CTX_get_current_cert(ctx);
- error=X509_STORE_CTX_get_error(ctx);
- depth=X509_STORE_CTX_get_error_depth(ctx);
- if ( ssl_debug_flag )
- printf("ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\r\n",
- depth,ok,error,X509_verify_cert_error_string(error));
- if ( ssl_certsok_flag ) {
- ok = 1;
- }
- /* first thing is to have a meaningful name for the current
- * certificate that is being verified ... and if we cannot
- * determine that then something is seriously wrong!
- */
- #ifdef XN_FLAG_SEP_MULTILINE
- X509_NAME_print_ex(bio_err,X509_get_subject_name(xs),4,
- XN_FLAG_SEP_MULTILINE);
- len = BIO_read(bio_err,subject,256);
- subject[len < 256 ? len : 255] = '\0';
- if (!subject[0]) {
- ERR_print_errors(bio_err);
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- uq_ok("X.509 Subject Name unavailable", ssl_err, 1, NULL, 0);
- ok=0;
- goto return_time;
- }
- X509_NAME_print_ex(bio_err,X509_get_issuer_name(xs),4,
- XN_FLAG_SEP_MULTILINE);
- len = BIO_read(bio_err,issuer,256);
- issuer[len < 256 ? len : 255] = '\0';
- if (!issuer[0]) {
- ERR_print_errors(bio_err);
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- uq_ok("X.509 Issuer Name unavailable", ssl_err, 1, NULL, 0);
- ok=0;
- goto return_time;
- }
- #else /* XN_FLAG_SEP_MULTILINE */
- X509_NAME_oneline(X509_get_subject_name(xs),subject,256);
- if (!subject[0]) {
- int len;
- ERR_print_errors(bio_err);
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- uq_ok("X.509 Subject Name unavailable", ssl_err, 1, NULL, 0);
- ok=0;
- goto return_time;
- }
- X509_NAME_oneline(X509_get_issuer_name(xs),issuer,256);
- if (!issuer[0]) {
- int len;
- ERR_print_errors(bio_err);
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- uq_ok("X.509 Issuer Name unavailable", ssl_err, 1, NULL, 0);
- ok=0;
- goto return_time;
- }
- #endif /* XN_FLAG_SEP_MULTILINE */
- if (verbosity && depth != ssl_verify_depth) {
- printf("[%d] Certificate Subject:\r\n%s\r\n",depth,subject);
- printf("[%d] Certificate Issuer:\r\n%s\r\n",depth,issuer);
- ssl_verify_depth = depth;
- }
- ok = ssl_verify_crl(ok, ctx);
- if ( !ok ) {
- char prefix[1024];
- /* if the server is using a self signed certificate then
- * we need to decide if that is good enough for us to
- * accept ...
- */
- switch ( error ) {
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: {
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- /* make 100% sure that in secure more we drop the
- * connection if the server does not have a
- * real certificate!
- */
- ckmakxmsg(prefix,1024,
- "Error: Server has a self-signed certificate\n",
- "[",ckitoa(depth),"] Certificate Subject=\n",subject,
- "\n[",ckitoa(depth),"] Certificate Issuer=\n",issuer,
- NULL,NULL,NULL);
- uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
- /* sometimes it is really handy to be able to debug things
- * and still get a connection!
- */
- if (ssl_debug_flag) {
- printf("SSL: debug -> ignoring cert required!\r\n");
- ok=1;
- } else {
- ok=0;
- }
- goto return_time;
- } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
- ckmakxmsg(prefix,1024,
- "Warning: Server has a self-signed certificate\n",
- "[",ckitoa(depth),"] Certificate Subject=\n",subject,
- "\n[",ckitoa(depth),"] Certificate Issuer=\n",issuer,
- NULL,NULL,NULL);
- ok = uq_ok(prefix,
- "Continue? (Y/N) ",
- 3, NULL, 0);
- if ( ok < 0 )
- ok = 0;
- goto return_time;
- }
- }
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- /* make 100% sure that in secure more we drop the
- * connection if the server does not have a
- * real certificate!
- */
- ckmakxmsg(prefix,1024,
- "Error: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Issuer=\n",issuer,
- NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
- uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
- /* sometimes it is really handy to be able to debug things
- * and still get a connection!
- */
- if (ssl_debug_flag) {
- printf("SSL: debug -> ignoring cert required!\r\n");
- ok=1;
- } else {
- ok=0;
- }
- goto return_time;
- } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
- ckmakxmsg(prefix,1024,
- "Warning: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Issuer=\n",issuer,
- NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
- ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
- goto return_time;
- }
- break;
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- int len;
- /* make 100% sure that in secure more we drop the
- * connection if the server does not have a
- * real certificate!
- */
- ASN1_TIME_print(bio_err,X509_get_notBefore(xs));
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- ckmakxmsg(prefix,1024,
- "Error: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Subject=\n",subject,
- "\nnotBefore=",ssl_err,
- NULL,NULL,NULL,NULL,NULL,NULL);
- uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
- /* sometimes it is really handy to be able to debug things
- * and still get a connection!
- */
- if (ssl_debug_flag) {
- printf("SSL: debug -> ignoring cert required!\r\n");
- ok=1;
- } else {
- ok=0;
- }
- goto return_time;
- } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
- int len;
- ASN1_TIME_print(bio_err,X509_get_notBefore(xs));
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- ckmakxmsg(prefix,1024,
- "Warning: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Subject=\n",subject,
- "\n notBefore=",ssl_err,
- NULL,NULL,NULL,NULL,NULL,NULL);
- ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
- }
- break;
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- int len;
- /* make 100% sure that in secure more we drop the
- * connection if the server does not have a
- * real certificate!
- */
- ASN1_TIME_print(bio_err,X509_get_notAfter(xs));
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- ckmakxmsg(prefix,1024,
- "Error: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Subject=\n",subject,
- "\n notAfter=",ssl_err,
- NULL,NULL,NULL,NULL,NULL,NULL);
- uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
-
- /* sometimes it is really handy to be able to debug things
- * and still get a connection!
- */
- if (ssl_debug_flag) {
- printf("SSL: debug -> ignoring cert required!\r\n");
- ok=1;
- } else {
- ok=0;
- }
- goto return_time;
- } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
- int len;
- ASN1_TIME_print(bio_err,X509_get_notAfter(xs));
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- ckmakxmsg(prefix,1024,
- "Warning: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Subject=\n",subject,
- "\n notAfter=",ssl_err,
- NULL,NULL,NULL,NULL,NULL,NULL);
- ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
- }
- break;
- case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- /*
- * When an SSL server sends its certificates to the client there
- * are two" conventions": one is to send the complete certificate
- * chain and the other is to send the whole chain apart from the
- * root.
- *
- * You don't usually need the root because the root is normally
- * stored and trusted locally.
- *
- * So if you get the whole chain it will complain about the self
- * signed certificate whereas if the root is missing it says it
- * can't find the issuer certificate.
- */
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- /* make 100% sure that in secure more we drop the
- * connection if the server does not have a
- * real certificate!
- */
- ckmakxmsg(prefix,1024,
- "Error: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Issuer=\n",issuer,
- NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
- uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
- /* sometimes it is really handy to be able to debug things
- * and still get a connection!
- */
- if (ssl_debug_flag) {
- printf("SSL: debug -> ignoring cert required!\r\n");
- ok=1;
- } else {
- ok=0;
- }
- goto return_time;
- } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
- ckmakxmsg(prefix,1024,
- "Warning: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Issuer=\n",issuer,
- NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
- ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
- #ifdef NT
- if (ok) {
- /* if the user decides to accept the certificate
- * offer to store it for future connections in
- * the user's private store
- */
- ok = uq_ok(
- "Do you wish to store the certificate to verify future connections?",
- "Continue (Y/N)", 3, NULL, 0);
- if (ok)
- ck_X509_save_cert_to_user_store(xs);
- }
- #endif /* NT */
- }
- break;
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
- case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
- case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
- case X509_V_ERR_CERT_SIGNATURE_FAILURE:
- case X509_V_ERR_CRL_SIGNATURE_FAILURE:
- case X509_V_ERR_CRL_NOT_YET_VALID:
- case X509_V_ERR_CRL_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
- case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
- case X509_V_ERR_OUT_OF_MEM:
- case X509_V_ERR_CERT_CHAIN_TOO_LONG:
- case X509_V_ERR_CERT_REVOKED:
- case X509_V_ERR_APPLICATION_VERIFICATION:
- default:
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- /* make 100% sure that in secure mode we drop the
- * connection if the server does not have a
- * real certificate!
- */
- ckmakxmsg(prefix,1024,
- "Error: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Subject=\n",subject,
- NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
- uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
- /* sometimes it is really handy to be able to debug things
- * and still get a connection!
- */
- if (ssl_debug_flag) {
- printf("SSL: debug -> ignoring cert required!\r\n");
- ok=1;
- } else {
- ok=0;
- }
- goto return_time;
- } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
- ckmakxmsg(prefix,1024,
- "Warning: ",
- (char *)X509_verify_cert_error_string(error),
- "\nCertificate Subject=\n",subject,
- NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
- ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
- }
- break;
- }
- }
- return_time:
- if ( ssl_debug_flag )
- printf("ssl:client_verify_callback => ok: %d\r\n",ok);
- return ok;
- }
- VOID
- #ifdef CK_ANSIC
- ssl_client_info_callback(const SSL *s, int where, int ret)
- #else
- ssl_client_info_callback(s,where,ret)
- const SSL *s;
- int where;
- int ret;
- #endif /* CK_ANSIC */
- {
- if (inserver || !ssl_debug_flag)
- return;
- setverbosity();
- switch ( where ) {
- case SSL_CB_CONNECT_LOOP:
- printf("SSL_connect:%s %s\r\n",
- SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
- break;
- case SSL_CB_CONNECT_EXIT:
- if (ret == 0) {
- printf("SSL_connect:failed in %s %s\r\n",
- SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
- } else if (ret < 0) {
- printf("SSL_connect:error in %s %s\r\n",
- SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
- }
- break;
- case SSL_CB_ACCEPT_LOOP:
- printf("SSL_accept:%s %s\r\n",
- SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
- break;
- case SSL_CB_ACCEPT_EXIT:
- if (ret == 0) {
- printf("SSL_accept:failed in %s %s\r\n",
- SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
- } else if (ret < 0) {
- printf("SSL_accept:error in %s %s\r\n",
- SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
- }
- break;
- case SSL_CB_READ_ALERT:
- printf("SSL_read_alert\r\n");
- break;
- case SSL_CB_WRITE_ALERT:
- printf("SSL_write_alert\r\n");
- break;
- case SSL_CB_HANDSHAKE_START:
- printf("SSL_handshake:%s %s\r\n",
- SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
- break;
- case SSL_CB_HANDSHAKE_DONE:
- printf("SSL_handshake:%s %s\r\n",
- SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
- break;
- }
- }
- #ifdef USE_CERT_CB
- /* Return 1, client cert is available */
- /* Return 0, no client cert is available */
- /* Return -1, callback must be called again. SSL_want_x509_lookup() == 1 */
- int
- #ifdef CK_ANSIC
- ssl_client_cert_callback(SSL * s, X509 ** x509, EVP_PKEY ** pkey)
- #else /* CK_ANSIC */
- ssl_client_cert_callback(s, x509, pkey)
- SSL * s;
- X509 ** x509;
- EVP_PKEY ** pkey;
- #endif /* CK_ANSIC */
- {
- setverbosity();
- if ( ssl_debug_flag ) {
- const char * cipher_list=SSL_get_cipher(s);
- printf("ssl_client_cert_callback called (%s)\r\n",
- cipher_list?cipher_list:"UNKNOWN");
- }
- #ifdef COMMENT
- if ( s == tls_con ) {
- if (tls_load_certs(tls_cts,tls_con,0)) {
- *x509 = SSL_get_certificate(s);
- *pkey = SSL_get_privatekey(s);
- return(1);
- }
- } else if ( s == ssl_con ) {
- if (tls_load_certs(ssl_ctx,ssl_con,0)) {
- *x509 = SSL_get_certificate(s);
- *pkey = SSL_get_privatekey(s);
- return(1);
- }
- }
- return(0);
- #else /* COMMENT */
- return(0);
- #endif /* COMMENT */
- }
- #endif /* USE_CERT_CB */
- #ifndef MS_CALLBACK
- #define MS_CALLBACK
- #endif /* MS_CALLBACK */
- static RSA MS_CALLBACK *
- #ifdef CK_ANSIC
- tmp_rsa_cb(SSL * s, int export, int keylength)
- #else /* CK_ANSIC */
- tmp_rsa_cb(s,export,keylength)
- SSL *s;
- int export;
- int keylength;
- #endif /* CK_ANSIC */
- {
- static RSA *rsa_tmp=NULL;
- #ifndef NO_RSA
- if (rsa_tmp == NULL)
- {
- if (ssl_debug_flag)
- printf("Generating temporary (%d bit) RSA key...\r\n",keylength);
- rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
- if (ssl_debug_flag)
- printf("\r\n");
- }
- #else /* NO_RSA */
- if (ssl_debug_flag)
- printf("Unable to generate temporary RSA key...\r\n");
- #endif
- return(rsa_tmp);
- }
- #ifndef NO_DH
- static unsigned char dh512_p[]={
- 0xE9,0x4E,0x3A,0x64,0xFA,0x65,0x5F,0xA6,0x44,0xC7,0xFC,0xF1,
- 0x16,0x8B,0x11,0x11,0x7A,0xF0,0xB2,0x49,0x80,0x56,0xA3,0xF8,
- 0x0F,0x7D,0x01,0x68,0x5D,0xF6,0x8A,0xEA,0x8C,0xDD,0x01,0xDC,
- 0x43,0x18,0xE0,0xC4,0x89,0x80,0xE6,0x2D,0x44,0x77,0x45,0xFD,
- 0xBA,0xFC,0x43,0x35,0x12,0xC0,0xED,0x32,0xD3,0x16,0xEF,0x51,
- 0x09,0x44,0xA2,0xDB,
- };
- static unsigned char dh512_g[]={
- 0x05,
- };
- static unsigned char dh768_p[]={
- 0x8B,0x2A,0x8C,0x6C,0x0F,0x87,0xC7,0x34,0xEE,0x2E,0xFB,0x60,
- 0x94,0xB3,0xBF,0x95,0xBA,0x84,0x74,0x86,0xEA,0xE0,0xA4,0x33,
- 0xE0,0x8F,0x7C,0x79,0x5C,0x62,0xE2,0x91,0xC5,0x6D,0x68,0xB9,
- 0x6C,0x5E,0x4E,0x94,0x0C,0x8E,0x56,0x8E,0xEB,0x98,0x7C,0x6E,
- 0x0E,0xF2,0xD5,0xAA,0x22,0x27,0x3F,0x0F,0xAF,0x10,0xB5,0x0B,
- 0x16,0xCC,0x05,0x27,0xBB,0x58,0x6D,0x61,0x4B,0x2B,0xAB,0xDC,
- 0x6A,0x15,0xBC,0x36,0x75,0x4D,0xEC,0xAB,0xFA,0xB6,0xE1,0xB1,
- 0x13,0x70,0xD8,0x77,0xCD,0x5E,0x51,0x77,0x81,0x0D,0x77,0x43,
- };
- static unsigned char dh768_g[]={
- 0x05,
- };
- static unsigned char dh1024_p[]={
- 0xA4,0x75,0xCF,0x35,0x00,0xAF,0x3C,0x17,0xCE,0xB0,0xD0,0x52,
- 0x43,0xA0,0x0E,0xFA,0xA2,0xC9,0xBE,0x0B,0x76,0x7A,0xD9,0x2E,
- 0xF4,0x97,0xAC,0x02,0x24,0x69,0xF6,0x36,0x4F,0xAB,0xCC,0x43,
- 0xC1,0x74,0xFF,0xA3,0xD4,0x04,0x0F,0x11,0x2B,0x6D,0x8C,0x47,
- 0xC9,0xCF,0x40,0x93,0x9B,0x7D,0x1E,0x52,0x85,0xB2,0x17,0x55,
- 0x9C,0xF2,0x41,0x02,0x2A,0x9D,0x5F,0x24,0x22,0xC6,0x04,0xC4,
- 0xAB,0x92,0x6D,0xC7,0xC8,0xF3,0x41,0x58,0x6C,0x86,0xFD,0xB8,
- 0x0F,0x2D,0xDD,0xBF,0xA8,0x40,0x0C,0x58,0xC8,0xF2,0x3F,0x18,
- 0xEF,0xF1,0x93,0x3E,0xBA,0x16,0x41,0xBE,0x32,0x6C,0xC5,0x63,
- 0xFF,0x8A,0x02,0x3D,0xAC,0xD5,0x5A,0x49,0x64,0x34,0x14,0x2E,
- 0xFB,0x2E,0xE7,0x39,0x1A,0x0F,0x3C,0x33,
- };
- static unsigned char dh1024_g[]={
- 0x05,
- };
- static unsigned char dh1536_p[]={
- 0xA3,0x2B,0x75,0x0E,0x7B,0x31,0x82,0xCA,0xF2,0xFC,0xF3,0x3D,
- 0xCE,0x5F,0xCD,0x5B,0x95,0xF6,0x2F,0xA4,0x5D,0x08,0x26,0xD2,
- 0x5F,0xC0,0x3F,0xC5,0xD8,0xA2,0xFE,0x83,0x26,0xBC,0xEB,0x7D,
- 0xF0,0x4E,0xD2,0xA6,0xBB,0x3C,0x88,0x63,0xCE,0x98,0xDE,0x08,
- 0xE2,0xE1,0xAF,0xE2,0x38,0xA8,0xFA,0x68,0x76,0x8D,0xBF,0xDF,
- 0xBB,0x30,0x15,0xFE,0xBD,0x22,0xCC,0x03,0x4E,0x5E,0x33,0xA3,
- 0x6D,0xD6,0x68,0x12,0x97,0x17,0x4B,0xB5,0x84,0x5F,0x5F,0xA3,
- 0x5C,0x2F,0xA4,0x10,0xC1,0xAD,0xBF,0xAC,0x30,0xCA,0x47,0x64,
- 0x63,0xFE,0xEE,0xEE,0xA1,0x64,0x73,0x70,0xAA,0xF9,0xFE,0xC6,
- 0xAD,0x5E,0xF6,0xF3,0x9C,0xDF,0x34,0x53,0x34,0x72,0xA6,0xA4,
- 0xBB,0x81,0x5A,0x43,0x41,0xFD,0x41,0x05,0x5B,0x77,0x7B,0x84,
- 0x03,0xFA,0x8A,0xFA,0xF7,0x8E,0x0F,0xCB,0x51,0xA2,0xB8,0x45,
- 0xFF,0x59,0x42,0xEF,0xCF,0xF6,0x25,0x37,0xE2,0x6D,0xFF,0x69,
- 0x11,0xF5,0x77,0x59,0x79,0x1C,0x5F,0x05,0xFC,0x7A,0x65,0x81,
- 0x03,0x4A,0x78,0xC6,0xE9,0x48,0x73,0xF6,0x10,0xBC,0x99,0x1C,
- 0xEE,0x44,0x2F,0x8B,0x70,0xCA,0xA8,0xB6,0x02,0x83,0x3E,0x0B,
- };
- static unsigned char dh1536_g[]={
- 0x05,
- };
- static unsigned char dh2048_p[]={
- 0xFA,0x4E,0xE4,0x3B,0xFA,0xC1,0x87,0xDD,0xE7,0xC6,0x8B,0xE6,
- 0x13,0x85,0xBC,0x9B,0x2B,0x8B,0x5B,0x46,0xBB,0x8B,0x86,0x6D,
- 0xD7,0xB6,0xD5,0x49,0xC5,0x54,0xF2,0x3E,0xD2,0x39,0x64,0x9B,
- 0x0E,0x33,0x39,0x8F,0xFA,0xFA,0xD9,0x78,0xED,0x34,0x82,0x29,
- 0x37,0x58,0x4D,0x5D,0x40,0xCB,0x69,0xE3,0x8A,0x9F,0x17,0x0C,
- 0x01,0x23,0x6B,0x05,0x01,0xAF,0x33,0xDE,0xDF,0x1A,0xBB,0x7B,
- 0x6A,0x9F,0xD8,0xED,0x8D,0x5E,0x44,0x19,0x5B,0xE0,0xB6,0x23,
- 0xF9,0x7A,0x96,0x6E,0x94,0x33,0x31,0x49,0xBA,0x84,0xD5,0x12,
- 0xD7,0x6D,0xDC,0x35,0x54,0x64,0xA3,0xD8,0x04,0x26,0xC5,0xAF,
- 0x7F,0xE3,0xFE,0x6F,0xBE,0xD5,0x17,0x72,0x4B,0xA6,0xD0,0xA7,
- 0x5F,0x18,0xF5,0xF0,0x2D,0x11,0x9A,0xF6,0xD5,0x3B,0x6C,0x61,
- 0x3C,0x6F,0x8E,0x09,0x4F,0x2C,0xE1,0x26,0x06,0x51,0xB3,0x19,
- 0x85,0x85,0x13,0xF9,0xC2,0x6E,0x80,0x28,0x9E,0x8A,0xA0,0x01,
- 0x46,0xD1,0x85,0x44,0x8C,0xE6,0xEE,0x7E,0x1E,0x17,0x3D,0xBA,
- 0x54,0xFF,0xE8,0x0E,0xDD,0x51,0xF3,0x74,0x7F,0x0D,0x0B,0xAB,
- 0xCA,0x84,0x8D,0x24,0x5D,0x56,0xD4,0x47,0x02,0xFC,0x93,0x9F,
- 0xAE,0x9B,0x5C,0xDB,0x63,0xEB,0x65,0x01,0x38,0xC2,0x7B,0x30,
- 0x1E,0x17,0x1C,0x75,0xF5,0x16,0x3B,0x4F,0x5F,0x41,0x32,0xB5,
- 0xFF,0x9E,0x61,0xFD,0xD2,0x62,0x6E,0xFD,0x8A,0x28,0x93,0x59,
- 0x2D,0x70,0x14,0x4D,0xE1,0x86,0xD5,0x90,0xB4,0xDF,0x72,0x71,
- 0xE0,0xB4,0xD0,0xD6,0x82,0x3A,0x4A,0x04,0x58,0x32,0x0B,0xD3,
- 0x51,0x13,0x32,0x63,
- };
- static unsigned char dh2048_g[]={
- 0x02,
- };
- static DH *
- get_dh512()
- {
- DH *dh=NULL;
- BIGNUM *p, *g;
- if ((dh=DH_new()) == NULL)
- return(NULL);
- p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
- g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
- if ((p == NULL) || (g == NULL))
- return(NULL);
- DH_set0_pqg(dh, p, NULL, g);
- return(dh);
- }
- static DH *
- get_dh768()
- {
- DH *dh=NULL;
- BIGNUM *p, *g;
- if ((dh=DH_new()) == NULL)
- return(NULL);
- p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL);
- g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL);
- if ((p == NULL) || (g == NULL))
- return(NULL);
- DH_set0_pqg(dh, p, NULL, g);
- return(dh);
- }
- static DH *
- get_dh1024()
- {
- DH *dh=NULL;
- BIGNUM *p, *g;
- if ((dh=DH_new()) == NULL)
- return(NULL);
- p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
- g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
- if ((p == NULL) || (g == NULL))
- return(NULL);
- DH_set0_pqg(dh, p, NULL, g);
- return(dh);
- }
- static DH *
- get_dh1536()
- {
- DH *dh=NULL;
- BIGNUM *p, *g;
- if ((dh=DH_new()) == NULL)
- return(NULL);
- p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL);
- g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL);
- if ((p == NULL) || (g == NULL))
- return(NULL);
- DH_set0_pqg(dh, p, NULL, g);
- return(dh);
- }
- static DH *
- get_dh2048()
- {
- DH *dh=NULL;
- BIGNUM *p, *g;
- if ((dh=DH_new()) == NULL)
- return(NULL);
- p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((p == NULL) || (g == NULL))
- return(NULL);
- DH_set0_pqg(dh, p, NULL, g);
- return(dh);
- }
- #endif /* NO_DH */
- static DH MS_CALLBACK *
- #ifdef CK_ANSIC
- tmp_dh_cb(SSL * s, int export, int keylength)
- #else /* CK_ANSIC */
- tmp_dh_cb(s,export,keylength)
- SSL *s;
- int export;
- int keylength;
- #endif /* CK_ANSIC */
- {
- static DH *dh_tmp=NULL;
- BIO *bio=NULL;
- #ifndef NO_DH
- if (dh_tmp == NULL)
- {
- if (ssl_dh_param_file &&
- (bio=BIO_new_file(ssl_dh_param_file,"r")) != NULL)
- dh_tmp=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
- if (bio != NULL)
- BIO_free(bio);
- if ( dh_tmp == NULL ) {
- if ( keylength < 768 )
- dh_tmp = get_dh512();
- else if ( keylength < 1024 )
- dh_tmp = get_dh768();
- else if ( keylength < 1536 )
- dh_tmp = get_dh1024();
- else if ( keylength < 2048 )
- dh_tmp = get_dh1536();
- else
- dh_tmp = get_dh2048();
- }
- }
- #else /* NO_DH */
- if (ssl_debug_flag)
- printf("DH not supported...\r\n");
- #endif /* NO_DH */
- return(dh_tmp);
- }
- static void
- ssl_display_comp(SSL * ssl)
- {
- if ( quiet ) /* fdc - Mon Nov 28 11:44:15 2005 */
- return;
- if ( !ck_ssleay_is_installed() )
- return;
- if (ssl == NULL)
- return;
- #ifndef OPENSSL_NO_COMP /* ifdefs Bernard Spil 12/2015 */
- const COMP_METHOD *x = SSL_get_current_expansion(ssl);
- if (!x)
- #endif /* OPENSSL_NO_COMP */
- printf("Compression: None\r\n");
- #ifndef OPENSSL_NO_COMP /* ifdefs Bernard Spil 12/2015 */
- else {
- printf("Compression: %s\r\n",SSL_COMP_get_name(x));
- }
- #endif /* OPENSSL_NO_COMP */
- }
- int
- #ifdef CK_ANSIC
- ssl_display_connect_details(SSL * ssl_con, int server, int verbose)
- #else /* CK_ANSIC */
- ssl_display_connect_details(ssl_con,server,verbose)
- SSL *ssl_con;
- int server;
- int verbose;
- #endif /* CK_ANSIC */
- {
- X509 *peer;
- SSL_CIPHER * cipher;
- const char *cipher_list;
- char buf[512]="";
- if ( quiet ) /* fdc - Mon Nov 28 11:44:15 2005 */
- return(0);
- if ( !ck_ssleay_is_installed() )
- return(0);
- if ( inserver && !tn_deb )
- return(0);
- /* the cipher list *can* be NULL ... useless but it happens! */
- cipher = SSL_get_current_cipher(ssl_con);
- cipher_list = SSL_CIPHER_get_name(cipher);
- SSL_CIPHER_description(cipher,buf,sizeof(buf));
- if (cipher_list==NULL)
- cipher_list="<NULL>";
- printf("[TLS - %s",buf);
- ssl_display_comp(ssl_con);
- if ( server ) {
- cipher_list=SSL_get_shared_ciphers(ssl_con,buf,512);
- if (cipher_list==NULL)
- cipher_list="<NULL>";
- printf("[TLS - shared ciphers=%s]\r\n",
- cipher_list);
- }
- if ( server || tn_deb ) {
- peer=SSL_get_peer_certificate(ssl_con);
- if (peer != NULL) {
- X509_NAME_oneline(X509_get_subject_name(peer),buf,512);
- printf("[TLS - subject=%s]\r\n",buf);
- X509_NAME_oneline(X509_get_issuer_name(peer),buf,512);
- printf("[TLS - issuer=%s]\r\n",buf);
- /* X509_free(peer); */
- } else if (!tls_is_krb5(0)) {
- if ( !sstelnet && !tcp_incoming ) {
- printf("[TLS - No certificate provided.]\r\n");
- printf(
- "[TLS - The identity of the host could not be verified.]\r\n");
- }
- }
- }
- return(0);
- }
- /*
- * Use SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *, void * userdata)
- * to set the value of the userdata. We are going to use it to store the
- * prompt.
- */
- int
- #ifdef CK_ANSIC
- ssl_passwd_callback(char *buf, int len, int rwflag, VOID * userdata)
- #else /* CK_ANSIC */
- ssl_passwd_callback(buf,len,rwflag,userdata)
- char * buf; int len; int rwflag; VOID *userdata;
- #endif /* CK_ANSIC */
- {
- extern char pwbuf[];
- extern int pwflg, pwcrypt;
- int ok;
- char *prompt=NULL;
- if ( pwbuf[0] && pwflg ) {
- int n;
- n = ckstrncpy(buf,pwbuf,len);
- #ifdef OS2
- if ( pwcrypt )
- ck_encrypt((char *)buf);
- #endif /* OS2 */
- return(n);
- }
- if ( userdata == NULL )
- prompt="Enter certificate passphrase: ";
- else
- prompt=(char*)userdata;
- ok = uq_txt(NULL,prompt,2,NULL,buf,len,NULL,DEFAULT_UQ_TIMEOUT);
- return(ok > 0 ? strlen(buf) : 0);
- }
- /* Attempts to load certificate data into the TLS context structures */
- /* Returns 1 on success; 0 on failure */
- int
- tls_load_certs(SSL_CTX * ctx, SSL * con, int server)
- {
- int rc = 1;
- if ( !ck_ssleay_is_installed() )
- return(0);
- debug(F110,"tls_load_certs","SSL_CTX",0);
- debug(F110,"tls_load_certs","SSL",0);
- debug(F110,"tls_load_certs","server",0);
- if ( con ) {
- if (ssl_rsa_cert_file) {
- if ( ssl_debug_flag )
- printf("Loading RSA certificate into SSL\r\n");
- rc = SSL_use_certificate_file(con, ssl_rsa_cert_file,
- X509_FILETYPE_PEM);
- if (!rc)
- {
- if ( !quiet || ssl_debug_flag )
- printf("Error loading certificate from %s\r\n",
- ssl_rsa_cert_file);
- } else {
- if (!ssl_rsa_key_file || !ssl_rsa_key_file[0])
- makestr(&ssl_rsa_key_file,ssl_rsa_cert_file);
- rc = SSL_use_PrivateKey_file(con, ssl_rsa_key_file,
- X509_FILETYPE_PEM);
- if (!rc)
- rc = SSL_use_PrivateKey_file(con, ssl_rsa_cert_file,
- X509_FILETYPE_PEM);
- if (!rc)
- {
- if ( !quiet || ssl_debug_flag )
- printf("Error loading key from %s\r\n",
- ssl_rsa_key_file);
- } else {
- rc = SSL_check_private_key(con);
- if (!rc)
- {
- if ( ssl_debug_flag )
- printf(
- "Private key does not match the certificate public key\r\n");
- }
- }
- }
- }
- if (ssl_dsa_cert_file) {
- if ( ssl_debug_flag )
- printf("Loading DSA certificate into SSL\r\n");
- rc = SSL_use_certificate_file(con, ssl_dsa_cert_file,
- X509_FILETYPE_PEM);
- if (!rc)
- {
- if ( ssl_debug_flag ) {
- printf("Error loading certificate from %s\r\n",
- ssl_dsa_cert_file);
- }
- } else {
- if (!ssl_dh_key_file || !ssl_dh_key_file[0])
- makestr(&ssl_dh_key_file,ssl_dsa_cert_file);
- rc = SSL_use_PrivateKey_file(con, ssl_dh_key_file,
- X509_FILETYPE_PEM);
- if (!rc)
- rc = SSL_use_PrivateKey_file(con, ssl_dsa_cert_file,
- X509_FILETYPE_PEM);
- if (!rc)
- {
- if ( !quiet || ssl_debug_flag ) {
- printf("Error loading key from %s\r\n",
- ssl_dh_key_file);
- }
- } else {
- rc = SSL_check_private_key(con);
- if (!rc)
- {
- if ( ssl_debug_flag )
- printf(
- "Private key does not match the certificate public key\n");
- }
- }
- }
- }
- } else {
- if (ssl_rsa_cert_file) {
- if ( ssl_debug_flag )
- printf("Loading RSA certificate into SSL\r\n");
- rc = SSL_CTX_use_certificate_file(ctx, ssl_rsa_cert_file,
- X509_FILETYPE_PEM);
- if (!rc)
- {
- if ( !quiet || ssl_debug_flag )
- printf("Error loading certificate from %s\r\n",
- ssl_rsa_cert_file);
- } else {
- if (!ssl_rsa_key_file || !ssl_rsa_key_file[0])
- makestr(&ssl_rsa_key_file,ssl_rsa_cert_file);
- rc = SSL_CTX_use_PrivateKey_file(ctx, ssl_rsa_key_file,
- X509_FILETYPE_PEM);
- if (!rc)
- rc = SSL_CTX_use_PrivateKey_file(ctx, ssl_rsa_cert_file,
- X509_FILETYPE_PEM);
- if (!rc) {
- if ( ssl_debug_flag )
- printf("Error loading key from %s\r\n",ssl_rsa_key_file);
- } else {
- rc = SSL_CTX_check_private_key(ctx);
- if (!rc) {
- if ( ssl_debug_flag )
- printf(
- "Private key does not match the certificate public key\r\n");
- }
- }
- }
- }
- if (ssl_dsa_cert_file) {
- if ( ssl_debug_flag )
- printf("Loading DSA certificate into SSL\r\n");
- rc = SSL_CTX_use_certificate_file(ctx, ssl_dsa_cert_file,
- X509_FILETYPE_PEM);
- if (!rc) {
- if ( ssl_debug_flag ) {
- printf("Error loading certificate from %s\r\n",
- ssl_dsa_cert_file);
- }
- } else {
- if (!ssl_dh_key_file || !ssl_dh_key_file[0])
- makestr(&ssl_dh_key_file,ssl_dsa_cert_file);
- rc = SSL_CTX_use_PrivateKey_file(ctx, ssl_dh_key_file,
- X509_FILETYPE_PEM);
- if (!rc)
- rc = SSL_CTX_use_PrivateKey_file(ctx, ssl_dsa_cert_file,
- X509_FILETYPE_PEM);
- if (!rc) {
- if ( ssl_debug_flag )
- printf("Error loading key from %s\r\n",ssl_dh_key_file);
- } else {
- rc = SSL_CTX_check_private_key(ctx);
- if (!rc) {
- if ( ssl_debug_flag )
- printf(
- "Private key does not match the certificate public key\n");
- }
- }
- }
- }
- }
- if (ssl_rsa_cert_chain_file && server) {
- int skip1st = 0;
- if (ssl_debug_flag)
- printf("Loading RSA Certificate Chain into SSL\r\n");
- if (!ckstrcmp(ssl_rsa_cert_chain_file,ssl_rsa_cert_file,-1,
- #ifdef OS2
- 0
- #else
- 1
- #endif /* OS2 */
- ))
- skip1st = 1;
- rc = SSL_CTX_use_certificate_chain_file(ctx,ssl_rsa_cert_chain_file);
- if (!rc && ssl_debug_flag)
- printf("Error loading RSA Certificate Chain into SSL\r\n");
- }
- if (ssl_dsa_cert_chain_file && server) {
- int skip1st = 0;
- if (ssl_debug_flag)
- printf("Loading DSA Certificate Chain into SSL\r\n");
- if (!ckstrcmp(ssl_dsa_cert_chain_file,ssl_dsa_cert_file,-1,
- #ifdef OS2
- 0
- #else
- 1
- #endif /* OS2 */
- ))
- skip1st = 1;
- rc = SSL_CTX_use_certificate_chain_file(ctx,ssl_dsa_cert_chain_file);
- if (!rc && ssl_debug_flag)
- printf("Error loading DSA Certificate Chain into SSL\r\n");
- }
- return(rc);
- }
- VOID
- #ifdef CK_ANSIC
- ssl_once_init(void)
- #else
- ssl_once_init()
- #endif /* CK_ANSIC */
- {
- COMP_METHOD * cm;
- char * s;
- if ( !ck_ssleay_is_installed() )
- return;
- /*
- Pre-OpenSSL 1.0.0 comment:
- OpenSSL does not provide for ABI compatibility between releases prior
- to version 1.0.0. If the version does not match, it is not safe to
- assume that any function you call takes the same parameters or does
- the same thing with them. Removing this test prior to the OpenSSL 1.0.0
- release will result in an increase in unexplained or incorrect behaviors.
- The test should be revised once OpenSSL 1.0.0 is released and we see what
- its claims are as to ABI compatibility.
- */
- /*
- Post-OpenSSL 1.0.0 comment:
- OpenSSL does not provide for ABI compatibility between releases prior
- to version 1.0.0. After 1.0, the following holds:
- Changes to last letter: security and bugfix only, no new features.
- E.g. 1.0.0->1.0.0a
- Changes to last number: new ABI compatible features.
- E.g. 1.0.0->1.0.1
- Changes to middle number: major release, ABI compatibility not guaranteed.
- E.g. 1.0.0->1.1.0
- (per Dr. Stephen Henson)
- */
- debug(F111,"Kermit built for OpenSSL",OPENSSL_VERSION_TEXT,SSLEAY_VERSION_NUMBER);
- #ifndef OS2ONLY
- debug(F111,"OpenSSL Library",SSLeay_version(SSLEAY_VERSION),
- SSLeay());
- debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_BUILT_ON),0);
- debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_CFLAGS),0);
- debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0);
- /* The following test is suggested by Richard Levitte */
- /* if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f) */
- /* Modified by Adam Friedlander for OpenSSL >= 1.0.0 */
- if (OPENSSL_VERSION_NUMBER > SSLeay()
- || ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & COMPAT_VERSION_MASK)
- #ifdef OS2
- || ckstrcmp(OPENSSL_VERSION_TEXT,(char *)SSLeay_version(SSLEAY_VERSION),-1,1)
- #endif /* OS2 */
- ) {
- ssl_installed = 0;
- debug(F111,"OpenSSL Version does not match. Built with",
- SSLeay_version(SSLEAY_VERSION),SSLEAY_VERSION_NUMBER);
- printf("?OpenSSL libraries do not match required version:\r\n");
- printf(" . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT);
- printf(" . Version found %s\r\n",SSLeay_version(SSLEAY_VERSION));
- #ifdef OPENSSL_100
- printf(" OpenSSL versions 1.0.0 or newer must be the same\r\n");
- printf(" major and minor version number, and Kermit may not\r\n");
- printf(" be used with a version of OpenSSL older than the one\r\n");
- printf(" supplied at compile time.\r\n");
- #else
- printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
- #endif /* OPENSSL_100 */
- s = "R";
- #ifdef SOLARIS
- printf(" Set CD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
- s = " Or r";
- #endif /* SOLARIS */
- #ifdef HPUX
- printf(" Set SHLIB_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
- s = " Or r";
- #endif /* HPUX */
- #ifdef AIX
- printf(" Set LIBPATH for %s.\r\n",OPENSSL_VERSION_TEXT);
- s = " Or r";
- #endif /* AIX */
- #ifdef LINUX
- printf(" Set LD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
- s = " Or r";
- #endif /* LINUX */
- printf(" %sebuild C-Kermit from source on this computer to make \
- versions agree.\r\n",s);
- #ifdef KTARGET
- {
- char * s;
- s = KTARGET;
- if (!s) s = "";
- if (!*s) s = "(unknown)";
- printf(" C-Kermit makefile target: %s\r\n",s);
- }
- #endif /* KTARGET */
- printf(" Or if that is what you did then try to find out why\r\n");
- printf(" the program loader (image activator) is choosing a\r\n");
- printf(" different OpenSSL library than the one specified in \
- the build.\r\n\r\n");
- printf(" All SSL/TLS features disabled.\r\n\r\n");
- bleep(BP_FAIL);
- #ifdef SSLDLL
- ck_ssl_unloaddll();
- ck_crypto_unloaddll();
- #endif /* SSLDLL */
- return;
- }
- #endif /* OS2ONLY */
- /* init things so we will get meaningful error messages
- * rather than numbers
- */
- SSL_load_error_strings();
- #ifdef SSHBUILTIN
- OPENSSL_add_all_algorithms_noconf();
- #else
- /* SSL_library_init() only loads those ciphers needs for SSL */
- /* These happen to be a similar set to those required for SSH */
- /* but they are not a complete set of ciphers provided by the */
- /* crypto library. */
- SSL_library_init();
- #endif /* SSHBUILTIN */
- #ifdef ZLIB
- cm = COMP_zlib();
- if (cm != NULL && COMP_get_type(cm) != NID_undef) {
- SSL_COMP_add_compression_method(0xe0, cm); /* EAY's ZLIB ID */
- }
- #endif /* ZLIB */
- #if 0 /* COMP_rle has apparently been removed in OpenSSL 1.1 */
- cm = COMP_rle();
- if (cm != NULL && cm->type != NID_undef)
- SSL_COMP_add_compression_method(0xe1, cm); /* EAY's RLE ID */
- #endif
- /* Ensure the Random number generator has enough entropy */
- if ( !RAND_status() ) {
- char buffer[256]="";
- char randombytes[256];
- int rc1 = -1, rc2 = 1; /* assume failure and success */
- debug(F110,"ssl_once_init","!RAND_status()",0);
- if ( ssl_rnd_file == NULL ) {
- debug(F110,"ssl_rnd_file","ssl_rnd_file is NULL",0);
- RAND_file_name(buffer,256);
- if ( buffer[0] )
- makestr(&ssl_rnd_file, buffer);
- else
- makestr(&ssl_rnd_file,".rnd");
- }
- debug(F110,"ssl_rnd_file",ssl_rnd_file,0);
- #ifndef OPENSSL_NO_EGD /* ifdef Bernard Spil 12/2015 */
- rc1 = RAND_egd(ssl_rnd_file);
- debug(F111,"ssl_once_init","RAND_egd()",rc1);
- if ( rc1 <= 0 ) {
- rc2 = RAND_load_file(ssl_rnd_file, -1);
- debug(F111,"ssl_once_init","RAND_load_file()",rc1);
- }
- #endif /* OPENSSL_NO_EGD */
- if ( rc1 <= 0 && !rc2 )
- {
- time_t t = time(NULL);
- int tlen = sizeof(time_t);
- int pid = getpid();
- int plen = sizeof(int);
- int n;
- #ifndef RAND_MAX
- #define RAND_MAX 0x7FFF
- #endif
- debug(F110,"ssl_once_init","calling RAND_seed()",0);
- RAND_seed((unsigned char *)&t, tlen);
- RAND_seed((unsigned char *)&pid, plen);
- srand((unsigned int)t);
- sprintf(buffer, "%.0f", (((double)(rand()%RAND_MAX)/RAND_MAX)*
- (sizeof(randombytes)-128-1)));
- n = (atoi(buffer)+1)%(sizeof(randombytes)-128-1);
- RAND_seed(randombytes, 128);
- }
- if ( !RAND_status() ) {
- debug(F110,"ssl_once_init","Unable to initialize PRNG",0);
- printf(" Unable to load 'random state'\n");
- printf(" SSL and TLS are unavailble.\n");
- printf(" Use SET AUTH SSL RANDOM-FILE <file> command to provide random data.\n");
- printf(" Specified file will be overwritten with new random data after use.\n");
- return;
- }
- if ( ssl_rnd_file ) {
- int rc = RAND_write_file(ssl_rnd_file);
- debug(F111,"ssl_once_init","RAND_write_file()",rc);
- }
- }
- #ifdef NT
- // Initialize additional OID types for use when saving certs to a file
- OBJ_create("2.99999.3","SET.ex3","SET x509v3 extension 3");
- #endif /* NT */
- /* make sure we have somewhere we can log errors to */
- bio_err=BIO_new(BIO_s_mem());
- debug(F100,"ssl_once_init() complete","",0);
- }
- int
- #ifdef CK_ANSIC
- ssl_tn_init(int mode)
- #else
- ssl_tn_init(mode) int mode;
- #endif /* CK_ANSIC */
- {
- #ifdef KRB5
- extern char * k5_keytab;
- extern char * krb5_d_srv;
- #endif /* KRB5 */
- static int last_ssl_mode = -1;
- SSL * ssl_conx=NULL, * tls_conx=NULL;
- ssl_initialized = 0;
- if ( !ck_ssleay_is_installed() )
- return(0);
- debug(F111,"ssl_tn_init","mode",mode);
- if (ssl_debug_flag)
- printf("SSL_DEBUG_FLAG on\r\n");
- if (last_ssl_mode != mode) {
- if (ssl_ctx) {
- SSL_CTX_free(ssl_ctx);
- ssl_ctx = NULL;
- }
- if (tls_ctx) {
- SSL_CTX_free(tls_ctx);
- tls_ctx = NULL;
- }
- }
- if ( (last_ssl_mode != mode) || !ssl_ctx || !tls_ctx ) {
- if ( mode == SSL_CLIENT ) {
- ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
- /* This can fail because we do not have RSA available */
- if ( !ssl_ctx ) {
- debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
- #ifndef OPENSSL_NO_SSL3 /* ifdef Bernard Spil 12/2015 */
- ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
- #endif /* OPENSSL_NO_SSL3 */
- }
- if ( !ssl_ctx ) {
- debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
- last_ssl_mode = -1;
- return(0);
- }
- /*
- TLS 1.0 is the new default as of 5 Feb 2015.
- Previously this was commented out because
- "too many web servers still do not support TLSv1".
- Now we try TLS 1.0 first, falling back to SSL 2.3
- and SSL 3.0 in that order. Maybe there should be
- an option not to fall back.
- */
- tls_ctx=(SSL_CTX *)SSL_CTX_new(TLS_client_method());
- if ( tls_ctx ) {
- debug(F110,"ssl_tn_init","TLS_client_method OK",0);
- } else {
- debug(F110,"ssl_tn_init","TLS_client_method failed",0);
- /* This can fail because we do not have RSA available */
- tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
- if ( !tls_ctx ) {
- debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
- } else {
- debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
- #ifndef OPENSSL_NO_SSL3 /* ifdef Bernard Spil 12/2015 */
- tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
- #endif /* OPENSSL_NO_SSL3 */
- if ( !tls_ctx ) {
- debug(F110,
- "ssl_tn_init","TLS_client_method failed",0);
- debug(F110,
- "ssl_tn_init","All SSL client methods failed",0);
- last_ssl_mode = -1;
- return(0);
- }
- }
- }
- #ifdef USE_CERT_CB
- SSL_CTX_set_client_cert_cb(ssl_ctx,ssl_client_cert_callback);
- SSL_CTX_set_client_cert_cb(tls_ctx,ssl_client_cert_callback);
- #endif /* USE_CERT_CB */
- } else if (mode == SSL_SERVER) {
- /* We are a server */
- ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_server_method());
- /* This can fail because we do not have RSA available */
- if ( !ssl_ctx ) {
- debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
- #ifndef OPENSSL_NO_SSL3 /* ifdef Bernard Spil 12/2015 */
- ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
- #endif /* OPENSSL_NO_SSL3 */
- }
- if ( !ssl_ctx ) {
- debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
- last_ssl_mode = -1;
- return(0);
- }
- #ifdef COMMENT
- tls_ctx=(SSL_CTX *)SSL_CTX_new(TLS_server_method());
- #else /* COMMENT */
- tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_server_method());
- /* This can fail because we do not have RSA available */
- if ( !tls_ctx ) {
- debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
- tls_ctx=(SSL_CTX *)SSL_CTX_new(TLS_server_method());
- }
- #endif /* COMMENT */
- if ( !tls_ctx ) {
- debug(F110,"ssl_tn_init","TLS_server_method failed",0);
- last_ssl_mode = -1;
- return(0);
- }
- } else /* Unknown mode */
- return(0);
- if ( !inserver ) {
- SSL_CTX_set_default_passwd_cb(ssl_ctx,
- (pem_password_cb *)ssl_passwd_callback);
- SSL_CTX_set_default_passwd_cb(tls_ctx,
- (pem_password_cb *)ssl_passwd_callback);
- }
- /* for SSL switch on all the interoperability and bug
- * workarounds so that we will communicate with people
- * that cannot read poorly written specs :-)
- * for TLS be sure to prevent use of SSLv2
- */
- SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
- SSL_CTX_set_options(tls_ctx,
- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
- SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
- SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
- #ifndef COMMENT
- /* Set the proper caching mode */
- if ( mode == SSL_SERVER ) {
- SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_SERVER);
- SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_SERVER);
- } else {
- SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_CLIENT);
- SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_CLIENT);
- }
- SSL_CTX_set_session_id_context(ssl_ctx,(CHAR *)"1",1);
- SSL_CTX_set_session_id_context(tls_ctx,(CHAR *)"2",1);
- #else /* COMMENT */
- SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_OFF);
- SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_OFF);
- #endif /* COMMENT */
- }
- /* The server uses defaults for the certificate files. */
- /* The client does not. */
- if (mode == SSL_SERVER) {
- char cert_filepath[1024];
- const char * defdir = NULL;
- DH * dh = NULL;
- defdir = getenv("SSL_CERT_DIR");
- if ( !defdir ) {
- #ifdef OS2
- defdir = exedir;
- #else /* OS2 */
- defdir = X509_get_default_cert_dir();
- #endif /* OS2 */
- debug(F110,"ssl_tn_init - setting default directory to",defdir,0);
- }
- if ( !defdir )
- defdir = "";
- if (!ssl_rsa_cert_file) {
- /* we need to know the fullpath to the location of the
- * certificate that we will be running with as we cannot
- * be sure of the cwd when we are launched
- */
- sprintf(cert_filepath,"%s/%s",defdir,"telnetd-rsa.pem");
- if (zchki(cert_filepath) > 0)
- makestr(&ssl_rsa_cert_file,cert_filepath);
- }
- if (ssl_rsa_cert_file && !ssl_rsa_key_file) {
- /* we need to know the fullpath to the location of the
- * certificate that we will be running with as we cannot
- * be sure of the cwd when we are launched
- */
- sprintf(cert_filepath,"%s/%s",defdir,"telnetd-rsa-key.pem");
- if (zchki(cert_filepath) > 0)
- makestr(&ssl_rsa_key_file,cert_filepath);
- }
- if (!ssl_dsa_cert_file) {
- /* we need to know the fullpath to the location of the
- * certificate that we will be running with as we cannot
- * be sure of the cwd when we are launched
- */
- sprintf(cert_filepath,"%s/%s",defdir,"telnetd-dsa.pem");
- if (zchki(cert_filepath) > 0)
- makestr(&ssl_dsa_cert_file,cert_filepath);
- }
- if (ssl_dsa_cert_file && !ssl_dh_key_file) {
- /* we need to know the fullpath to the location of the
- * certificate that we will be running with as we cannot
- * be sure of the cwd when we are launched
- */
- sprintf(cert_filepath,"%s/%s",defdir,"telnetd-dsa-key.pem");
- if (zchki(cert_filepath) > 0)
- makestr(&ssl_dh_key_file,cert_filepath);
- }
- if (!ssl_crl_dir) {
- /* we need to know the fullpath to the location of the
- * certificate that we will be running with as we cannot
- * be sure of the cwd when we are launched
- */
- sprintf(cert_filepath,"%s/crl",defdir);
- if (zchki(cert_filepath) > 0)
- makestr(&ssl_crl_dir,cert_filepath);
- }
- if (ssl_only_flag && !tls_load_certs(ssl_ctx,ssl_con,1)) {
- debug(F110,"ssl_tn_init","Unable to load SSL certs",0);
- last_ssl_mode = -1;
- return(0);
- }
- if (tls_only_flag && !tls_load_certs(tls_ctx,tls_con,1)) {
- debug(F110,"ssl_tn_init","Unable to load TLS certs",0);
- last_ssl_mode = -1;
- return(0);
- }
- if ( (last_ssl_mode != mode) || !ssl_ctx || !tls_ctx ) {
- /* we may require a temp 512 bit RSA key because of the
- * wonderful way export things work ... if so we generate
- * one now!
- */
- SSL_CTX_set_tmp_rsa_callback(ssl_ctx, tmp_rsa_cb);
- SSL_CTX_set_tmp_dh_callback( ssl_ctx, tmp_dh_cb);
- SSL_CTX_set_tmp_rsa_callback(tls_ctx, tmp_rsa_cb);
- SSL_CTX_set_tmp_dh_callback( tls_ctx, tmp_dh_cb);
- dh = tmp_dh_cb(NULL,0,512);
- SSL_CTX_set_tmp_dh(ssl_ctx,dh);
- SSL_CTX_set_tmp_dh(tls_ctx,dh);
- /* The following code is only called if we are using a
- * certificate with an RSA public key and where the
- * certificate has a key length less than 512 bits or is
- * marked for signing only. This is so we can support
- * the greatest legal privacy level with exportable clients.
- */
- if (SSL_CTX_need_tmp_RSA(ssl_ctx) ||
- SSL_CTX_need_tmp_RSA(tls_ctx))
- {
- RSA *rsa;
- if ( ssl_debug_flag )
- printf("Generating temp (512 bit) RSA key ...\r\n");
- rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
- if ( ssl_debug_flag )
- printf("Generation of temp (512 bit) RSA key done\r\n");
- if (SSL_CTX_need_tmp_RSA(ssl_ctx)) {
- if (!SSL_CTX_set_tmp_rsa(ssl_ctx,rsa)) {
- if ( ssl_debug_flag )
- printf(
- "Failed to assign generated temp RSA key to SSL!\r\n");
- }
- }
- if (SSL_CTX_need_tmp_RSA(tls_ctx)) {
- if (!SSL_CTX_set_tmp_rsa(tls_ctx,rsa)) {
- if ( ssl_debug_flag )
- printf(
- "Failed to assign generated temp RSA key to TLS!\r\n");
- }
- }
- RSA_free(rsa);
- if ( ssl_debug_flag )
- printf("Assigned temp (512 bit) RSA key\r\n");
- }
- }
- }
- /* make sure we will find certificates in the standard
- * location ... otherwise we don't look anywhere for
- * these things which is going to make client certificate
- * exchange rather useless :-)
- * In OS2, default values for ssl_verify_file and ssl_verify_path.
- */
- #ifdef OS2
- #ifdef NT
- {
- /* The defaults in the SSL crypto library are not appropriate for OS/2 */
- char path[CKMAXPATH];
- ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL);
- if (isdir(path) &&
- SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) {
- debug(F110,"ssl_tn_init certificate verify dir",path,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification Directory: %s\r\n",path);
- SSL_CTX_load_verify_locations(ssl_ctx,NULL,path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/certs",NULL,NULL);
- if (isdir(path) &&
- SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) {
- debug(F110,"ssl_tn_init certificate verify dir",path,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification Directory: %s\r\n",path);
- SSL_CTX_load_verify_locations(ssl_ctx,NULL,path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/certs",NULL,NULL);
- if (isdir(path) &&
- SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) {
- debug(F110,"ssl_tn_init certificate verify dir",path,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification Directory: %s\r\n",path);
- SSL_CTX_load_verify_locations(ssl_ctx,NULL,path);
- }
- ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL);
- if (zchki(path) > 0 &&
- SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) {
- debug(F110,"ssl_tn_init certificate verify file",path,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification File: %s\r\n",path);
- SSL_CTX_load_verify_locations(ssl_ctx,path,NULL);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_certs.pem",NULL,NULL);
- if (zchki(path) > 0 &&
- SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) {
- debug(F110,"ssl_tn_init certificate verify file",path,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification File: %s\r\n",path);
- SSL_CTX_load_verify_locations(ssl_ctx,path,NULL);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_certs.pem",NULL,NULL);
- if (zchki(path) > 0 &&
- SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) {
- debug(F110,"ssl_tn_init certificate verify file",path,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification File: %s\r\n",path);
- SSL_CTX_load_verify_locations(ssl_ctx,path,NULL);
- }
- }
- #else /* NT */
- {
- /* The defaults in the SSL crypto library are not appropriate for OS/2 */
- char path[CKMAXPATH];
- ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL);
- if (isdir(path) &&
- SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) {
- debug(F110,"ssl_tn_init certificate verify dir",path,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification Directory: %s\r\n",path);
- SSL_CTX_load_verify_locations(ssl_ctx,NULL,path);
- }
- ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL);
- if (zchki(path) > 0 &&
- SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) {
- debug(F110,"ssl_tn_init certificate verify file",path,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification File: %s\r\n",path);
- SSL_CTX_load_verify_locations(ssl_ctx,path,NULL);
- }
- }
- #endif /* NT */
- #else /* OS2 */
- SSL_CTX_set_default_verify_paths(ssl_ctx);
- SSL_CTX_set_default_verify_paths(tls_ctx);
- #endif /* OS2 */
- if (ssl_verify_file) {
- if (zchki(ssl_verify_file) > 0 &&
- SSL_CTX_load_verify_locations(tls_ctx,ssl_verify_file,NULL) == 1) {
- debug(F110,"ssl_tn_init certificate verify file",ssl_verify_file,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification File: %s\r\n",ssl_verify_file);
- SSL_CTX_load_verify_locations(ssl_ctx,ssl_verify_file,NULL);
- }
- }
- if (ssl_verify_dir && isdir(ssl_verify_dir)) {
- if (SSL_CTX_load_verify_locations(tls_ctx,NULL,ssl_verify_dir) == 1) {
- debug(F110,"ssl_tn_init certificate verify dir",ssl_verify_dir,0);
- if (ssl_debug_flag)
- printf(" Certificate Verification Directory: %s\r\n",ssl_verify_dir);
- SSL_CTX_load_verify_locations(ssl_ctx,NULL,ssl_verify_dir);
- }
- }
- if (mode == SSL_SERVER) {
- SSL_CTX_set_verify(ssl_ctx,
- ssl_verify_flag?ssl_verify_flag|SSL_VERIFY_CLIENT_ONCE:0,
- ssl_server_verify_callback);
- SSL_CTX_set_verify(tls_ctx,
- ssl_verify_flag?ssl_verify_flag|SSL_VERIFY_CLIENT_ONCE:0,
- ssl_server_verify_callback);
- } else {
- SSL_CTX_set_verify(ssl_ctx,ssl_verify_flag,
- ssl_client_verify_callback);
- SSL_CTX_set_verify(tls_ctx,ssl_verify_flag,
- ssl_client_verify_callback);
- }
- /* Free the existing CRL Store */
- if (crl_store) {
- X509_STORE_free(crl_store);
- crl_store = NULL;
- }
- /* set up the new CRL Store */
- crl_store = X509_STORE_new();
- if (crl_store) {
- #ifdef OS2
- char path[CKMAXPATH];
- ckmakmsg(path,CKMAXPATH,exedir,"crls",NULL,NULL);
- if (isdir(path) &&
- X509_STORE_load_locations(crl_store,NULL,path) == 1) {
- debug(F110,"ssl_tn_init crl dir",path,0);
- if (ssl_debug_flag)
- printf(" CRL Directory: %s\r\n",path);
- }
- #ifdef NT
- ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/crls",NULL,NULL);
- if (isdir(path) &&
- X509_STORE_load_locations(crl_store,NULL,path) == 1) {
- debug(F110,"ssl_tn_init crl dir",path,0);
- if (ssl_debug_flag)
- printf(" CRL Directory: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/crls",NULL,NULL);
- if (isdir(path) &&
- X509_STORE_load_locations(crl_store,NULL,path) == 1) {
- debug(F110,"ssl_tn_init crl dir",path,0);
- if (ssl_debug_flag)
- printf(" CRL Directory: %s\r\n",path);
- }
- #endif /* NT */
-
- ckmakmsg(path,CKMAXPATH,exedir,"ca_crls.pem",NULL,NULL);
- if (zchki(path) > 0 &&
- X509_STORE_load_locations(crl_store,path,NULL) == 1) {
- debug(F110,"ssl_tn_init crl file",path,0);
- if (ssl_debug_flag)
- printf(" CRL File: %s\r\n",path);
- }
- #ifdef NT
- ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_crls.pem",NULL,NULL);
- if (zchki(path) > 0 &&
- X509_STORE_load_locations(crl_store,path,NULL) == 1) {
- debug(F110,"ssl_tn_init crl file",path,0);
- if (ssl_debug_flag)
- printf(" CRL File: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_crls.pem",NULL,NULL);
- if (zchki(path) > 0 &&
- X509_STORE_load_locations(crl_store,path,NULL) == 1) {
- debug(F110,"ssl_tn_init crl file",path,0);
- if (ssl_debug_flag)
- printf(" CRL File: %s\r\n",path);
- }
- #endif /* NT */
- #endif /* OS2 */
- if (ssl_crl_file || ssl_crl_dir) {
- if (ssl_crl_file && zchki(ssl_crl_file) > 0 &&
- X509_STORE_load_locations(crl_store,ssl_crl_file,NULL) == 1) {
- debug(F110,"ssl_tn_init crl file",ssl_crl_file,0);
- if (ssl_debug_flag)
- printf(" CRL File: %s\r\n",ssl_crl_file);
- }
- if (ssl_crl_dir && isdir(ssl_crl_dir) &&
- X509_STORE_load_locations(crl_store,NULL,ssl_crl_dir) == 1) {
- debug(F110,"ssl_tn_init crl dir",ssl_crl_dir,0);
- if (ssl_debug_flag)
- printf(" CRL Directory: %s\r\n",ssl_crl_dir);
- }
- }
- #ifndef OS2
- else {
- X509_STORE_set_default_paths(crl_store);
- }
- #endif /* OS2 */
- }
- #ifndef COMMENT
- ssl_conx = ssl_con;
- ssl_con=(SSL *)SSL_new(ssl_ctx);
- if ( !ssl_con ) {
- debug(F110,"ssl_tn_init","SSL_new(ssl_con) failed",0);
- last_ssl_mode = -1;
- ssl_con = ssl_conx;
- return(0);
- }
- if (ssl_conx) {
- if ( mode == SSL_CLIENT ) {
- SSL_set_session(ssl_con, SSL_get_session(ssl_conx));
- }
- #ifdef SSL_KRB5
- if (ssl_conx->kssl_ctx) {
- kssl_ctx_free(ssl_conx->kssl_ctx);
- ssl_conx->kssl_ctx = NULL;
- }
- #endif /* SSL_KRB5 */
- SSL_free(ssl_conx);
- ssl_conx = NULL;
- }
- tls_conx = tls_con;
- tls_con=(SSL *)SSL_new(tls_ctx);
- if ( !tls_con ) {
- debug(F110,"ssl_tn_init","SSL_new(tls_con) failed",0);
- last_ssl_mode = -1;
- tls_con = tls_conx;
- return(0);
- }
- if (tls_conx) {
- if ( mode == SSL_CLIENT )
- SSL_set_session(tls_con, SSL_get_session(tls_conx));
- #ifdef SSL_KRB5
- if (tls_conx->kssl_ctx) {
- kssl_ctx_free(tls_conx->kssl_ctx);
- tls_conx->kssl_ctx = NULL;
- }
- #endif /* SSL_KRB5 */
- SSL_free(tls_conx);
- tls_conx = NULL;
- }
- #else /* COMMENT */
- /* I don't know why this does not work to reuse the connection. */
- if ( ssl_con ) {
- SSL_clear(ssl_con);
- SSL_set_session(ssl_con,NULL);
- SSL_set_accept_state(ssl_con) ;
- } else {
- ssl_con=(SSL *)SSL_new(ssl_ctx);
- if (!ssl_con) {
- debug(F110,"ssl_tn_init","SSL_new(ssl_ctx) failed",0);
- last_ssl_mode = -1;
- ssl_con = ssl_conx;
- return(0);
- }
- }
- if ( tls_con ) {
- SSL_clear(tls_con);
- SSL_set_session(tls_con,NULL);
- SSL_set_accept_state(tls_con) ;
- } else {
- tls_con=(SSL *)SSL_new(tls_ctx);
- if ( !tls_con ) {
- debug(F110,"ssl_tn_init","SSL_new(tls_ctx) failed",0);
- last_ssl_mode = -1;
- tls_con = tls_conx;
- return(0);
- }
- }
- #endif /* COMMENT */
- #ifdef SSL_KRB5
- #ifndef KRB5_SERVICE_NAME
- #define KRB5_SERVICE_NAME "host"
- #endif
- if (ssl_con->kssl_ctx == NULL)
- ssl_con->kssl_ctx = kssl_ctx_new();
- if (tls_con->kssl_ctx == NULL)
- tls_con->kssl_ctx = kssl_ctx_new();
- if (mode == SSL_SERVER) {
- if (ssl_con->kssl_ctx != NULL)
- kssl_ctx_setstring(ssl_con->kssl_ctx, KSSL_KEYTAB, k5_keytab);
- if (tls_con->kssl_ctx != NULL)
- kssl_ctx_setstring(tls_con->kssl_ctx, KSSL_KEYTAB, k5_keytab);
- } else {
- if (ssl_con->kssl_ctx != NULL)
- kssl_ctx_setstring(ssl_con->kssl_ctx, KSSL_SERVER, szHostName);
- if (tls_con->kssl_ctx != NULL)
- kssl_ctx_setstring(tls_con->kssl_ctx, KSSL_SERVER, szHostName);
- }
- kssl_ctx_setstring(ssl_con->kssl_ctx, KSSL_SERVICE,
- krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME);
- kssl_ctx_setstring(tls_con->kssl_ctx, KSSL_SERVICE,
- krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME);
- #endif /* SSL_KRB5 */
- if (ssl_cipher_list) {
- SSL_set_cipher_list(ssl_con,ssl_cipher_list);
- SSL_set_cipher_list(tls_con,ssl_cipher_list);
- } else {
- char * p;
- if (p = getenv("SSL_CIPHER")) {
- SSL_set_cipher_list(ssl_con,p);
- SSL_set_cipher_list(tls_con,p);
- } else {
- SSL_set_cipher_list(ssl_con,DEFAULT_CIPHER_LIST);
- SSL_set_cipher_list(tls_con,DEFAULT_CIPHER_LIST);
- }
- }
- ssl_verify_depth = -1;
- if ( ssl_debug_flag )
- printf("SSL/TLS init done!\r\n");
- ssl_initialized = 1;
- last_ssl_mode = mode;
- debug(F110,"ssl_tn_init","done",0);
- return(1);
- }
- #ifndef NOHTTP
- int
- #ifdef CK_ANSIC
- ssl_http_init(char * hostname)
- #else
- ssl_http_init(hostname) char * hostname;
- #endif /* CK_ANSIC */
- {
- #ifdef KRB5
- extern char * k5_keytab;
- extern char * krb5_d_srv;
- #endif /* KRB5 */
- SSL * tls_conx=NULL;
- ssl_http_initialized = 0;
- if ( !ck_ssleay_is_installed() )
- return(0);
- debug(F110,"ssl_http_init",hostname,0);
- if (ssl_debug_flag)
- printf("SSL_DEBUG_FLAG on\r\n");
- if (!tls_http_ctx ) {
- /*
- TLS 1.0 is the new default as of 5 Feb 2015.
- Previously this was commented out because
- "too many web servers still do not support TLSv1".
- Now we try TLS 1.0 first, falling back to SSL 2.3
- and SSL 3.0 in that order. Maybe there should be
- an option not to fall back.
- */
- tls_http_ctx=(SSL_CTX *)SSL_CTX_new(TLS_client_method());
- if ( tls_http_ctx ) {
- debug(F110,"ssl_http_init","TLS_client_method OK",0);
- }
- }
- SSL_CTX_set_default_passwd_cb(tls_http_ctx,
- (pem_password_cb *)ssl_passwd_callback);
- /* for SSL switch on all the interoperability and bug
- * workarounds so that we will communicate with people
- * who cannot read poorly written specs :-)
- * for TLS be sure to prevent use of SSLv2
- */
- SSL_CTX_set_options(tls_http_ctx,
- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
- SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);
- #ifndef COMMENT
- SSL_CTX_set_session_cache_mode(tls_http_ctx,SSL_SESS_CACHE_CLIENT);
- SSL_CTX_set_session_id_context(tls_http_ctx,(CHAR *)"3",1);
- #else /* COMMENT */
- SSL_CTX_set_session_cache_mode(tls_http_ctx,SSL_SESS_CACHE_OFF);
- #endif /* COMMENT */
- /* make sure we will find certificates in the standard
- * location ... otherwise we don't look anywhere for
- * these things which is going to make client certificate
- * exchange rather useless :-)
- */
- #ifdef OS2
- #ifdef NT
- {
- /* The defaults in the SSL crypto library are not appropriate for OS/2 */
- char path[CKMAXPATH];
- ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL);
- if (SSL_CTX_load_verify_locations(tls_http_ctx,NULL,path) == 0) {
- debug(F110,"ssl_http_init unable to load path",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-dir: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/certs",NULL,NULL);
- if (SSL_CTX_load_verify_locations(tls_http_ctx,NULL,path) == 0) {
- debug(F110,"ssl_http_init unable to load path",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-dir: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/certs",NULL,NULL);
- if (SSL_CTX_load_verify_locations(tls_http_ctx,NULL,path) == 0) {
- debug(F110,"ssl_http_init unable to load path",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-dir: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL);
- if (SSL_CTX_load_verify_locations(tls_http_ctx,path,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load path",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-file: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_certs.pem",NULL,NULL);
- if (SSL_CTX_load_verify_locations(tls_http_ctx,path,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load path",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-file: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_certs.pem",NULL,NULL);
- if (SSL_CTX_load_verify_locations(tls_http_ctx,path,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load path",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-file: %s\r\n",path);
- }
- }
- #else /* NT */
- {
- /* The defaults in the SSL crypto library are not appropriate for OS/2 */
- char path[CKMAXPATH];
- ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL);
- if (SSL_CTX_load_verify_locations(tls_http_ctx,NULL,path) == 0) {
- debug(F110,"ssl_http_init unable to load path",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-dir: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL);
- if (SSL_CTX_load_verify_locations(tls_http_ctx,path,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load path",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-file: %s\r\n",path);
- }
- }
- #endif /* NT */
- #else /* OS2 */
- SSL_CTX_set_default_verify_paths(tls_http_ctx);
- #endif /* OS2 */
- if (ssl_verify_file &&
- SSL_CTX_load_verify_locations(tls_http_ctx,ssl_verify_file,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load ssl_verify_file",ssl_verify_file,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-file: %s\r\n",ssl_verify_file);
- }
- if (ssl_verify_dir &&
- SSL_CTX_load_verify_locations(tls_http_ctx,NULL,ssl_verify_dir) == 0) {
- debug(F110,"ssl_http_init unable to load ssl_verify_dir",ssl_verify_dir,0);
- if (ssl_debug_flag)
- printf("?Unable to load verify-dir: %s\r\n",ssl_verify_dir);
- }
- SSL_CTX_set_verify(tls_http_ctx,ssl_verify_flag,
- ssl_client_verify_callback);
- /* Free the existing CRL Store */
- if (crl_store) {
- X509_STORE_free(crl_store);
- crl_store = NULL;
- }
- /* set up the new CRL Store */
- crl_store = X509_STORE_new();
- if (crl_store) {
- #ifdef OS2
- char path[CKMAXPATH];
- ckmakmsg(path,CKMAXPATH,exedir,"crls",NULL,NULL);
- if (X509_STORE_load_locations(crl_store,NULL,path) == 0) {
- debug(F110,"ssl_http_init unable to load dir",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load crl-dir: %s\r\n",path);
- }
- #ifdef NT
- ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/crls",NULL,NULL);
- if (X509_STORE_load_locations(crl_store,NULL,path) == 0) {
- debug(F110,"ssl_http_init unable to load dir",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load crl-dir: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/crls",NULL,NULL);
- if (X509_STORE_load_locations(crl_store,NULL,path) == 0) {
- debug(F110,"ssl_http_init unable to load dir",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load crl-dir: %s\r\n",path);
- }
- #endif /* NT */
-
- ckmakmsg(path,CKMAXPATH,exedir,"ca_crls.pem",NULL,NULL);
- if (X509_STORE_load_locations(crl_store,path,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load file",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load crl-file: %s\r\n",path);
- }
- #ifdef NT
- ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_crls.pem",NULL,NULL);
- if (X509_STORE_load_locations(crl_store,path,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load file",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load crl-file: %s\r\n",path);
- }
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_crls.pem",NULL,NULL);
- if (X509_STORE_load_locations(crl_store,path,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load file",path,0);
- if (ssl_debug_flag)
- printf("?Unable to load crl-file: %s\r\n",path);
- }
- #endif /* NT */
- #endif /* OS2 */
- if (ssl_crl_file || ssl_crl_dir) {
- if (ssl_crl_file &&
- X509_STORE_load_locations(crl_store,ssl_crl_file,NULL) == 0) {
- debug(F110,"ssl_http_init unable to load ssl_crl_file",ssl_crl_file,0);
- if (ssl_debug_flag)
- printf("?Unable to load crl-file: %s\r\n",ssl_crl_file);
- }
- if (ssl_crl_dir &&
- X509_STORE_load_locations(crl_store,NULL,ssl_crl_dir) == 0) {
- debug(F110,"ssl_http_init unable to load ssl_crl_dir",ssl_crl_dir,0);
- if (ssl_debug_flag)
- printf("?Unable to load crl-dir: %s\r\n",ssl_crl_dir);
- }
- } else {
- X509_STORE_set_default_paths(crl_store);
- }
- }
- #ifndef COMMENT
- tls_conx = tls_http_con;
- tls_http_con=(SSL *)SSL_new(tls_http_ctx);
- if ( !tls_http_con ) {
- debug(F110,"ssl_http_init","SSL_new(tls_http_con) failed",0);
- tls_http_con = tls_conx;
- return(0);
- }
- if (tls_conx) {
- SSL_set_session(tls_http_con, SSL_get_session(tls_conx));
- #ifdef SSL_KRB5
- if (tls_conx->kssl_ctx) {
- kssl_ctx_free(tls_conx->kssl_ctx);
- tls_conx->kssl_ctx = NULL;
- }
- #endif /* SSL_KRB5 */
- SSL_free(tls_conx);
- tls_conx = NULL;
- }
- #else /* COMMENT */
- /* I don't know why this does not work to reuse the connection. */
- if ( tls_http_con ) {
- SSL_clear(tls_http_con);
- SSL_set_session(tls_http_con,NULL);
- SSL_set_accept_state(tls_http_con) ;
- } else {
- tls_http_con=(SSL *)SSL_new(tls_http_ctx);
- if ( !tls_http_con ) {
- debug(F110,"ssl_http_init","SSL_new(tls_http_ctx) failed",0);
- tls_http_con = tls_conx;
- return(0);
- }
- }
- #endif /* COMMENT */
- #ifdef SSL_KRB5
- #ifndef KRB5_SERVICE_NAME
- #define KRB5_SERVICE_NAME "host"
- #endif
- if (tls_http_con->kssl_ctx == NULL)
- tls_http_con->kssl_ctx = kssl_ctx_new();
- if (tls_http_con->kssl_ctx != NULL)
- kssl_ctx_setstring(tls_http_con->kssl_ctx, KSSL_SERVER, hostname);
- kssl_ctx_setstring(tls_http_con->kssl_ctx, KSSL_SERVICE,
- krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME);
- #endif /* SSL_KRB5 */
- if (ssl_cipher_list)
- SSL_set_cipher_list(tls_http_con,ssl_cipher_list);
- else {
- char * p;
- if (p = getenv("SSL_CIPHER")) {
- SSL_set_cipher_list(tls_http_con,p);
- } else {
- SSL_set_cipher_list(tls_http_con,DEFAULT_CIPHER_LIST);
- }
- }
- ssl_verify_depth = -1;
- if ( ssl_debug_flag )
- printf("SSL/TLS init done!\r\n");
- ssl_http_initialized = 1;
- return(1);
- }
- #endif /* NOHTTP */
- char *
- ssl_get_dNSName(ssl) SSL * ssl;
- {
- static char *dns = NULL;
- X509 *server_cert = NULL;
- int i;
- X509_EXTENSION *ext = NULL;
- STACK_OF(GENERAL_NAME) *ialt = NULL;
- GENERAL_NAME *gen = NULL;
- if ( dns ) {
- free(dns);
- dns = NULL;
- }
- if (server_cert = SSL_get_peer_certificate(ssl)) {
- if ((i = X509_get_ext_by_NID(server_cert, NID_subject_alt_name, -1))<0)
- return NULL;
- if (!(ext = X509_get_ext(server_cert, i)))
- return NULL;
- X509V3_add_standard_extensions();
- if (!(ialt = X509V3_EXT_d2i(ext)))
- return NULL;
- for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
- gen = sk_GENERAL_NAME_value(ialt, i);
- if (gen->type == GEN_DNS) {
- if (!gen->d.ia5 || !gen->d.ia5->length)
- break;
- if (strlen((char *)gen->d.ia5->data) != gen->d.ia5->length) {
- /* Ignoring IA5String containing null character */
- continue;
- }
- dns = malloc(gen->d.ia5->length + 1);
- if (dns) {
- memcpy(dns, gen->d.ia5->data, gen->d.ia5->length);
- dns[gen->d.ia5->length] = 0;
- }
- break;
- }
- }
- X509V3_EXT_cleanup();
- }
- cleanup:
- if (ialt) sk_GENERAL_NAME_free(ialt);
- if (server_cert) X509_free(server_cert);
- return dns;
- }
- char *
- ssl_get_commonName(ssl) SSL * ssl; {
- static char name[256];
- int name_text_len;
- int err;
- X509 *server_cert;
- name_text_len = 0;
- if (server_cert = SSL_get_peer_certificate(ssl)) {
- name_text_len =
- X509_NAME_get_text_by_NID(X509_get_subject_name(server_cert),
- NID_commonName, name, sizeof(name));
- X509_free(server_cert);
- }
- if (name_text_len <= 0) {
- /* Common Name was empty or not retrieved */
- err = 0;
- } else if (strlen(name) != name_text_len) {
- /* Ignoring Common Name containing null character */
- err = 0;
- } else {
- err = 1;
- }
- if (err > 0)
- return name;
- else
- return NULL;
- }
- char *
- ssl_get_issuer_name(ssl) SSL * ssl;
- {
- static char name[256];
- X509 *server_cert;
- name[0] = '\0';
- if (server_cert = SSL_get_peer_certificate(ssl)) {
- X509_NAME_oneline(X509_get_issuer_name(server_cert),name,sizeof(name));
- X509_free(server_cert);
- return name;
- }
- else {
- #ifdef COMMENT
- fprintf(stderr, "Warning: No certificate from server!\r\n");
- #endif /* COMMENT */
- return NULL;
- }
- }
- char *
- ssl_get_subject_name(ssl) SSL * ssl;
- {
- static char name[256];
- X509 *server_cert;
- name[0] = '\0';
- if (server_cert = SSL_get_peer_certificate(ssl)) {
- X509_NAME_oneline(X509_get_subject_name(server_cert),name,sizeof(name));
- X509_free(server_cert);
- return name;
- }
- else
- return NULL;
- }
- #ifdef COMMENT
- #ifdef CK_SSL
- && !(ck_ssleay_is_installed() &&
- (tls_active_flag || ssl_active_flag) &&
- ssl_anonymous_cipher(tls_active_flag?tls_con:ssl_con))
- #endif /* CK_SSL */
- int
- ssl_anonymous_cipher(ssl) SSL * ssl;
- {
- X509 * cert;
- if (sstelnet)
- cert = SSL_get_certificate(ssl);
- else
- cert = SSL_get_peer_certificate(ssl);
- if ( cert ) {
- X509_free(cert);
- return 0;
- }
- return 1;
- }
- #endif /* COMMENT */
- /*
- This one is (very much!) based on work by
- Ralf S. Engelschall <rse@engelschall.com>.
- Comments by Ralf.
- */
- int
- ssl_verify_crl(int ok, X509_STORE_CTX *ctx)
- {
- X509_OBJECT *obj;
- X509_NAME *subject = NULL;
- X509_NAME *issuer = NULL;
- X509 *xs = NULL;
- X509_CRL *crl = NULL;
- X509_REVOKED *revoked = NULL;
- X509_STORE_CTX * store_ctx = NULL;
- long serial;
- BIO *bio = NULL;
- int i, n, rc;
- char *cp;
- char *cp2;
- /*
- * Unless a revocation store for CRLs was created we
- * cannot do any CRL-based verification, of course.
- */
- if (!crl_store)
- return ok;
- store_ctx = X509_STORE_CTX_new();
- if ( !store_ctx )
- return(ok);
- /*
- * Determine certificate ingredients in advance
- */
- xs = X509_STORE_CTX_get_current_cert(ctx);
- subject = X509_get_subject_name(xs);
- issuer = X509_get_issuer_name(xs);
- /*
- * OpenSSL provides the general mechanism to deal with CRLs but does not
- * use them automatically when verifying certificates, so we do it
- * explicitly here. We will check the CRL for the currently checked
- * certificate, if there is such a CRL in the store.
- *
- * We come through this procedure for each certificate in the certificate
- * chain, starting with the root-CA's certificate. At each step we've to
- * both verify the signature on the CRL (to make sure it's a valid CRL)
- * and it's revocation list (to make sure the current certificate isn't
- * revoked). But because to check the signature on the CRL we need the
- * public key of the issuing CA certificate (which was already processed
- * one round before), we've a little problem. But we can both solve it and
- * at the same time optimize the processing by using the following
- * verification scheme (idea and code snippets borrowed from the GLOBUS
- * project):
- *
- * 1. We'll check the signature of a CRL in each step when we find a CRL
- * through the _subject_ name of the current certificate. This CRL
- * itself will be needed the first time in the next round, of course.
- * But we do the signature processing one round before this where the
- * public key of the CA is available.
- *
- * 2. We'll check the revocation list of a CRL in each step when
- * we find a CRL through the _issuer_ name of the current certificate.
- * This CRLs signature was then already verified one round before.
- *
- * This verification scheme allows a CA to revoke its own certificate as
- * well, of course.
- */
- /*
- * Try to retrieve a CRL corresponding to the _subject_ of
- * the current certificate in order to verify it's integrity.
- */
- obj = X509_OBJECT_new();
- if (!obj) {
- X509_STORE_CTX_free(store_ctx);
- return ok;
- }
- X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL);
- rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
- X509_STORE_CTX_cleanup(store_ctx);
- crl = X509_OBJECT_get0_X509_CRL(obj);
- if (rc > 0 && crl != NULL) {
- /*
- * Verify the signature on this CRL
- */
- if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) {
- fprintf(stderr, "Invalid signature on CRL!\n");
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
- X509_OBJECT_free(obj);
- X509_STORE_CTX_free(store_ctx);
- return 0;
- }
- /*
- * Check date of CRL to make sure it's not expired
- */
- i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
- if (i == 0) {
- fprintf(stderr, "Found CRL has invalid nextUpdate field.\n");
- X509_STORE_CTX_set_error(ctx,
- X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
- X509_OBJECT_free(obj);
- X509_STORE_CTX_free(store_ctx);
- return 0;
- }
- if (i < 0) {
- fprintf(stderr,
- "Found CRL is expired - revoking all certificates until you get updated CRL.\n"
- );
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
- X509_OBJECT_free(obj);
- X509_STORE_CTX_free(store_ctx);
- return 0;
- }
- }
- /*
- * Try to retrieve a CRL corresponding to the _issuer_ of
- * the current certificate in order to check for revocation.
- */
- X509_OBJECT_free(obj);
- obj = X509_OBJECT_new();
- if (!obj) {
- X509_STORE_CTX_free(store_ctx);
- return ok;
- }
- X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL);
- rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
- X509_STORE_CTX_free(store_ctx); /* calls X509_STORE_CTX_cleanup() */
- crl = X509_OBJECT_get0_X509_CRL(obj);
- if (rc > 0 && crl != NULL) {
- /*
- * Check if the current certificate is revoked by this CRL
- */
- n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
- for (i = 0; i < n; i++) {
- revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
- if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked),
- X509_get_serialNumber(xs)) == 0) {
- serial = ASN1_INTEGER_get(X509_REVOKED_get0_serialNumber(revoked));
- cp = X509_NAME_oneline(issuer, NULL, 0);
- free(cp);
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
- X509_OBJECT_free(obj);
- return 0;
- }
- }
- }
- X509_OBJECT_free(obj);
- return ok;
- }
- char *
- tls_userid_from_client_cert(ssl) SSL * ssl;
- {
- #ifndef OS2 /* [jt] 2013/11/21 - K-95 doesn't have X509_to_user */
- static char cn[256];
- static char *r = cn;
- int err;
- X509 *client_cert;
- if (client_cert = SSL_get_peer_certificate(ssl)) {
- /* call the custom function */
- err = X509_to_user(client_cert, cn, sizeof(cn));
- X509_free(client_cert);
- if (err)
- return r = NULL;
- else
- return r;
- }
- else
- return r = NULL;
- #else
- return NULL;
- #endif /* OS2 */
- }
- unsigned char **
- tls_get_SAN_objs(SSL * ssl, int type)
- /* returns NULL or an array of malloc'ed objects of type `type' from the server's
- * subjectAltName, remember to free() them all!
- */
- {
- #define NUM_SAN_OBJS 64
- static unsigned char *objs[NUM_SAN_OBJS];
- unsigned char **rv = NULL;
- X509 *server_cert = NULL;
- int i, j;
- X509_EXTENSION *ext = NULL;
- STACK_OF(GENERAL_NAME) *ialt = NULL;
- GENERAL_NAME *gen = NULL;
- memset(objs, 0, sizeof(objs));
- if (server_cert = SSL_get_peer_certificate(ssl)) {
- if ((i = X509_get_ext_by_NID(server_cert, NID_subject_alt_name, -1)) < 0)
- goto eject;
- if (!(ext = X509_get_ext(server_cert, i)))
- goto eject;
- X509V3_add_standard_extensions();
- if (!(ialt = X509V3_EXT_d2i(ext)))
- goto eject;
- rv = objs;
- for (i = 0, j = 0; i < sk_GENERAL_NAME_num(ialt) && j < NUM_SAN_OBJS - 2; i++) {
- gen = sk_GENERAL_NAME_value(ialt, i);
- /* The use of V_ASN1_CONTEXT_SPECIFIC is because OpenSSL 0.9.6 defined its
- * types | V_ASN1_CONTEXT_SPECIFIC. 0.9.7 does not. In case, we are built
- * with one and linked to the other we use this hack.
- */
- if ((gen->type | V_ASN1_CONTEXT_SPECIFIC) == (type | V_ASN1_CONTEXT_SPECIFIC)) {
- if (!gen->d.ia5 || !gen->d.ia5->length)
- break;
- if (strlen((char *)gen->d.ia5->data) != gen->d.ia5->length) {
- /* Ignoring IA5String containing null character */
- continue;
- }
- objs[j] = malloc(gen->d.ia5->length + 1);
- if (objs[j]) {
- memcpy(objs[j], gen->d.ia5->data, gen->d.ia5->length);
- objs[j][gen->d.ia5->length] = 0;
- j++;
- }
- }
- }
- X509V3_EXT_cleanup();
- }
- eject:
- if (ialt) sk_GENERAL_NAME_free(ialt);
- if (server_cert) X509_free(server_cert);
- return rv;
- }
- static int
- dNSName_cmp(const char *host, const char *dNSName)
- {
- int c1 = 1, c2 = 1, num_comp, rv = -1;
- char *p, *p1, *p2, *host_copy=NULL, *dNSName_copy=NULL;
- /* first we count the number of domain name components in both parameters.
- * they should be equal many, or it's not a match
- */
- p = (char *) host;
- while (p = strstr(p, ".")) {
- c1++;
- p++;
- }
- p = (char *) dNSName;
- while (p = strstr(p, ".")) {
- c2++;
- p++;
- }
- if (c1 != c2)
- return -1;
- num_comp = c1;
- makestr(&host_copy,host);
- makestr(&dNSName_copy,dNSName);
- if (host_copy == NULL || dNSName_copy == NULL)
- goto eject;
- /* make substrings by replacing '.' with '\0' */
- p = dNSName_copy;
- while (p = strstr(p, ".")) {
- *p = '\0';
- p++;
- }
- p = host_copy;
- while (p = strstr(p, ".")) {
- *p = '\0';
- p++;
- }
- /* compare each component */
- p1 = host_copy;
- p2 = dNSName_copy;
- for (; num_comp; num_comp--) {
- if (!ckmatch(p2, p1,0,1))
- /* failed match */
- goto eject;
- p1 += strlen(p1) + 1;
- p2 += strlen(p2) + 1;
- }
- /* match ok */
- rv = 0;
- eject:
- if (dNSName_copy) free(dNSName_copy);
- if (host_copy) free(host_copy);
- return rv;
- }
- static int
- show_hostname_warning(char *s1, char *s2)
- {
- char prefix[1024];
- int ok = 1;
- setverbosity();
- ckmakxmsg(prefix,1024,
- "Warning: Hostname (\"", s1,
- "\") does not match server's certificate (\"", s2, "\")",
- NULL,NULL,NULL,NULL,NULL,NULL,NULL);
- if (ssl_verify_flag)
- ok = uq_ok(prefix,
- "Continue? (Y/N) ",
- 3, NULL, 0);
- else if (verbosity)
- printf(prefix);
- return(ok);
- }
- #ifndef OSF50
- #ifndef HPUX10
- #ifndef HPUX1100
- #ifndef SCO_OSR505
- #ifndef OpenBSD
- #ifndef FREEBSD4
- #ifndef NETBSD15
- #ifndef LINUX
- #ifndef AIX41
- #ifndef UW7
- #ifndef IRIX65
- #ifndef SOLARIS9
- #ifndef SOLARIS8
- #ifndef SOLARIS7
- #ifndef MACOSX
- #ifdef DEC_TCPIP
- #define inet_aton INET_ATON
- #endif /* DEC_TCPIP */
- #ifndef NO_DCL_INET_ATON
- static int
- inet_aton(char * ipaddress, struct in_addr * ia) {
- struct stringarray * q;
- union {
- unsigned long l;
- unsigned char b[4];
- } dummy;
- q = cksplit(1,0,ipaddress,".","0123456789abcdefACDEF",8,0,0,0);
- if (q->a_size == 4) {
- dummy.b[0] = atoi(q->a_head[1]);
- dummy.b[1] = atoi(q->a_head[2]);
- dummy.b[2] = atoi(q->a_head[3]);
- dummy.b[3] = atoi(q->a_head[4]);
- ia->s_addr = dummy.l;
- return(ia->s_addr != 0);
- }
- return(0);
- }
- #endif /* NO_DCL_INET_ATON */
- #endif /* MACOSX */
- #endif /* SOLARIS7 */
- #endif /* SOLARIS8 */
- #endif /* SOLARIS9 */
- #endif /* IRIX65 */
- #endif /* UW7 */
- #endif /* AIX41 */
- #endif /* LINUX */
- #endif /* NETBSD15 */
- #endif /* FREEBSD4 */
- #endif /* OpenBSD */
- #endif /* SCO_OSR505 */
- #endif /* HPUX1100 */
- #endif /* HPUX10 */
- #endif /* OSF50 */
- int
- ssl_check_server_name(SSL * ssl, char * hostname)
- /* returns 0 if hostname and server's cert matches, else -1 */
- {
- char * commonName;
- unsigned char ** dNSName;
- unsigned char ** ipAddress;
- struct in_addr ia;
- int rv;
- setverbosity();
- if (verbosity && !inserver) {
- if (dNSName = tls_get_SAN_objs(ssl,GEN_DNS)) {
- int i = 0;
- for (i = 0; dNSName[i]; i++) {
- printf("Certificate[0] altSubjectName DNS=%s\r\n",dNSName[i]);
- free(dNSName[i]);
- }
- }
- if (ipAddress = tls_get_SAN_objs(ssl,GEN_IPADD)) {
- int i = 0;
- char *server_ip;
- struct in_addr ia;
- for (i = 0; ipAddress[i]; i++) {
- if (ipAddress[i]) {
- ia.s_addr = *(unsigned long *)ipAddress[i];
- server_ip = inet_ntoa(ia);
- printf("Certificate[0] altSubjectName IPAddr=%s\r\n",server_ip);
- }
- free(ipAddress[i]);
- }
- /* ipAddress points to a static - don't free */
- }
- if (dNSName = tls_get_SAN_objs(ssl,GEN_EMAIL)) {
- int i = 0;
- for (i = 0; dNSName[i]; i++) {
- printf("Certificate[0] altSubjectName Email=%s\r\n",dNSName[i]);
- free(dNSName[i]);
- }
- }
- if (dNSName = tls_get_SAN_objs(ssl,GEN_URI)) {
- int i = 0;
- for (i = 0; dNSName[i]; i++) {
- printf("Certificate[0] altSubjectName URI=%s\r\n",dNSName[i]);
- free(dNSName[i]);
- }
- }
- if (dNSName = tls_get_SAN_objs(ssl,GEN_OTHERNAME)) {
- int i = 0;
- for (i = 0; dNSName[i]; i++) {
- printf("Certificate[0] altSubjectName Other=%s\r\n",dNSName[i]);
- free(dNSName[i]);
- }
- }
- }
- /* first we check if `hostname' is in fact an ip address */
- if (inet_aton(hostname, &ia)) {
- ipAddress = tls_get_SAN_objs(ssl,GEN_IPADD);
- if (ipAddress) {
- int i = 0;
- char *server_ip = "UNKNOWN";
- for (i = 0; ipAddress[i]; i++)
- if (*(unsigned long *)ipAddress[i] == ia.s_addr)
- return 0;
- if (ipAddress[i - 1]) {
- ia.s_addr = *(unsigned long *)ipAddress[i - 1];
- server_ip = inet_ntoa(ia);
- }
- rv = show_hostname_warning(hostname, server_ip) ? 0 : -1;
- for (i = 0; ipAddress[i]; i++)
- free(ipAddress[i]);
- } else {
- rv = show_hostname_warning(hostname, "NO IP IN CERT") ? 0 : -1;
- }
- return(rv);
- }
- /* look for dNSName(s) in subjectAltName in the server's certificate */
- dNSName = tls_get_SAN_objs(ssl,GEN_DNS);
- if (dNSName) {
- int i = 0;
- for (i = 0; dNSName[i]; i++) {
- if (!dNSName_cmp(hostname,(char *)dNSName[i]))
- return 0;
- }
- rv = show_hostname_warning(hostname,
- (char *)((dNSName[i - 1] == NULL) ?
- (char *)"UNKNOWN" : (char *)dNSName[i - 1]))
- ? 0 : -1;
- for (i = 0; dNSName[i]; i++)
- free(dNSName[i]);
- return rv;
- } else if ((commonName = ssl_get_commonName(ssl))) {
- /* so the server didn't have any dNSName's, check the commonName */
- if (!dNSName_cmp(hostname, commonName))
- return 0;
- else
- return (show_hostname_warning(hostname, commonName) ? 0 : -1);
- }
- return -1;
- }
- /* Is 'user' authorized to access the system without a login */
- int
- tls_is_user_valid(SSL * ssl, const char *user)
- {
- #ifndef OS2 /* [jt] 2013/11/21 - K-95 doesn't have X509_userok */
- X509 *client_cert;
- int r = 0;
- if ( !ssl || !user || !user[0] )
- return(0);
- if (!(client_cert = SSL_get_peer_certificate(ssl)))
- return 0;
- /* Use user supplied function */
- r = X509_userok(client_cert,user);
- X509_free(client_cert);
- return r;
- #else
- return 0;
- #endif /* OS2 */
- }
- int
- tls_is_anon(int x)
- {
- char buf[128];
- SSL_CIPHER * cipher;
- SSL * ssl = NULL;
- switch ( x ) {
- #ifndef NOFTP
- #ifndef SYSFTP
- case 1: /* ftp command */
- if ( ssl_ftp_active_flag )
- ssl = ssl_ftp_con;
- else
- return(0);
- break;
- case 2: /* ftp data */
- if ( ssl_ftp_data_active_flag )
- ssl = ssl_ftp_data_con;
- else
- return(0);
- break;
- #endif /* SYSFTP */
- #endif /* NOFTP */
- default:
- if (tls_active_flag)
- ssl = tls_con;
- else if (ssl_active_flag)
- ssl = ssl_con;
- else
- return(0);
- }
- cipher = SSL_get_current_cipher(ssl);
- if (SSL_CIPHER_description(cipher,buf,sizeof(buf))) {
- if (ckindex("Au=None",buf,0,0,0) != 0)
- return(1); /* anonymous */
- return(0); /* known */
- } else {
- /* could not get cipher description. Assume anonymous */
- return(1);
- }
- }
- int
- tls_is_krb5(int x)
- {
- char buf[128];
- SSL_CIPHER * cipher;
- SSL * ssl = NULL;
- switch ( x ) {
- #ifndef NOFTP
- #ifndef SYSFTP
- case 1: /* ftp command */
- if ( ssl_ftp_active_flag )
- ssl = ssl_ftp_con;
- else
- return(0);
- break;
- case 2: /* ftp data */
- if ( ssl_ftp_data_active_flag )
- ssl = ssl_ftp_data_con;
- else
- return(0);
- break;
- #endif /* SYSFTP */
- #endif /* NOFTP */
- #ifndef NOHTTP
- case 3:
- if ( tls_http_active_flag )
- ssl = tls_http_con;
- break;
- #endif /* NOHTTP */
- default:
- if (tls_active_flag)
- ssl = tls_con;
- else if (ssl_active_flag)
- ssl = ssl_con;
- else
- return(0);
- }
- cipher = SSL_get_current_cipher(ssl);
- if (cipher && SSL_CIPHER_description(cipher,buf,sizeof(buf))) {
- if (ckindex("Au=KRB5",buf,0,0,0) != 0)
- return(1); /* krb5 */
- }
- return(0); /* not */
- }
- int
- ssl_get_client_finished(char *buf, int count)
- {
- #ifdef NO_GET_FINISHED
- return(0);
- #else
- if (sstelnet || tcp_incoming) {
- return(SSL_get_peer_finished(ssl_active_flag?ssl_con:tls_con,
- buf,count));
- } else {
- return(SSL_get_finished(ssl_active_flag?ssl_con:tls_con,
- buf,count));
- }
- #endif /* NO_GET_FINISHED */
- }
- int
- ssl_get_server_finished(char *buf, int count)
- {
- #ifdef NO_GET_FINISHED
- return(0);
- #else
- if (sstelnet || tcp_incoming) {
- return(SSL_get_finished(ssl_active_flag?ssl_con:tls_con,
- buf,count));
- } else {
- return(SSL_get_peer_finished(ssl_active_flag?ssl_con:tls_con,
- buf,count));
- }
- #endif /* NO_GET_FINISHED */
- }
- #ifdef CK_AUTHENTICATION
- int
- #ifdef CK_ANSIC
- ssl_reply(int how, unsigned char *data, int cnt)
- #else
- ssl_reply(how,data,cnt) int how; unsigned char *data; int cnt;
- #endif
- {
- char * str=NULL;
- setverbosity();
- data += 4; /* Point to status byte */
- cnt -= 4;
- if(cnt-- < 1) {
- auth_finished(AUTH_REJECT);
- return AUTH_FAILURE;
- }
- switch(*data++) {
- case SSL_ACCEPT:
- if (tn_deb || debses)
- tn_debug("[SSL - handshake starting]");
- else if ( verbosity )
- printf("[SSL - handshake starting]\r\n");
- debug(F110,"ssl_reply","[SSL - handshake starting]",0);
- /* right ... now we drop into the SSL library */
- if (!ssl_only_flag) {
- if (ssl_dummy_flag) {
- if (tn_deb || debses)
- tn_debug("[SSL - Dummy Connected]");
- else if ( verbosity ) {
- printf("[SSL - Dummy Connected]\r\n");
- }
- debug(F110,"ssl_reply","[SSL - Dummy Connected]",0);
- auth_finished(AUTH_UNKNOWN);
- accept_complete = 1;
- return AUTH_SUCCESS;
- }
- if (SSL_connect(ssl_con) <= 0) {
- int len;
- if (tn_deb || debses) {
- tn_debug("[SSL - FAILED]");
- ERR_print_errors(bio_err);
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- printf(ssl_err);
- } else if ( verbosity ) {
- printf("[SSL - FAILED]\r\n");
- ERR_print_errors(bio_err);
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- printf(ssl_err);
- }
- debug(F110,"ssl_reply","[SSL - FAILED]",0);
- auth_finished(AUTH_REJECT);
- ttclos(0);
- return AUTH_FAILURE;
- } else {
- if (tn_deb || debses)
- tn_debug("[SSL - OK]");
- else if ( verbosity ) {
- printf("[SSL - OK]\r\n");
- }
- debug(F110,"ssl_reply","[SSL - OK]",0);
- ssl_active_flag = 1;
- ssl_display_connect_details(ssl_con,0,verbosity);
- }
- }
- auth_finished(AUTH_UNKNOWN);
- accept_complete = 1;
- break;
- case SSL_REJECT:
- if (tn_deb || debses) {
- tn_debug(
- "[SSL - failed to switch on SSL - trying plaintext login]");
- } else if ( verbosity ) {
- printf("[SSL - failed to switch on SSL]\r\n");
- printf("Trying plaintext login:\r\n");
- }
- debug(F110,"ssl_reply","[SSL - failed to switch on SSL]",0);
- auth_finished(AUTH_REJECT);
- return AUTH_FAILURE;
- default:
- return AUTH_FAILURE;
- }
- return AUTH_SUCCESS;
- }
- int
- #ifdef CK_ANSIC
- ssl_is(unsigned char *data, int cnt)
- #else
- ssl_is(data,cnt) unsigned char *data; int cnt;
- #endif
- {
- if ((cnt -= 4) < 1)
- return AUTH_FAILURE;
- setverbosity();
- data += 4;
- switch(*data++) {
- case SSL_START:
- /* server starts the SSL stuff now ... */
- if (!ssl_only_flag) {
- if ( !tls_load_certs(ssl_ctx,ssl_con,1) ) {
- auth_finished(AUTH_REJECT);
- return AUTH_FAILURE;
- }
- if (tn_deb || debses)
- tn_debug("[SSL - handshake starting]");
- else if ( verbosity )
- printf("[SSL - handshake starting]\r\n");
- debug(F110,"ssl_is","[SSL - handshake starting]",0);
- SendSSLAuthSB(SSL_ACCEPT, (void *)0, 0);
- auth_ssl_valid = 1;
- if (ssl_dummy_flag) {
- if (tn_deb || debses)
- tn_debug("[SSL - Dummy Connected]");
- else if ( verbosity ) {
- printf("[SSL - Dummy Connected]\r\n");
- }
- debug(F110,"ssl_is","[SSL - Dummy Connected]",0);
- accept_complete = 1;
- auth_finished(AUTH_UNKNOWN);
- return AUTH_SUCCESS;
- }
- if (SSL_accept(ssl_con) <= 0) {
- char errbuf[1024];
- sprintf(errbuf,"[SSL - SSL_accept error: %s",
- ERR_error_string(ERR_get_error(),NULL));
- if (tn_deb || debses)
- tn_debug(errbuf);
- else if ( ssl_debug_flag )
- printf("%s\r\n",errbuf);
- else if ( verbosity )
- printf("[SSL - SSL_accept error]\r\n");
- debug(F110,"ssl_is",errbuf,0);
- auth_finished(AUTH_REJECT);
- ttclos(0);
- return AUTH_FAILURE;
- }
- if (tn_deb || debses)
- tn_debug("[SSL - OK]");
- else if ( verbosity ) {
- printf("[SSL - OK]\r\n");
- }
- debug(F110,"ssl_is","[SSL - OK]",0);
- ssl_active_flag = 1;
- ssl_display_connect_details(ssl_con,1,verbosity);
- /* now check to see that we got exactly what we
- * wanted from the caller ... if a certificate is
- * required then we make 100% sure that we were
- * given one during the handshake (as it is an optional
- * part of SSL)
- */
- #ifdef SSL_KRB5
- if ( tls_is_krb5(0) ) {
- if (ssl_con->kssl_ctx->client_princ)
- debug(F110,"ssl_is KRB5",ssl_con->kssl_ctx->client_princ,0);
- } else
- #endif /* SSL_KRB5 */
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- X509 * peer = SSL_get_peer_certificate(ssl_con);
- if (peer == NULL) {
- if (tn_deb || debses)
- tn_debug("[SSL - peer check failed]");
- else if (ssl_debug_flag)
- printf("[SSL - peer check failed]\r\n");
- debug(F110,"ssl_is","[SSL - peer check failed]",0);
- /* LOGGING REQUIRED HERE! */
- auth_finished(AUTH_REJECT);
- return AUTH_FAILURE;
- }
- }
- auth_finished(AUTH_UNKNOWN);
- accept_complete = 1;
- }
- break;
- default:
- SendSSLAuthSB(SSL_REJECT, (void *) "Unknown option received", -1);
- if (tn_deb || debses)
- tn_debug("[SSL - Unknown option received]");
- else
- printf("Unknown SSL option %d\r\n", data[-1]);
- debug(F111,"ssl_is","[SSL - Unknown option received]",data[-1]);
- auth_ssl_valid = 0;
- auth_finished(AUTH_REJECT);
- return(AUTH_FAILURE);
- }
- return AUTH_SUCCESS;
- }
- #endif /* CK_AUTHENTICATION */
- int
- ck_tn_tls_negotiate(VOID)
- {
- X509 * peer = NULL;
- char str[256], *uid=NULL;
- extern int sstelnet;
- if ( !ck_ssleay_is_installed() )
- return(-1);
- setverbosity();
- if (sstelnet) {
- /* server starts the TLS stuff now ... */
- if (!tls_only_flag) {
- if ( !tls_load_certs(tls_ctx,tls_con,1) ) {
- auth_finished(AUTH_REJECT);
- return -1;
- }
- if (tn_deb || debses)
- tn_debug("[TLS - handshake starting]");
- else if ( verbosity )
- printf("[TLS - handshake starting]\r\n");
- debug(F110,"ck_tn_tls_negotiate","[TLS - handshake starting]",0);
- if (ssl_dummy_flag) {
- if (tn_deb || debses)
- tn_debug("[TLS - Dummy Connected]");
- else if ( verbosity ) {
- printf("[TLS - Dummy Connected]\r\n");
- }
- debug(F110,"ck_tn_tls_negotiate","[TLS - Dummy Connected]",0);
- accept_complete = 1;
- auth_finished(AUTH_REJECT);
- return 0;
- }
- if (SSL_accept(tls_con) <= 0) {
- char errbuf[1024];
- sprintf(errbuf,"[TLS - SSL_accept error: %s",
- ERR_error_string(ERR_get_error(),NULL));
- if (tn_deb || debses)
- tn_debug(errbuf);
- else if ( ssl_debug_flag )
- printf("%s\r\n",errbuf);
- else if ( verbosity )
- printf("[TLS - SSL_accept error]\r\n");
- debug(F110,"ck_tn_tls_negotiate",errbuf,0);
- auth_finished(AUTH_REJECT);
- return -1;
- }
- if (tn_deb || debses)
- tn_debug("[TLS - OK]");
- else if ( verbosity ) {
- printf("[TLS - OK]\r\n");
- }
- debug(F110,"ck_tn_tls_negotiate","[TLS - OK]",0);
- tls_active_flag = 1;
- ssl_display_connect_details(tls_con,1,verbosity);
- #ifdef SSL_KRB5
- if ( tls_is_krb5(0) ) {
- if (tls_con->kssl_ctx->client_princ) {
- char *p;
- ckstrncpy(szUserNameAuthenticated,
- tls_con->kssl_ctx->client_princ,
- UIDBUFLEN);
- ckstrncpy(szUserNameRequested,
- tls_con->kssl_ctx->client_princ,
- UIDBUFLEN);
- for ( p = szUserNameRequested; *p ; p++ ) {
- if ( *p == '@' || *p == '/' ) {
- *p = '\0';
- break;
- }
- }
- } else {
- szUserNameRequested[0] = '\0';
- szUserNameAuthenticated[0] = '\0';
- }
- #ifdef CK_LOGIN
- if (zvuser(szUserNameRequested))
- auth_finished(AUTH_VALID);
- else
- #endif /* CK_LOGIN */
- auth_finished(AUTH_USER);
- } else
- #endif /* SSL_KRB5 */
- {
- /* now check to see that we got exactly what we
- * wanted from the caller ... if a certificate is
- * required then we make 100% sure that we were
- * given one during the handshake (as it is an optional
- * part of TLS)
- */
- peer=SSL_get_peer_certificate(tls_con);
- if (peer == NULL) {
- debug(F100,"SSL_get_peer_certificate() == NULL","",0);
- auth_finished(AUTH_REJECT);
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- if (tn_deb || debses)
- tn_debug("[TLS - peer check failed]");
- else if (ssl_debug_flag) {
- printf("[TLS - peer check failed]\r\n");
- }
- debug(F110,
- "ck_tn_tls_negotiate",
- "[TLS - peer check failed]",
- 0
- );
- /* LOGGING REQUIRED HERE! */
- return -1;
- }
- } else {
- debug(F100,"SSL_get_peer_certificate() != NULL","",0);
- X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
- NID_commonName,str,
- 256
- );
- if ( verbosity )
- printf("[TLS - commonName=%s]\r\n",str);
- X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
- #ifndef NID_x500UniqueIdentifier
- NID_uniqueIdentifier,
- #else
- NID_x500UniqueIdentifier,
- #endif
- str,
- 256
- );
- if ( verbosity )
- printf("[TLS - uniqueIdentifier=%s]\r\n",str);
- /* Try to determine user name */
- uid = tls_userid_from_client_cert(tls_con);
- if ( uid ) {
- /* This code is very questionable.
- * How should it behave?
- * The client has presented a certificate that
- * contains a username. We have validated the
- * certificate but we do not automatically
- * log the user in unless there is a .tlslogin
- * file.
- */
- ckstrncpy(szUserNameRequested,uid,UIDBUFLEN);
- #ifdef CK_LOGIN
- if (zvuser(uid))
- auth_finished(AUTH_VALID);
- else
- #endif /* CK_LOGIN */
- auth_finished(AUTH_USER);
- }
- else {
- szUserNameRequested[0] = '\0';
- auth_finished(AUTH_REJECT);
- }
- }
- }
- }
- } else {
- char * str=NULL;
- if (tn_deb || debses)
- tn_debug("[TLS - handshake starting]");
- else if ( verbosity )
- printf("[TLS - handshake starting]\r\n");
- debug(F110,"ck_tn_tls_negotiate","[TLS - handshake starting]",0);
- /* right ... now we drop into the SSL library */
- if (!tls_only_flag) {
- char *subject=NULL, *issuer=NULL, *commonName=NULL, *dNSName=NULL;
- if (ssl_dummy_flag) {
- if (tn_deb || debses)
- tn_debug("[TLS - Dummy Connected]");
- else if ( verbosity ) {
- printf("[TLS - Dummy Connected]\r\n");
- }
- debug(F110,"ck_tn_tls_negotiate","[TLS - Dummy Connected]",0);
- auth_finished(AUTH_REJECT);
- accept_complete = 1;
- return 0;
- }
- #ifndef USE_CERT_CB
- if (!tls_load_certs(tls_ctx,tls_con,0))
- return(-1);
- #endif /* USE_CERT_CB */
- if (SSL_connect(tls_con) <= 0) {
- int len;
- if (tn_deb || debses) {
- tn_debug("[TLS - FAILED]");
- ERR_print_errors(bio_err);
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- printf(ssl_err);
- } else if ( verbosity ) {
- printf("[TLS - FAILED]\r\n");
- ERR_print_errors(bio_err);
- len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
- ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
- printf(ssl_err);
- }
- debug(F110,"ck_tn_tls_negotiate","[TLS - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- }
- tls_active_flag = 1;
- if ( !ssl_certsok_flag && (ssl_verify_flag & SSL_VERIFY_PEER)
- && !tls_is_krb5(0)) {
- char prmpt[1024];
- subject = ssl_get_subject_name(tls_con);
- if (!subject) {
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,"ck_tn_tls_negotiate","[TLS - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- } else {
- int ok;
- ok = uq_ok("Warning: Server didn't provide a certificate",
- "Continue? (Y/N)", 3, NULL, 0);
- if (!ok) {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,
- "ck_tn_tls_negotiate","[TLS - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- }
- }
- } else if (ssl_check_server_name(tls_con, szHostName)) {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,
- "ck_tn_tls_negotiate","[TLS - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- }
- }
- if ( ssl_debug_flag && ssl_finished_messages) {
- char msg[32];
- int i, len=32;
- extern char tn_msg[], hexbuf[];
- tn_msg[0] = '\0';
- len = ssl_get_client_finished(msg,len);
- if ( len > 0 ) {
- for ( i=0;i<len;i++ ) {
- sprintf(hexbuf,"%02X ",msg[i]);
- ckstrncat(tn_msg,hexbuf,TN_MSG_LEN);
- }
- printf("TLS client finished: %s\r\n",tn_msg);
- }
- tn_msg[0] = '\0';
- len = ssl_get_server_finished(msg,len);
- if ( len > 0 ) {
- for ( i=0;i<len;i++ ) {
- sprintf(hexbuf,"%02X ",msg[i]);
- ckstrncat(tn_msg,hexbuf,TN_MSG_LEN);
- }
- printf("TLS server finished: %s\r\n",tn_msg);
- }
- }
- if (tn_deb || debses)
- tn_debug("[TLS - OK]");
- else if ( verbosity )
- printf("[TLS - OK]\r\n");
- debug(F110,"ck_tn_tls_negotiate","[TLS - OK]",0);
- ssl_display_connect_details(tls_con,0,verbosity);
- }
- auth_finished(AUTH_REJECT);
- }
- accept_complete = 1;
- auth_ssl_valid = 1;
- return(0);
- }
- int
- ck_ssl_incoming(fd) int fd;
- {
- /* if we are not running in debug then any error
- * stuff from SSL debug *must* not go down
- * the socket (which 0,1,2 are all pointing to by
- * default)
- */
- int timo = 2000;
- setverbosity();
- if ( !ck_ssleay_is_installed() )
- return(-1);
- /* do the SSL stuff now ... before we play with pty's */
- SSL_set_fd(ssl_con,fd);
- SSL_set_fd(tls_con,fd);
- if (tls_only_flag) {
- if (tn_deb || debses)
- tn_debug("[TLS - handshake starting]");
- else if ( verbosity )
- printf("[TLS - handshake starting]\r\n");
- debug(F110,"ck_ssl_incoming","[TLS - handshake starting]",0);
- /* hmm ... only when running talking to things like
- * https servers should we hit this code and then
- * we really don't care *who* we talk to :-)
- */
- if (SSL_accept(tls_con) <= 0) {
- char errbuf[1024];
- sprintf(errbuf,"[TLS - SSL_accept error: %s",
- ERR_error_string(ERR_get_error(),NULL));
- if (tn_deb || debses)
- tn_debug(errbuf);
- else if ( ssl_debug_flag )
- printf("%s\r\n",errbuf);
- else if ( verbosity )
- printf("[TLS - SSL_accept error]\r\n");
- debug(F110,"ck_ssl_incoming",errbuf,0);
- return(-1);
- } else {
- if (tn_deb || debses)
- tn_debug("[TLS - OK]");
- else if ( verbosity )
- printf("[TLS - OK]\r\n");
- debug(F110,"ck_ssl_incoming","[TLS - OK]",0);
- tls_active_flag = 1;
- }
- } else if (ssl_only_flag) {
- if (tn_deb || debses)
- tn_debug("[SSL - handshake starting]");
- else if ( verbosity )
- printf("[SSL - handshake starting]\r\n");
- debug(F110,"ck_ssl_incoming","[SSL - handshake starting]",0);
- /* hmm ... only when running talking to things like
- * https servers should we hit this code and then
- * we really don't care *who* we talk to :-)
- */
- if (SSL_accept(ssl_con) <= 0) {
- char errbuf[1024];
- sprintf(errbuf,"[SSL - SSL_accept error: %s",
- ERR_error_string(ERR_get_error(),NULL));
- if (tn_deb || debses)
- tn_debug(errbuf);
- else if ( ssl_debug_flag )
- printf("%s\r\n",errbuf);
- else if ( verbosity )
- printf("[SSL - SSL_accept error]\r\n");
- debug(F110,"ck_ssl_incoming",errbuf,0);
- return(-1);
- } else {
- if (tn_deb || debses)
- tn_debug("[SSL - OK]");
- else if ( verbosity )
- printf("[SSL - OK]\r\n");
- debug(F110,"ssl_is","[SSL - OK]",0);
- ssl_active_flag = 1;
- }
- }
- if (ssl_active_flag || tls_active_flag) {
- X509 *peer;
- char str[256], *uid=NULL;
- /* now check to see that we got exactly what we
- * wanted from the caller ... if a certificate is
- * required then we make 100% sure that we were
- * given on during the handshake (as it is an optional
- * part of SSL and TLS)
- */
- if ( tls_active_flag ) {
- peer=SSL_get_peer_certificate(tls_con);
- } else if ( ssl_active_flag ) {
- peer=SSL_get_peer_certificate(ssl_con);
- }
- if (peer == NULL) {
- debug(F100,"SSL_get_peer_certificate() == NULL","",0);
- auth_finished(AUTH_REJECT);
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- if (tn_deb || debses)
- tn_debug("[SSL/TLS - peer check failed]");
- else if (ssl_debug_flag) {
- printf("[SSL/TLS - peer check failed]\r\n");
- }
- debug(F110,
- "ck_tn_tls_negotiate",
- "[SSL/TLS - peer check failed]",
- 0
- );
- /* LOGGING REQUIRED HERE! */
- return -1;
- }
- } else {
- debug(F100,"SSL_get_peer_certificate() != NULL","",0);
- X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
- NID_commonName,str,
- 256
- );
- printf("[TLS - commonName=%s]\r\n",str);
- X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
- #ifndef NID_x500UniqueIdentifier
- NID_uniqueIdentifier,
- #else
- NID_x500UniqueIdentifier,
- #endif
- str,256
- );
- printf("[TLS - uniqueIdentifier=%s]\r\n",str);
- /* Try to determine user name */
- uid = tls_userid_from_client_cert(tls_con);
- if ( uid ) {
- /* This code is very questionable.
- * How should it behave?
- * The client has presented a certificate that
- * contains a username. We have validated the
- * certificate but we do not automatically
- * log the user in unless there is a .tlslogin
- * file.
- */
- ckstrncpy(szUserNameRequested,uid,UIDBUFLEN);
- #ifdef CK_LOGIN
- if (zvuser(uid))
- auth_finished(AUTH_VALID);
- else
- #endif /* CK_LOGIN */
- auth_finished(AUTH_USER);
- }
- else {
- szUserNameRequested[0] = '\0';
- auth_finished(AUTH_REJECT);
- }
- }
- }
- return(0); /* success */
- }
- int
- ck_ssl_outgoing(fd) int fd;
- {
- int timo = 2000;
- setverbosity();
- if ( !ck_ssleay_is_installed() )
- return(-1);
- /* bind in the network descriptor */
- SSL_set_fd(ssl_con,fd);
- SSL_set_fd(tls_con,fd);
- /* If we are doing raw TLS then start it now ... */
- if (tls_only_flag) {
- #ifndef USE_CERT_CB
- if (!tls_load_certs(tls_ctx,tls_con,0)) {
- debug(F110,"ck_ssl_outgoing","tls_load_certs() failed",0);
- return(-1);
- }
- #endif /* USE_CERT_CB */
- if (tn_deb || debses)
- tn_debug("[TLS - handshake starting]");
- else if (verbosity)
- printf("[TLS - handshake starting]\r\n");
- debug(F110,"ck_ssl_outgoing","[TLS - handshake starting]",0);
- if (SSL_connect(tls_con) <= 0) {
- char errbuf[1024];
- sprintf(errbuf,"[TLS - SSL_connect error: %s",
- ERR_error_string(ERR_get_error(),NULL));
- if (tn_deb || debses)
- tn_debug(errbuf);
- else if ( ssl_debug_flag )
- printf("%s\r\n",errbuf);
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,"ck_ssl_outgoing","[TLS - FAILED]",0);
- netclos();
- return(-1);
- } else {
- tls_active_flag = 1;
- if ( !ssl_certsok_flag && (ssl_verify_flag & SSL_VERIFY_PEER) &&
- !tls_is_krb5(0) ) {
- char *subject = ssl_get_subject_name(tls_con);
- if (!subject) {
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,"ck_tn_tls_negotiate","[TLS - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- } else {
- char prmpt[1024];
- int ok;
- ok = uq_ok("Warning: Server didn't provide a certificate",
- "Continue? (Y/N)", 3, NULL, 0);
- if (!ok) {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,
- "ck_tn_tls_negotiate","[TLS - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- }
- }
- } else if (ssl_check_server_name(tls_con, szHostName)) {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,
- "ck_tn_tls_negotiate","[TLS - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- }
- }
- if (tn_deb || debses)
- tn_debug("[TLS - OK]");
- else if (!quiet)
- printf("[TLS - OK]\r\n");
- debug(F110,"ck_ssl_outgoing","[TLS - OK]",0);
- ssl_display_connect_details(tls_con,0,verbosity);
- }
- }
- /* if we are doing raw SSL then start it now ... */
- else if (ssl_only_flag) {
- #ifndef USE_CERT_CB
- if (!tls_load_certs(ssl_ctx,ssl_con,0))
- return(-1);
- #endif /* USE_CERT_CB */
- if (tn_deb || debses)
- tn_debug("[SSL - handshake starting]");
- else if ( verbosity )
- printf("[SSL - handshake starting]\r\n");
- debug(F110,"ck_ssl_outgoing","[SSL - handshake starting]",0);
- if (SSL_connect(ssl_con) <= 0) {
- if ( ssl_debug_flag ) {
- char errbuf[1024];
- sprintf(errbuf,"[SSL - SSL_connect error: %s",
- ERR_error_string(ERR_get_error(),NULL));
- printf("%s\r\n",errbuf);
- }
- if (tn_deb || debses)
- tn_debug("[SSL - FAILED]");
- else if ( verbosity )
- printf("[SSL - FAILED]\r\n");
- debug(F110,"ck_ssl_outgoing","[SSL - FAILED]",0);
- return(-1);
- } else {
- ssl_active_flag = 1;
- if ( !ssl_certsok_flag && (ssl_verify_flag & SSL_VERIFY_PEER) &&
- !tls_is_krb5(0)) {
- char *subject = ssl_get_subject_name(ssl_con);
- if (!subject) {
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- {
- if (tn_deb || debses)
- tn_debug("[SSL - FAILED]");
- else if ( verbosity )
- printf("[SSL - FAILED]\r\n");
- debug(F110,"ck_tn_tls_negotiate","[SSL - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- } else {
- char prmpt[1024];
- int ok;
- ok = uq_ok("Warning: Server didn't provide a certificate",
- "Continue? (Y/N)", 3, NULL, 0);
- if (!ok) {
- if (tn_deb || debses)
- tn_debug("[SSL - FAILED]");
- else if ( verbosity )
- printf("[SSL - FAILED]\r\n");
- debug(F110,
- "ck_tn_tls_negotiate","[SSL - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- }
- }
- } else if (ssl_check_server_name(ssl_con, szHostName)) {
- if (tn_deb || debses)
- tn_debug("[SSL - FAILED]");
- else if ( verbosity )
- printf("[SSL - FAILED]\r\n");
- debug(F110, "ck_tn_tls_negotiate","[SSL - FAILED]",0);
- auth_finished(AUTH_REJECT);
- return -1;
- }
- }
- if (tn_deb || debses)
- tn_debug("[SSL - OK]");
- else if (!quiet)
- printf("[SSL - OK]\r\n");
- debug(F110,"ck_ssl_outgoing","[SSL - OK]",0);
- ssl_display_connect_details(ssl_con,0,verbosity);
- }
- }
- return(0); /* success */
- }
- #ifndef NOHTTP
- int
- ck_ssl_http_client(fd, hostname) int fd; char * hostname;
- {
- int timo = 2000;
- if ( !ck_ssleay_is_installed() )
- return(-1);
- setverbosity();
- /* bind in the network descriptor */
- SSL_set_fd(tls_http_con,fd);
- /* If we are doing raw TLS then start it now ... */
- if (1) {
- #ifndef USE_CERT_CB
- if (!tls_load_certs(tls_http_ctx,tls_http_con,0)) {
- debug(F110,"ck_ssl_http_client","tls_load_certs() failed",0);
- return(-1);
- }
- #endif /* USE_CERT_CB */
- if (tn_deb || debses)
- tn_debug("[TLS - handshake starting]");
- else if (verbosity)
- printf("[TLS - handshake starting]\r\n");
- debug(F110,"ck_ssl_outgoing","[TLS - handshake starting]",0);
- if (SSL_connect(tls_http_con) <= 0) {
- char errbuf[1024];
- sprintf(errbuf,"[TLS - SSL_connect error: %s",
- ERR_error_string(ERR_get_error(),NULL));
- if (tn_deb || debses)
- tn_debug(errbuf);
- else if ( ssl_debug_flag )
- printf("%s\r\n",errbuf);
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,"ck_ssl_http_client","[TLS - FAILED]",0);
- http_close();
- return(-1);
- } else {
- tls_http_active_flag = 1;
- if ( !ssl_certsok_flag && (ssl_verify_flag & SSL_VERIFY_PEER) &&
- !tls_is_krb5(3) ) {
- char *subject = ssl_get_subject_name(tls_http_con);
- if (!subject) {
- if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,"ck_tn_tls_negotiate","[TLS - FAILED]",0);
- return -1;
- } else {
- char prmpt[1024];
- int ok;
- ok = uq_ok("Warning: Server didn't provide a certificate",
- "Continue? (Y/N)", 3, NULL, 0);
- if (!ok) {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,
- "ck_tn_tls_negotiate","[TLS - FAILED]",0);
- return -1;
- }
- }
- } else if (ssl_check_server_name(tls_http_con, hostname)) {
- if (tn_deb || debses)
- tn_debug("[TLS - FAILED]");
- else if ( verbosity )
- printf("[TLS - FAILED]\r\n");
- debug(F110,
- "ck_tn_tls_negotiate","[TLS - FAILED]",0);
- return -1;
- }
- }
- printf("[TLS - OK]\r\n");
- if (tn_deb || debses)
- tn_debug("[TLS - OK]");
- debug(F110,"ck_ssl_outgoing","[TLS - OK]",0);
- ssl_display_connect_details(tls_http_con,0,verbosity);
- }
- }
- return(0); /* success */
- }
- #endif /* NOHTTP */
- int
- ck_ssl_renegotiate_ciphers()
- {
- if ( !ck_ssleay_is_installed() )
- return(0);
- if ( !sstelnet )
- return(0);
- if ( ssl_active_flag )
- return SSL_renegotiate(ssl_con);
- else if ( tls_active_flag )
- return SSL_renegotiate(tls_con);
- return(0);
- }
- #ifdef NT
- int
- ck_X509_save_cert_to_user_store(X509 *cert)
- {
- #ifdef X509V3_EXT_DUMP_UNKNOWN
- char path[CKMAXPATH];
- char hash[16];
- char * GetAppData(int);
- BIO * out=NULL;
- if ( cert == NULL )
- return(0);
- sprintf(hash,"%08lx",X509_subject_name_hash(cert));
- ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/certs/",
- hash,".0");
-
- out=BIO_new(BIO_s_file());
- if (out == NULL)
- {
- ERR_print_errors(bio_err);
- return(0);
- }
- if (BIO_write_filename(out,path) <= 0) {
- perror(path);
- return(0);
- }
- X509_print_ex(out, cert, XN_FLAG_SEP_MULTILINE, X509V3_EXT_DUMP_UNKNOWN);
- if (!PEM_write_bio_X509(out,cert)) {
- BIO_printf(bio_err,"unable to write certificate\n");
- ERR_print_errors(bio_err);
- BIO_free_all(out);
- return(0);
- }
- BIO_free_all(out);
- return(1);
- #else /* X509V3_EXT_DUMP_UNKNOWN */
- return(0);
- #endif /* X509V3_EXT_DUMP_UNKNOWN */
- }
- #endif /* NT */
- #ifndef OS2
- /* The following function should be replaced by institution specific */
- /* code that will convert an X509 cert structure to a userid for the */
- /* purposes of client to host login. The example code included */
- /* simply returns the UID field of the Subject if it exists. */
- /* X509_to_user() returns 0 if valid userid in 'userid', else -1 */
- int
- X509_to_user(X509 *peer_cert, char *userid, int len)
- {
- #ifdef X509_UID_TO_USER
- /* BEGIN EXAMPLE */
- int err;
- if (!(peer_cert && userid) || len <= 0)
- return -1;
- userid[0] = '\0';
- debug(F110,"X509_to_user() subject",
- X509_NAME_oneline(X509_get_subject_name(peer_cert),NULL,0),0);
- /* userid is in cert subject /UID */
- err = X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
- #ifndef NID_x500UniqueIdentifier
- NID_uniqueIdentifier,
- #else
- NID_x500UniqueIdentifier,
- #endif
- userid, len);
- debug(F111,"X509_to_user() userid",userid,err);
- if (err > 0)
- return 0;
- /* END EXAMPLE */
- #else /* X509_UID_TO_USER */
- #ifdef X509_SUBJECT_ALT_NAME_TO_USER
- /* BEGIN EXAMPLE */
- int i;
- X509_EXTENSION *ext = NULL;
- STACK_OF(GENERAL_NAME) *ialt = NULL;
- GENERAL_NAME *gen = NULL;
- char email[256];
- if (!(peer_cert && userid) || len <= 0)
- return -1;
- userid[0] = '\0';
- email[0] = '\0';
- debug(F110,"X509_to_user() subject",
- X509_NAME_oneline(X509_get_subject_name(peer_cert),NULL,0),0);
- if ((i = X509_get_ext_by_NID(peer_cert, NID_subject_alt_name, -1))<0)
- return -1;
- if (!(ext = X509_get_ext(peer_cert, i)))
- return -1;
- X509V3_add_standard_extensions();
- if (!(ialt = X509V3_EXT_d2i(ext)))
- return -1;
- for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
- gen = sk_GENERAL_NAME_value(ialt, i);
- if (gen->type == GEN_DNS) {
- if (!gen->d.ia5 || !gen->d.ia5->length)
- break;
- if (strlen(gen->d.ia5->data) != gen->d.ia5->length) {
- /* Ignoring IA5String containing null character */
- continue;
- }
- if ( gen->d.ia5->length + 1 > sizeof(email) ) {
- goto cleanup;
- }
- memcpy(email, gen->d.ia5->data, gen->d.ia5->length);
- email[gen->d.ia5->length] = 0;
- break;
- }
- }
- cleanup:
- X509V3_EXT_cleanup();
- if (ialt)
- sk_GENERAL_NAME_free(ialt);
- debug(F110,"X509_to_user() email",email,0);
- if ( email[0] ) {
- char * domain = NULL;
- /* Find domain */
- for ( i=0 ; email[i] ; i++ ) {
- if ( email[i] == '@' ) {
- email[i] = '\0';
- domain = &email[i+1];
- break;
- }
- }
- if ( domain ) {
- /* XXX - Put code to Verify domain here */
- if ( /* domain is okay */ 1 )
- ckstrncpy(userid,email,len);
- }
- }
- return(userid[0] ? 0 : -1);
- /* END EXAMPLE */
- #endif /* X509_SUBJECT_ALT_NAME_TO_USER */
- #endif /* X509_UID_TO_USER */
- return -1;
- }
- /* The following function should be replaced by institution specific */
- /* code that will determine whether or not the combination of the */
- /* provided X509 certificate and username is valid for automatic */
- /* login. Whereas X509_to_user() is used to provide authentication */
- /* of the user, the X509_userok() function is used to provide */
- /* authorization. The certificate passed into X509_userok() does */
- /* need to map to a userid; nor would the userid it would map to */
- /* need to match the userid provided to the function. There are */
- /* numerous circumstances in which it is beneficial to have the ability */
- /* for multiple users to gain access to a common account such as */
- /* 'root' on Unix; or a class account on a web server. In Unix we */
- /* implement this capability with the ~userid/.tlslogin file which */
- /* a list of X509 certificates which may be used to access the */
- /* account 'userid'. */
- /* X509_to_user() returns 0 if access is denied; 1 is access is permitted */
- int
- X509_userok(X509 * peer_cert, const char * userid)
- {
- #ifndef VMS
- /* check if clients cert is in "user"'s ~/.tlslogin file */
- char buf[512];
- int r = 0;
- FILE *fp;
- struct passwd *pwd;
- X509 *file_cert;
- const ASN1_BIT_STRING *peer_sig, *file_sig;
- if ( peer_cert == NULL )
- return(0);
- X509_get0_signature(&peer_sig, NULL, peer_cert);
- if (!(pwd = getpwnam(userid)))
- return 0;
- if (strlen(pwd->pw_dir) > 500)
- return(0);
- sprintf(buf, "%s/.tlslogin", pwd->pw_dir);
- if (!(fp = fopen(buf, "r")))
- return 0;
- while (!r && (file_cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
- X509_get0_signature(&file_sig, NULL, file_cert);
- if (!ASN1_STRING_cmp(peer_sig, file_sig))
- r = 1;
- X509_free(file_cert);
- }
- fclose(fp);
- return(r);
- #else /* VMS */
- /* Need to implement an appropriate function for VMS */
- return(0);
- #endif /* VMS */
- }
- #endif /* OS2 */
- #endif /* CK_SSL */
|