

C++ ERR_get_error函数代码示例

本文整理汇总了C++中ERR_get_error函数的典型用法代码示例。如果您正苦于以下问题:C++ ERR_get_error函数的具体用法?C++ ERR_get_error怎么用?C++ ERR_get_error使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了ERR_get_error函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。

示例1: network_write_chunkqueue_openssl

int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) {
	int ssl_r;
	chunk *c;
	size_t chunks_written = 0;

	/* this is a 64k sendbuffer
	 *
	 * it has to stay at the same location all the time to satisfy the needs
	 * of SSL_write to pass the SAME parameter in case of a _WANT_WRITE
	 *
	 * the buffer is allocated once, is NOT realloced and is NOT freed at shutdown
	 * -> we expect a 64k block to 'leak' in valgrind
	 *
	 *
	 * In reality we would like to use mmap() but we don't have a guarantee that
	 * we get the same mmap() address for each call. On openbsd the mmap() address
	 * even randomized.
	 *   That means either we keep the mmap() open or we do a read() into a
	 * constant buffer
	 * */
#define LOCAL_SEND_BUFSIZE (64 * 1024)
	static char *local_send_buffer = NULL;

	/* the remote side closed the connection before without shutdown request
	 * - IE
	 * - wget
	 * if keep-alive is disabled */

	if (con->keep_alive == 0) {
		SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
	}

	for(c = cq->first; c; c = c->next) {
		int chunk_finished = 0;

		switch(c->type) {
		case MEM_CHUNK: {
			char * offset;
			size_t toSend;
			ssize_t r;

			if (c->mem->used == 0 || c->mem->used == 1) {
				chunk_finished = 1;
				break;
			}

			offset = c->mem->ptr + c->offset;
			toSend = c->mem->used - 1 - c->offset;

			/**
			 * SSL_write man-page
			 *
			 * WARNING
			 *        When an SSL_write() operation has to be repeated because of
			 *        SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, it must be
			 *        repeated with the same arguments.
			 *
			 */

			ERR_clear_error();
			if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
				unsigned long err;

				switch ((ssl_r = SSL_get_error(ssl, r))) {
				case SSL_ERROR_WANT_WRITE:
					break;
				case SSL_ERROR_SYSCALL:
					/* perhaps we have error waiting in our error-queue */
					if (0 != (err = ERR_get_error())) {
						do {
							log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
									ssl_r, r,
									ERR_error_string(err, NULL));
						} while((err = ERR_get_error()));
					} else if (r == -1) {
						/* no, but we have errno */
						switch(errno) {
						case EPIPE:
						case ECONNRESET:
							return -2;
						default:
							log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:",
									ssl_r, r, errno,
									strerror(errno));
							break;
						}
					} else {
						/* neither error-queue nor errno ? */
						log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
								ssl_r, r, errno,
								strerror(errno));
					}

					return  -1;
				case SSL_ERROR_ZERO_RETURN:
					/* clean shutdown on the remote side */

					if (r == 0) return -2;

					/* fall through */
//.........这里部分代码省略.........
开发者ID:0d0f,项目名称:exfe-bus,代码行数:101,代码来源:network_openssl.c

示例2: FC_ASSERT

 /**
  * Recovers the payload of an RSA block using the public half of this key
  * (RSA_public_decrypt), i.e. the operation used to check a signature-style
  * blob, not to decrypt data encrypted for us.
  *
  * @param in  raw RSA block; its full length is handed to OpenSSL unchanged
  * @return the recovered bytes, trimmed to the length OpenSSL reports
  * @throws fc::exception carrying the first queued OpenSSL error text when
  *         OpenSSL rejects the block; FC_ASSERT fires if no RSA key is loaded
  *
  * NOTE(review): RSA_PKCS1_OAEP_PADDING is passed to RSA_public_decrypt();
  * OpenSSL documents only PKCS#1 v1.5 / no padding for the public-decrypt
  * direction (OAEP belongs to encrypt / private-decrypt), so confirm this call
  * actually succeeds against the OpenSSL version in use.
  */
 bytes public_key::decrypt( const bytes& in )const
 {
    FC_ASSERT( my && my->rsa );
    bytes recovered( RSA_size(my->rsa) );
    unsigned char* src = (unsigned char*)in.data();
    unsigned char* dst = (unsigned char*)recovered.data();
    const int produced = RSA_public_decrypt( in.size(), src, dst,
                                             my->rsa, RSA_PKCS1_OAEP_PADDING );
    if( produced < 0 ) {
       // FC_THROW_EXCEPTION does not return; the queued OpenSSL error is the reason.
       FC_THROW_EXCEPTION( exception, "openssl: ${message}", ("message",fc::string(ERR_error_string( ERR_get_error(),NULL))) );
    }
    recovered.resize(produced);
    return recovered;
 }
开发者ID:FollowMyVote,项目名称:fc,代码行数:14,代码来源:pke.cpp

示例3: tap11_change_pin

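/*
 * Reason text for the most recent queued OpenSSL/libp11 error.
 *
 * ERR_reason_error_string() returns NULL when the queue is empty or the code
 * has no registered text; never hand that NULL to a "%s" conversion.
 */
static const char *
tap11_last_error_reason(void)
{
	const char *reason;

	ERR_load_PKCS11_strings();
	reason = ERR_reason_error_string(ERR_get_error());
	return reason ? reason : "unknown error";
}

/*
 * Change the PIN of the first token found through the PKCS#11 module at
 * p11lib.
 *
 * p11lib  path of the PKCS#11 shared library to load
 * is_so   non-zero to log in as the security officer, zero as the normal user
 * pin     current PIN (the SO PIN when is_so is set)
 * newpin  replacement PIN
 *
 * Returns 0 on success, -1 on any failure; the failing step is reported on
 * stderr.  Whatever was acquired before the failure (context, loaded module,
 * slot list, login) is released before returning, so a failed run does not
 * leave the token logged in or the module mapped.
 */
static int
tap11_change_pin(
	const char *p11lib,
	int is_so,
	const char *pin,
	const char *newpin)
{
	int ret = -1;
	int rc;
	int loaded = 0;
	int logged_in = 0;
	unsigned int nslots = 0;

	PKCS11_CTX *p11ctx;
	PKCS11_SLOT *slots = NULL, *slot;

	p11ctx = PKCS11_CTX_new();
	if (p11ctx == NULL) {
		fprintf(stderr,"PKCS11_CTX_new\n");
		return -1;
	}

	/* load pkcs #11 module */
	rc = PKCS11_CTX_load(p11ctx,p11lib);
	if (rc) {
		fprintf(stderr,"PKCS11_CTX_load\n");
		goto out_ctx;
	}
	loaded = 1;

	/* get information on all slots */
	rc = PKCS11_enumerate_slots(p11ctx, &slots, &nslots);
	if (rc < 0) {
		fprintf(stderr,"PKCS11_enumerate_slots\n");
		goto out_ctx;
	}

	/* get first slot with a token */
	slot = PKCS11_find_token(p11ctx, slots, nslots);
	if (!slot || !slot->token) {
		fprintf(stderr,"PKCS11_find_token\n");
		goto out_slots;
	}

	fprintf(stderr,"Slot manufacturer......: %s\n", slot->manufacturer);
	fprintf(stderr,"Slot description.......: %s\n", slot->description);
	fprintf(stderr,"Slot token label.......: %s\n", slot->token->label);
	fprintf(stderr,"Slot token manufacturer: %s\n", slot->token->manufacturer);
	fprintf(stderr,"Slot token model.......: %s\n", slot->token->model);
	fprintf(stderr,"Slot token serialnr....: %s\n", slot->token->serialnr);

	/* rw mode */
	rc = PKCS11_open_session(slot, 1);
	if (rc != 0) {
		fprintf(stderr,"PKCS11_open_session %s\n", tap11_last_error_reason());
		goto out_slots;
	}

	rc = PKCS11_login(slot, is_so, pin);
	if (rc != 0) {
		fprintf(stderr,"PKCS11_login %s\n", tap11_last_error_reason());
		goto out_slots;
	}
	logged_in = 1;

	rc = PKCS11_change_pin(slot,pin,newpin);
	if (rc != 0) {
		fprintf(stderr,"PKCS11_change_pin %s\n", tap11_last_error_reason());
		goto out_slots;
	}
	ret = 0;

out_slots:
	/* Only a session that actually logged in is logged out. */
	if (logged_in)
		PKCS11_logout(slot);
	PKCS11_release_all_slots(p11ctx, slots, nslots);
out_ctx:
	/* Unloading a module that never loaded is not attempted. */
	if (loaded)
		PKCS11_CTX_unload(p11ctx);
	PKCS11_CTX_free(p11ctx);

	if (ret == 0)
		fprintf(stderr,"\n\npin change succeed\n");

	return ret;
}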
开发者ID:yusukemihara,项目名称:tap11tools,代码行数:77,代码来源:tap11_change_pin.c

示例4: proxy_tls_recv

int proxy_tls_recv(rad_listen_t *listener)
{
	int rcode;
	size_t length;
	listen_socket_t *sock = listener->data;
	char buffer[256];
	RADIUS_PACKET *packet;
	uint8_t *data;

	/*
	 *	Get the maximum size of data to receive.
	 */
	if (!sock->data) sock->data = talloc_array(sock, uint8_t,
						   sock->ssn->offset);
	data = sock->data;

	DEBUG3("Proxy SSL socket has data to read");
	PTHREAD_MUTEX_LOCK(&sock->mutex);
redo:
	rcode = SSL_read(sock->ssn->ssl, data, 4);
	if (rcode <= 0) {
		int err = SSL_get_error(sock->ssn->ssl, rcode);
		switch (err) {
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
			goto redo;

		case SSL_ERROR_ZERO_RETURN:
			/* remote end sent close_notify, send one back */
			SSL_shutdown(sock->ssn->ssl);

		case SSL_ERROR_SYSCALL:
		do_close:
			PTHREAD_MUTEX_UNLOCK(&sock->mutex);
			tls_socket_close(listener);
			return 0;

		default:
			while ((err = ERR_get_error())) {
				DEBUG("proxy recv says %s",
				      ERR_error_string(err, NULL));
			}
			
			goto do_close;
		}
	}

	length = (data[2] << 8) | data[3];
	DEBUG3("Proxy received header saying we have a packet of %u bytes",
	       (unsigned int) length);

	if (length > sock->ssn->offset) {
		INFO("Received packet will be too large! Set \"fragment_size=%u\"",
		       (data[2] << 8) | data[3]);
		goto do_close;
	}
	
	rcode = SSL_read(sock->ssn->ssl, data + 4, length);
	if (rcode <= 0) {
		switch (SSL_get_error(sock->ssn->ssl, rcode)) {
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
			break;

		case SSL_ERROR_ZERO_RETURN:
			/* remote end sent close_notify, send one back */
			SSL_shutdown(sock->ssn->ssl);
			goto do_close;
		default:
			goto do_close;
		}
	}
	PTHREAD_MUTEX_UNLOCK(&sock->mutex);

	packet = rad_alloc(NULL, 0);
	packet->sockfd = listener->fd;
	packet->src_ipaddr = sock->other_ipaddr;
	packet->src_port = sock->other_port;
	packet->dst_ipaddr = sock->my_ipaddr;
	packet->dst_port = sock->my_port;
	packet->code = data[0];
	packet->id = data[1];
	packet->data_len = length;
	packet->data = talloc_array(packet, uint8_t, packet->data_len);
	memcpy(packet->data, data, packet->data_len);
	memcpy(packet->vector, packet->data + 4, 16);

	/*
	 *	FIXME: Client MIB updates?
	 */
	switch(packet->code) {
	case PW_AUTHENTICATION_ACK:
	case PW_ACCESS_CHALLENGE:
	case PW_AUTHENTICATION_REJECT:
		break;

#ifdef WITH_ACCOUNTING
	case PW_ACCOUNTING_RESPONSE:
		break;
#endif
//.........这里部分代码省略.........
开发者ID:dpocock,项目名称:freeradius-server,代码行数:101,代码来源:tls_listen.c

示例5: new_ssl_stream

/*
 * Build an SSL-wrapped stream on top of socket 'fd'.
 *
 * Refuses to proceed until a private key and a certificate have been loaded
 * into the global context, plus a CA certificate when peer verification is
 * on and no CA bootstrap is pending; every missing piece is logged, not just
 * the first.  Then checks that key and certificate match, creates the SSL
 * object, binds it to 'fd' and fills in a fresh ssl_stream.
 *
 * On success stores the stream in '*streamp' and returns 0.  On failure
 * returns a positive errno value after freeing any SSL object created so far
 * and closing 'fd' — the caller owns the descriptor on neither path.
 *
 * Peer-certificate checking is switched off (SSL_VERIFY_NONE) only when
 * verification is globally disabled or a client is about to bootstrap its CA
 * certificate from the peer.
 */
static int
new_ssl_stream(const char *name, int fd, enum session_type type,
               enum ssl_state state, struct stream **streamp)
{
    SSL *conn = NULL;
    int err = 0;
    int skip_verify;

    if (!private_key.read) {
        VLOG_ERR("Private key must be configured to use SSL");
        err = ENOPROTOOPT;
    }
    if (!certificate.read) {
        VLOG_ERR("Certificate must be configured to use SSL");
        err = ENOPROTOOPT;
    }
    if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) {
        VLOG_ERR("CA certificate must be configured to use SSL");
        err = ENOPROTOOPT;
    }
    /* Only ask OpenSSL about key/cert agreement once both are known present. */
    if (err == 0 && !SSL_CTX_check_private_key(ctx)) {
        VLOG_ERR("Private key does not match certificate public key: %s",
                 ERR_error_string(ERR_get_error(), NULL));
        err = ENOPROTOOPT;
    }
    if (err != 0) {
        goto fail;
    }

    /* Disable Nagle.
     * On windows platforms, this can only be called upon TCP connected.
     */
    if (state == STATE_SSL_CONNECTING) {
        setsockopt_tcp_nodelay(fd);
    }

    /* Create and configure OpenSSL stream. */
    conn = SSL_new(ctx);
    if (!conn) {
        VLOG_ERR("SSL_new: %s", ERR_error_string(ERR_get_error(), NULL));
        err = ENOPROTOOPT;
        goto fail;
    }
    if (!SSL_set_fd(conn, fd)) {
        VLOG_ERR("SSL_set_fd: %s", ERR_error_string(ERR_get_error(), NULL));
        err = ENOPROTOOPT;
        goto fail;
    }
    skip_verify = !verify_peer_cert || (bootstrap_ca_cert && type == CLIENT);
    if (skip_verify) {
        SSL_set_verify(conn, SSL_VERIFY_NONE, NULL);
    }

    /* Create and return the ssl_stream. */
    struct ssl_stream *s = xmalloc(sizeof *s);
    stream_init(&s->stream, &ssl_stream_class, EAGAIN, name);
    s->state = state;
    s->type = type;
    s->fd = fd;
    s->ssl = conn;
    s->txbuf = NULL;
    s->rx_want = SSL_NOTHING;
    s->tx_want = SSL_NOTHING;
    s->session_nr = next_session_nr++;
    s->n_head = 0;

    if (VLOG_IS_DBG_ENABLED()) {
        SSL_set_msg_callback(conn, ssl_protocol_cb);
        SSL_set_msg_callback_arg(conn, s);
    }

    *streamp = &s->stream;
    return 0;

fail:
    if (conn) {
        SSL_free(conn);
    }
    closesocket(fd);
    return err;
}
开发者ID:flavio-fernandes,项目名称:ovs,代码行数:81,代码来源:stream-ssl.c

示例6: interpret_ssl_error

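/*
 * Translate the SSL_get_error() code of a failed call in 'function' into an
 * errno-style value and tell the caller what the socket must wait for next.
 *
 * ret      raw return value of the failed SSL_* call (negative for a
 *          system-level failure, zero for an unexpected EOF)
 * error    SSL_get_error() code for that call
 * want     set to SSL_READING / SSL_WRITING when the call only needs to be
 *          retried once I/O becomes possible, SSL_NOTHING otherwise
 *
 * Returns EAGAIN for WANT_READ / WANT_WRITE; for SSL_ERROR_SYSCALL with an
 * empty OpenSSL error queue, the errno of the failed call (or EPROTO when the
 * call returned 0, i.e. the peer closed without close_notify); EIO for every
 * other condition, which is logged through VLOG_*_RL.
 */
static int
interpret_ssl_error(const char *function, int ret, int error,
                    int *want)
{
    /* errno belongs to the SSL call that just failed; capture it before any
     * OpenSSL or logging call below can overwrite it. */
    int saved_errno = errno;

    *want = SSL_NOTHING;

    switch (error) {
    case SSL_ERROR_NONE:
        VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_NONE", function);
        break;

    case SSL_ERROR_ZERO_RETURN:
        VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_ZERO_RETURN", function);
        break;

    case SSL_ERROR_WANT_READ:
        *want = SSL_READING;
        return EAGAIN;

    case SSL_ERROR_WANT_WRITE:
        *want = SSL_WRITING;
        return EAGAIN;

    case SSL_ERROR_WANT_CONNECT:
        VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_CONNECT", function);
        break;

    case SSL_ERROR_WANT_ACCEPT:
        VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_ACCEPT", function);
        break;

    case SSL_ERROR_WANT_X509_LOOKUP:
        VLOG_ERR_RL(&rl, "%s: unexpected SSL_ERROR_WANT_X509_LOOKUP",
                    function);
        break;

    case SSL_ERROR_SYSCALL: {
        /* ERR_get_error() yields a packed unsigned long; keeping it in an int
         * could truncate the code before ERR_error_string() decodes it. */
        unsigned long queued_error = ERR_get_error();
        if (queued_error == 0) {
            if (ret < 0) {
                VLOG_WARN_RL(&rl, "%s: system error (%s)",
                             function, ovs_strerror(saved_errno));
                return saved_errno;
            } else {
                VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close",
                             function);
                return EPROTO;
            }
        }
        VLOG_WARN_RL(&rl, "%s: %s",
                     function, ERR_error_string(queued_error, NULL));
        break;
    }

    case SSL_ERROR_SSL:
        interpret_queued_ssl_error(function);
        break;

    default:
        VLOG_ERR_RL(&rl, "%s: bad SSL error code %d", function, error);
        break;
    }
    return EIO;
}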
开发者ID:flavio-fernandes,项目名称:ovs,代码行数:66,代码来源:stream-ssl.c

示例7: throw

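/**
 * @return returns X.509 certificate serial number.
 * @throws IOException exception is thrown if the serial is incorrect.
 *
 * ASN1_INTEGER_get() folds the serial into a <tt>long</tt>.  RFC 5280 allows
 * serials of up to 20 octets; a value that does not fit comes back as -1
 * (depending on the OpenSSL version with or without a queued error), so such
 * certificates are rejected here instead of being returned truncated.
 */
long digidoc::X509Cert::getSerial() const throw(IOException)
{
    long serial = ASN1_INTEGER_get(X509_get_serialNumber(cert));
    if(serial <= 0)
    {
        // The error queue may be empty (overflow case), in which case
        // ERR_reason_error_string() returns NULL; never pass that to "%s".
        const char *reason = ERR_reason_error_string(ERR_get_error());
        if(reason == NULL)
        {
            reason = "serial number is not a positive value that fits in a long";
        }
        THROW_IOEXCEPTION("Failed to read certificate serial number from X.509 certificate: %s", reason);
    }

    return serial;
}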
开发者ID:Krabi,项目名称:idkaart_public,代码行数:14,代码来源:X509Cert.cpp

示例8: rb_setup_ssl_server

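/*
 * Load the server certificate, private key and optional DH parameters into
 * the server and client SSL contexts, and optionally restrict the server's
 * cipher list.
 *
 * cert, keyfile  PEM files; both are mandatory, and failing to load either
 *                aborts the setup
 * dhfile         optional DH parameter file; an unreadable or unparsable file
 *                is only logged, OpenSSL can negotiate without it
 * cipher_list    optional OpenSSL cipher string for the server context; a
 *                string OpenSSL rejects is an error, since silently keeping
 *                the library defaults would defeat the operator's intent
 *
 * Returns 1 on success, 0 on failure (details go through rb_lib_log).
 */
int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
{
	unsigned long err;
	if(cert == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No certificate file");
		return 0;
	}
	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
			   get_ssl_error(err));
		return 0;
	}

	if(keyfile == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No key file");
		return 0;
	}


	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
			   get_ssl_error(err));
		return 0;
	}

	if(dhfile != NULL)
	{
		/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
		BIO *bio = BIO_new_file(dhfile, "r");
		if(bio != NULL)
		{
			DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
			BIO_free(bio);
			if(dh == NULL)
			{
				err = ERR_get_error();
				rb_lib_log
					("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
					 dhfile, get_ssl_error(err));
				return 0;
			}
			/* SSL_CTX_set_tmp_dh() keeps its own copy of the parameters,
			 * so the parsed object must be released here or it leaks. */
			if(SSL_CTX_set_tmp_dh(ssl_server_ctx, dh) != 1)
			{
				err = ERR_get_error();
				rb_lib_log("rb_setup_ssl_server: Error setting DH params from [%s]: %s",
					   dhfile, get_ssl_error(err));
			}
			DH_free(dh);
		}
		else
		{
			err = ERR_get_error();
			rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
				   dhfile, get_ssl_error(err));
		}
	}

	if (cipher_list != NULL)
	{
		if(SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list) != 1)
		{
			err = ERR_get_error();
			rb_lib_log("rb_setup_ssl_server: Error setting cipher list [%s]: %s", cipher_list,
				   get_ssl_error(err));
			return 0;
		}
	}

	return 1;
}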
开发者ID:awilfox,项目名称:charybdis,代码行数:67,代码来源:openssl.c

示例9: rb_init_ssl

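/*
 * One-time OpenSSL initialisation: load error strings, create the server and
 * client SSL contexts and apply the baseline settings to both (SSLv2/SSLv3
 * off where the legacy method API is in use, session tickets and the server
 * session cache off, server cipher preference, ephemeral ECDH on P-384 when
 * the build supports it, a fixed cipher list).
 *
 * Returns 1 on success and 0 when either context could not be created.  In
 * that case the remaining setup is skipped instead of being applied to a
 * NULL context, and ssl_server_ctx / ssl_client_ctx may be left NULL.
 */
int
rb_init_ssl(void)
{
	/* SSL_get_ex_new_index() keeps 'argp' for its callbacks; give it storage
	 * that outlives this call rather than a pointer into this stack frame. */
	static char librb_data[] = "librb data";
	const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
	long server_options;

	SSL_load_error_strings();
	SSL_library_init();
	librb_index = SSL_get_ex_new_index(0, librb_data, NULL, NULL, NULL);

#ifndef LRB_HAVE_TLS_METHOD_API
	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
#else
	ssl_server_ctx = SSL_CTX_new(TLS_server_method());
#endif

	if(ssl_server_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
			   get_ssl_error(ERR_get_error()));
		/* Everything below needs a context; continuing would dereference NULL. */
		return 0;
	}

	server_options = SSL_CTX_get_options(ssl_server_ctx);

#ifndef LRB_HAVE_TLS_METHOD_API
	/* The SSLv23 method still offers SSLv2/SSLv3 unless told otherwise. */
	server_options |= SSL_OP_NO_SSLv2;
	server_options |= SSL_OP_NO_SSLv3;
#endif

#ifdef SSL_OP_SINGLE_DH_USE
	server_options |= SSL_OP_SINGLE_DH_USE;
#endif

#ifdef SSL_OP_SINGLE_ECDH_USE
	server_options |= SSL_OP_SINGLE_ECDH_USE;
#endif

#ifdef SSL_OP_NO_TICKET
	/* No resumption state at all: tickets off here, cache off below. */
	server_options |= SSL_OP_NO_TICKET;
#endif

	server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;

	SSL_CTX_set_options(ssl_server_ctx, server_options);
	/* Request a client certificate once; verify_accept_all_cb presumably
	 * accepts whatever is presented — confirm before relying on it. */
	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
	SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
	SSL_CTX_set_cipher_list(ssl_server_ctx, librb_ciphers);

	/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available
	 * (it's not by default on Solaris or Red Hat... fuck Red Hat and Oracle)
	 */
	#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(OPENSSL_NO_ECDH)
		EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
		if (key) {
			SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
			EC_KEY_free(key);
		}
	#endif

#ifndef LRB_HAVE_TLS_METHOD_API
	ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
#else
	ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#endif

	if(ssl_client_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
			   get_ssl_error(ERR_get_error()));
		return 0;
	}

#ifndef LRB_HAVE_TLS_METHOD_API
	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#endif

#ifdef SSL_OP_NO_TICKET
	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif

	SSL_CTX_set_cipher_list(ssl_client_ctx, librb_ciphers);

	return 1;
}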
开发者ID:awilfox,项目名称:charybdis,代码行数:85,代码来源:openssl.c

示例10: main

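/* Reason text for the most recent queued OpenSSL error, never NULL. */
static const char *last_ssl_reason(void)
{
  const char *reason = ERR_reason_error_string(ERR_get_error());
  return reason ? reason : "unknown error";
}

/*
 * Minimal blocking TLS server built on OpenSSL BIOs.
 *
 * Loads a fixed certificate/key pair, listens on localhost:15001, accepts a
 * single connection, completes the handshake, writes "Hello", reads one
 * buffer of client data and prints it, then tears everything down.
 *
 * Returns 0 on normal completion; any setup or I/O failure prints a message
 * to stderr and calls exit().
 */
int main(void)
{
  enum { BUF_LEN = 1024 };   /* read buffer length */
  char buf[BUF_LEN];         /* read buffer; always NUL-terminated before printing */
  BIO *bio, *abio, *out;     /* the sockets */
  SSL_CTX *ctx;
  SSL *ssl;
  int n;

  /* Initializing OpenSSL */
  SSL_load_error_strings();
  ERR_load_BIO_strings();
  OpenSSL_add_all_algorithms();
  SSL_library_init();

  ctx = SSL_CTX_new(SSLv23_server_method());
  if( ctx == NULL ){
    fprintf(stderr, "DEBUG ctx is null\n");
    fprintf(stderr, "ERROR::OpenSLL: %s\n", last_ssl_reason());
    exit(1);
  }
  /* SSLv23_server_method() negotiates any version; refuse SSLv2/SSLv3 so
   * only TLS is accepted. */
  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

  //get password for private key
  //  SSL_CTX_set_default_passwd_cb( ctx, &pem_passwd_cb );

  //load certificate (with public key)
  if( SSL_CTX_use_certificate_file( ctx, "/home/mml/Develop/ca/certs/01.pem", SSL_FILETYPE_PEM) != 1 ){
    fprintf(stderr, "ERROR cannot load certificate: %s\n", last_ssl_reason());
    exit(1);
  }
  //load private key
  if( SSL_CTX_use_PrivateKey_file( ctx, "/home/mml/Develop/ca/testkey.pem", SSL_FILETYPE_PEM) != 1 ){
    fprintf(stderr, "ERROR cannot load private key: %s\n", last_ssl_reason());
    exit(1);
  }
  /* A key that does not belong to the certificate would otherwise only show
   * up as a handshake failure later. */
  if( SSL_CTX_check_private_key(ctx) != 1 ){
    fprintf(stderr, "ERROR private key does not match certificate: %s\n", last_ssl_reason());
    exit(1);
  }

  bio = BIO_new_ssl(ctx, 0);
  if( bio == NULL ){
    fprintf(stderr, "ERROR cannot bind\n");
    exit(1);
  }

  BIO_get_ssl(bio, &ssl);
  SSL_set_mode( ssl, SSL_MODE_AUTO_RETRY );

  abio = BIO_new_accept("localhost:15001");
  if( abio == NULL ){
    fprintf(stderr, "ERROR cannot create accept BIO: %s\n", last_ssl_reason());
    exit(1);
  }
  /* The accept BIO takes ownership of 'bio' and duplicates it for every
   * connection; 'bio' is freed together with 'abio', never on its own. */
  BIO_set_accept_bios(abio, bio);

  /* The first BIO_do_accept() binds and listens; the second waits for a client. */
  if( BIO_do_accept(abio) <= 0 ){
    fprintf(stderr, "ERROR cannot bind: %s\n", last_ssl_reason());
    exit(1);
  }

  fprintf(stdout, "DEBUG: waiting for connection\n");
  if( BIO_do_accept(abio) <= 0 ){
    fprintf(stderr, "ERROR accept failed: %s\n", last_ssl_reason());
    exit(1);
  }

  out = BIO_pop(abio);

  fprintf(stdout, "DEBUG: doing handshake\n");
  if( BIO_do_handshake(out) <= 0 ){
    fprintf(stderr, "ERROR handshake failed: %s\n", last_ssl_reason());
    exit(1);
  }

  if(BIO_write(out, "Hello", 5) <= 0){
    /* The retry question must go to the connection BIO ('out'), not to the
     * template chain handed to the acceptor. */
    if(! BIO_should_retry(out)) {
      fprintf(stderr, "ERROR connection is already closed. (write)\n");
      exit(1);
    } else {
      //retry routine
    }
  }

  /* Read at most BUF_LEN - 1 bytes: a full-buffer read would leave no room
   * for the terminator and "%s" below would run past the array. */
  bzero(buf, BUF_LEN);
  n = BIO_read(out, buf, BUF_LEN - 1);
  if( n <= 0 ){
    if( !(BIO_should_retry(out)) ){
      fprintf(stderr, "ERROR connection is already closed (read)\n");
      exit(0);

    } else {
      //retry routine
    }
  } else {
    buf[n] = '\0';
  }

  fprintf(stdout, "Hello%s\n", buf);

  //close connection
  BIO_free_all(out);
  BIO_free_all(abio);   /* also releases 'bio' (owned since BIO_set_accept_bios) */
  SSL_CTX_free(ctx);

  return 0;
}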
开发者ID:MoePad,项目名称:Projektbericht_3,代码行数:80,代码来源:server.c

示例11: _openssl_log_error

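/*
 * Symbolic name of an SSL_get_error() code for log output; "unknown" for
 * codes not listed here.
 */
static const char *
openssl_sslerr_name(int sslnum)
{
    switch (sslnum) {
    case SSL_ERROR_NONE:             return "SSL_ERROR_NONE";
    case SSL_ERROR_SSL:              return "SSL_ERROR_SSL";
    case SSL_ERROR_WANT_READ:        return "SSL_ERROR_WANT_READ";
    case SSL_ERROR_WANT_WRITE:       return "SSL_ERROR_WANT_WRITE";
    case SSL_ERROR_WANT_X509_LOOKUP: return "SSL_ERROR_WANT_X509_LOOKUP";
    case SSL_ERROR_SYSCALL:          return "SSL_ERROR_SYSCALL";
    case SSL_ERROR_ZERO_RETURN:      return "SSL_ERROR_ZERO_RETURN";
    case SSL_ERROR_WANT_CONNECT:     return "SSL_ERROR_WANT_CONNECT";
    case SSL_ERROR_WANT_ACCEPT:      return "SSL_ERROR_WANT_ACCEPT";
    default:                         return "unknown";
    }
}

/*
 * ERR_reason_error_string() returns NULL for an empty queue or an untranslated
 * code; substitute text so a "%s" conversion never sees NULL.
 */
static const char *
openssl_reason_or_none(unsigned long code)
{
    const char *s = ERR_reason_error_string(code);
    return s ? s : "(no reason string)";
}

/*
 * Log everything OpenSSL knows about a failed call.
 *
 * rc        return value of the failed SSL_* call, handed to SSL_get_error()
 * con       the SSL connection the call was made on, or NULL when the failure
 *           is not tied to a connection (then only the error queue is dumped)
 * location  caller-supplied tag naming where the failure happened
 *
 * Drains the OpenSSL error queue.  The per-entry 'data' returned by
 * ERR_get_error_line_data() is owned by the error queue, which frees it
 * itself when the entry is cleared or overwritten; releasing it here as the
 * old code did would make that a double free.
 */
void _openssl_log_error(int rc, SSL *con, const char *location) {
    const char     *file, *data;
    unsigned long   numerical_reason;
    int             flags, line;
    /* errno describes the I/O failure that led here; capture it before
     * snmp_log() or any OpenSSL call can overwrite it. */
    int             saved_errno = errno;

    snmp_log(LOG_ERR, "---- OpenSSL Related Errors: ----\n");

    /* SSL specific errors */
    if (con) {
        int sslnum = SSL_get_error(con, rc);
        const char *reason = openssl_sslerr_name(sslnum);

        if (sslnum == SSL_ERROR_SYSCALL) {
            snmp_log(LOG_ERR, "TLS error: %s: rc=%d, sslerror = %d (%s): system_error=%d (%s)\n",
                     location, rc, sslnum, reason, saved_errno, strerror(saved_errno));
            snmp_log(LOG_ERR, "TLS Error: %s\n",
                     openssl_reason_or_none(ERR_get_error()));
            return;
        }

        snmp_log(LOG_ERR, " TLS error: %s: rc=%d, sslerror = %d (%s)\n",
                 location, rc, sslnum, reason);

        snmp_log(LOG_ERR, " TLS Error: %s\n",
                 openssl_reason_or_none(ERR_get_error()));
    }

    /* other errors */
    while ((numerical_reason =
            ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
        snmp_log(LOG_ERR, " error: #%lu (file %s, line %d)\n",
                 numerical_reason, file, line);

        /* if we have a text translation: */
        if (data && (flags & ERR_TXT_STRING)) {
            snmp_log(LOG_ERR, "  Textual Error: %s\n", data);
        }
    }

    snmp_log(LOG_ERR, "---- End of OpenSSL Errors ----\n");
}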
开发者ID:michalklempa,项目名称:net-snmp,代码行数:88,代码来源:snmpTLSBaseDomain.c

示例12: tcp_stream_create_ssl_from_fd

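/*
 * Wrap an already-connected socket in a client-side TLS session.
 *
 * fd        connected socket; on failure it is closed by tcp_close() together
 *           with the partially built stream, so the caller must not reuse it
 *           (only when the stream object itself cannot be allocated is the
 *           descriptor left with the caller)
 * hostname  expected peer name, checked against the certificate by
 *           verify_hostname()
 * tsi       optional client key/certificate as PEM in memory; tsi itself or
 *           either member may be NULL
 * errbuf    receives a human-readable reason on failure
 * errlen    size of errbuf
 *
 * Returns the new stream, or NULL after filling errbuf.  A connection is only
 * handed back once the peer presented a certificate, OpenSSL's chain
 * verification passed and the certificate matches 'hostname'; those three
 * checks are what make the session authenticated rather than just encrypted.
 */
tcp_stream_t *
tcp_stream_create_ssl_from_fd(int fd, const char *hostname,
                              const tcp_ssl_info_t *tsi,
                              char *errbuf, size_t errlen)
{
  char errmsg[120];   /* ERR_error_string() writes up to 120 bytes */
  long verify_result;

  tcp_stream_t *ts = calloc(1, sizeof(tcp_stream_t));
  if(ts == NULL) {
    snprintf(errbuf, errlen, "Out of memory");
    return NULL;
  }
  ts->ts_fd = fd;

  if((ts->ts_ssl = SSL_new(ssl_ctx)) == NULL)
    goto bad_ssl;


  if(SSL_set_fd(ts->ts_ssl, fd) == 0)
    goto bad_ssl;

  if(tsi != NULL && tsi->key != NULL) {
    BIO *cbio = BIO_new_mem_buf((char *)tsi->key, -1);
    EVP_PKEY *key = PEM_read_bio_PrivateKey(cbio, NULL, NULL, NULL);
    BIO_free(cbio);
    if(key == NULL) {
      snprintf(errbuf, errlen, "Unable to load private key");
      goto bad;
    }

    /* A key OpenSSL refuses must not be dropped silently; the queued
     * error says why. */
    if(SSL_use_PrivateKey(ts->ts_ssl, key) != 1) {
      EVP_PKEY_free(key);
      goto bad_ssl;
    }
    EVP_PKEY_free(key);
  }

  if(tsi != NULL && tsi->cert != NULL) {
    BIO *cbio = BIO_new_mem_buf((char *)tsi->cert, -1);
    X509 *cert = PEM_read_bio_X509(cbio, NULL, 0, NULL);
    BIO_free(cbio);

    if(cert == NULL) {
      snprintf(errbuf, errlen, "Unable to load certificate");
      goto bad;
    }

    if(SSL_use_certificate(ts->ts_ssl, cert) != 1) {
      X509_free(cert);
      goto bad_ssl;
    }
    X509_free(cert);
  }

  if(SSL_connect(ts->ts_ssl) <= 0) {
    goto bad_ssl;
  }

  SSL_set_mode(ts->ts_ssl, SSL_MODE_AUTO_RETRY);

  X509 *peer = SSL_get_peer_certificate(ts->ts_ssl);
  if(peer == NULL) {
    /* Nothing is queued for this case, so ERR_error_string() would only
     * print "error:00000000"; name what actually happened. */
    snprintf(errbuf, errlen, "SSL: peer presented no certificate");
    goto bad;
  }

  /* SSL_get_verify_result() returns a long X509_V_* code. */
  verify_result = SSL_get_verify_result(ts->ts_ssl);
  if(verify_result != X509_V_OK) {
    snprintf(errbuf, errlen, "Certificate error: %s",
             X509_verify_cert_error_string(verify_result));
    X509_free(peer);
    goto bad;
  }

  if(verify_hostname(hostname, peer, errbuf, errlen)) {
    X509_free(peer);
    goto bad;
  }

  X509_free(peer);

  ts->ts_fd = fd;
  htsbuf_queue_init(&ts->ts_spill, INT32_MAX);
  htsbuf_queue_init(&ts->ts_sendq, INT32_MAX);

  ts->ts_write = ssl_write;
  ts->ts_read  = ssl_read;
  return ts;

 bad_ssl:
  ERR_error_string(ERR_get_error(), errmsg);
  snprintf(errbuf, errlen, "SSL: %s", errmsg);
 bad:
  tcp_close(ts);
  return NULL;
}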
开发者ID:yfqian,项目名称:libsvc,代码行数:85,代码来源:tcp.c

示例13: ssh_rsa_sign

/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
int
ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
    const u_char *data, u_int datalen)
{
	const EVP_MD *evp_md;
	EVP_MD_CTX md;
	u_char *sig = NULL;
	u_int slen = 0, len;
#ifdef USE_LEGACY_RSA_SIGN
	u_char digest[EVP_MAX_MD_SIZE];
	u_int dlen;
#endif
	int ok, nid;
	Buffer b;

	if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA &&
	    key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) {
		error("ssh_rsa_sign: no RSA key");
		return -1;
	}
	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
		error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
		return -1;
	}

#ifdef USE_LEGACY_RSA_SIGN
	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, data, datalen);
	EVP_DigestFinal(&md, digest, &dlen);

	slen = RSA_size(key->rsa);
	sig = xmalloc(slen);

	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
	memset(digest, 'd', sizeof(digest));
#else /*ndef USE_LEGACY_RSA_SIGN*/
{
	EVP_PKEY *pkey = NULL;

	ok = -1;
	pkey = EVP_PKEY_new();
	if (pkey == NULL) {
		error("%s: out of memory", __func__);
		goto done;
	}

	EVP_PKEY_set1_RSA(pkey, key->rsa);

	slen = EVP_PKEY_size(pkey);
	sig = xmalloc(slen);	/*fatal on error*/

	ssh_EVP_MD_CTX_init(&md);
	
	ok = ssh_EVP_SignInit_ex(&md, evp_md, NULL);
	if (ok <= 0) {
		char ebuf[256];
		error("%s: EVP_SignInit_ex fail with errormsg='%.*s'"
		, __func__
		, (int)sizeof(ebuf), openssl_errormsg(ebuf, sizeof(ebuf)));
		goto clean;
	}

	ok = ssh_EVP_SignUpdate(&md, data, datalen);
	if (ok <= 0) {
		char ebuf[256];
		error("%s: EVP_SignUpdate fail with errormsg='%.*s'"
		, __func__
		, (int)sizeof(ebuf), openssl_errormsg(ebuf, sizeof(ebuf)));
		goto clean;
	}

	ok = EVP_SignFinal(&md, sig, &len, pkey);
	if (ok <= 0) {
		char ebuf[256];
		error("%s: SignFinal fail with errormsg='%.*s'"
		, __func__
		, (int)sizeof(ebuf), openssl_errormsg(ebuf, sizeof(ebuf)));
		goto clean;
	}

clean:
	ssh_EVP_MD_CTX_cleanup(&md);

done:
	if (pkey != NULL) EVP_PKEY_free(pkey);
}
#endif /*ndef USE_LEGACY_RSA_SIGN*/

	if (ok <= 0) {
	#ifdef USE_LEGACY_RSA_SIGN
		int ecode = ERR_get_error();

		error("ssh_rsa_sign: RSA_sign failed: %s",
		    ERR_error_string(ecode, NULL));
	#endif /*def USE_LEGACY_RSA_SIGN*/
		xfree(sig);
		return -1;
	}
//.........这里部分代码省略.........
开发者ID:msftguy,项目名称:openssh-sc,代码行数:101,代码来源:ssh-rsa.c

示例14: do_ca_cert_bootstrap

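/*
 * First-contact CA bootstrap: take the last certificate of the chain the peer
 * presented, require it to be self-signed, write it to ca_cert.file_name and
 * load it into the SSL context as the trusted CA.
 *
 * Returns EPROTO on every path that does not end with a usable CA file — and
 * on the successful one too, because the caller is expected to drop this
 * connection (made with verification off) and reconnect with the CA in
 * place — or the errno of a failed file operation.
 *
 * The trust decision rests entirely on whichever root the peer sends during
 * this first exchange; nothing here can tell the intended CA from an
 * interposed one, so the bootstrap only makes sense where that first
 * connection is trusted by other means.
 */
static int
do_ca_cert_bootstrap(struct stream *stream)
{
    struct ssl_stream *sslv = ssl_stream_cast(stream);
    STACK_OF(X509) *chain;
    X509 *cert;
    X509_STORE *store;
    FILE *file;
    int error;
    int fd;

    chain = SSL_get_peer_cert_chain(sslv->ssl);
    if (!chain || !sk_X509_num(chain)) {
        VLOG_ERR("could not bootstrap CA cert: no certificate presented by "
                 "peer");
        return EPROTO;
    }
    cert = sk_X509_value(chain, sk_X509_num(chain) - 1);

    /* Check that 'cert' is self-signed.  Otherwise it is not a CA
     * certificate and we should not attempt to use it as one. */
    error = X509_check_issued(cert, cert);
    if (error) {
        VLOG_ERR("could not bootstrap CA cert: obtained certificate is "
                 "not self-signed (%s)",
                 X509_verify_cert_error_string(error));
        if (sk_X509_num(chain) < 2) {
            VLOG_ERR("only one certificate was received, so probably the peer "
                     "is not configured to send its CA certificate");
        }
        return EPROTO;
    }

    /* O_EXCL makes creation atomic against a concurrent bootstrap. */
    fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444);
    if (fd < 0) {
        /* Capture errno before any logging call can clobber it; the old
         * code returned errno *after* VLOG_ERR had run. */
        error = errno;
        if (error == EEXIST) {
            VLOG_INFO_RL(&rl, "reading CA cert %s created by another process",
                         ca_cert.file_name);
            stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true);
            return EPROTO;
        }
        VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
                 ca_cert.file_name, ovs_strerror(error));
        return error;
    }

    file = fdopen(fd, "w");
    if (!file) {
        error = errno;
        VLOG_ERR("could not bootstrap CA cert: fdopen failed: %s",
                 ovs_strerror(error));
        /* fdopen() failure leaves the descriptor open; it is ours to close. */
        close(fd);
        unlink(ca_cert.file_name);
        return error;
    }

    if (!PEM_write_X509(file, cert)) {
        VLOG_ERR("could not bootstrap CA cert: PEM_write_X509 to %s failed: "
                 "%s", ca_cert.file_name,
                 ERR_error_string(ERR_get_error(), NULL));
        fclose(file);
        unlink(ca_cert.file_name);
        return EIO;
    }

    if (fclose(file)) {
        error = errno;
        VLOG_ERR("could not bootstrap CA cert: writing %s failed: %s",
                 ca_cert.file_name, ovs_strerror(error));
        unlink(ca_cert.file_name);
        return error;
    }

    VLOG_INFO("successfully bootstrapped CA cert to %s", ca_cert.file_name);
    log_ca_cert(ca_cert.file_name, cert);
    bootstrap_ca_cert = false;
    ca_cert.read = true;

    /* SSL_CTX_add_client_CA makes a copy of cert's relevant data. */
    SSL_CTX_add_client_CA(ctx, cert);

    /* A fresh store replaces whatever was trusted before; an allocation
     * failure must not leave the context with a NULL store. */
    store = X509_STORE_new();
    if (!store) {
        VLOG_ERR("X509_STORE_new: %s",
                 ERR_error_string(ERR_get_error(), NULL));
        return EPROTO;
    }
    SSL_CTX_set_cert_store(ctx, store);
    if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) {
        VLOG_ERR("SSL_CTX_load_verify_locations: %s",
                 ERR_error_string(ERR_get_error(), NULL));
        return EPROTO;
    }
    VLOG_INFO("killing successful connection to retry using CA cert");
    return EPROTO;
}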
开发者ID:flavio-fernandes,项目名称:ovs,代码行数:89,代码来源:stream-ssl.c

示例15: AuthenticateAgent

int AuthenticateAgent(AgentConnection *conn, Attributes attr, Promise *pp)
{
    char sendbuffer[CF_EXPANDSIZE], in[CF_BUFSIZE], *out, *decrypted_cchall;
    BIGNUM *nonce_challenge, *bn = NULL;
    unsigned long err;
    unsigned char digest[EVP_MAX_MD_SIZE];
    int encrypted_len, nonce_len = 0, len, session_size;
    bool implicitly_trust_server;
    char enterprise_field = 'c';
    RSA *server_pubkey = NULL;

    if ((PUBKEY == NULL) || (PRIVKEY == NULL))
    {
        CfOut(cf_error, "", "No public/private key pair found at %s\n", CFPUBKEYFILE);
        return false;
    }

    enterprise_field = CfEnterpriseOptions();
    session_size = CfSessionKeySize(enterprise_field);

/* Generate a random challenge to authenticate the server */

    nonce_challenge = BN_new();
    if (nonce_challenge == NULL)
    {
        CfOut(cf_error, "", "Cannot allocate BIGNUM structure for server challenge\n");
        return false;
    }

    BN_rand(nonce_challenge, CF_NONCELEN, 0, 0);
    nonce_len = BN_bn2mpi(nonce_challenge, in);

    if (FIPS_MODE)
    {
        HashString(in, nonce_len, digest, CF_DEFAULT_DIGEST);
    }
    else
    {
        HashString(in, nonce_len, digest, cf_md5);
    }

/* We assume that the server bound to the remote socket is the official one i.e. = root's */

    if ((server_pubkey = HavePublicKeyByIP(conn->username, conn->remoteip)))
    {
        implicitly_trust_server = false;
        encrypted_len = RSA_size(server_pubkey);
    }
    else
    {
        implicitly_trust_server = true;
        encrypted_len = nonce_len;
    }

// Server pubkey is what we want to has as a unique ID

    snprintf(sendbuffer, sizeof(sendbuffer), "SAUTH %c %d %d %c", implicitly_trust_server ? 'n': 'y', encrypted_len,
             nonce_len, enterprise_field);

    out = xmalloc(encrypted_len);

    if (server_pubkey != NULL)
    {
        if (RSA_public_encrypt(nonce_len, in, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
        {
            err = ERR_get_error();
            cfPS(cf_error, CF_FAIL, "", pp, attr, "Public encryption failed = %s\n", ERR_reason_error_string(err));
            free(out);
            RSA_free(server_pubkey);
            return false;
        }

        memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, out, encrypted_len);
    }
    else
    {
        memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, in, nonce_len);
    }

/* proposition C1 - Send challenge / nonce */

    SendTransaction(conn->sd, sendbuffer, CF_RSA_PROTO_OFFSET + encrypted_len, CF_DONE);

    BN_free(bn);
    BN_free(nonce_challenge);
    free(out);

    if (DEBUG)
    {
        RSA_print_fp(stdout, PUBKEY, 0);
    }

/*Send the public key - we don't know if server has it */
/* proposition C2 */

    memset(sendbuffer, 0, CF_EXPANDSIZE);
    len = BN_bn2mpi(PUBKEY->n, sendbuffer);
    SendTransaction(conn->sd, sendbuffer, len, CF_DONE);        /* No need to encrypt the public key ... */

/* proposition C3 */
//.........这里部分代码省略.........
开发者ID:werkt,项目名称:cfengine-community,代码行数:101,代码来源:client_protocol.c

