本文整理汇总了C++中SSL_CTX_check_private_key函数的典型用法代码示例。如果您正苦于以下问题:C++ SSL_CTX_check_private_key函数的具体用法?C++ SSL_CTX_check_private_key怎么用?C++ SSL_CTX_check_private_key使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了SSL_CTX_check_private_key函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: be_tls_init
/*
* Initialize global SSL context.
*/
void
be_tls_init(void)
{
struct stat buf;
STACK_OF(X509_NAME) *root_cert_list = NULL;
if (!SSL_context)
{
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
OPENSSL_config(NULL);
#endif
SSL_library_init();
SSL_load_error_strings();
/*
* We use SSLv23_method() because it can negotiate use of the highest
* mutually supported protocol version, while alternatives like
* TLSv1_2_method() permit only one specific version. Note that we
* don't actually allow SSL v2 or v3, only TLS protocols (see below).
*/
SSL_context = SSL_CTX_new(SSLv23_method());
if (!SSL_context)
ereport(FATAL,
(errmsg("could not create SSL context: %s",
SSLerrmessage(ERR_get_error()))));
/*
* Disable OpenSSL's moving-write-buffer sanity check, because it
* causes unnecessary failures in nonblocking send cases.
*/
SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
/*
* Load and verify server's certificate and private key
*/
if (SSL_CTX_use_certificate_chain_file(SSL_context,
ssl_cert_file) != 1)
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not load server certificate file \"%s\": %s",
ssl_cert_file, SSLerrmessage(ERR_get_error()))));
if (stat(ssl_key_file, &buf) != 0)
ereport(FATAL,
(errcode_for_file_access(),
errmsg("could not access private key file \"%s\": %m",
ssl_key_file)));
if (!S_ISREG(buf.st_mode))
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" is not a regular file",
ssl_key_file)));
/*
* Refuse to load files owned by users other than us or root.
*
* XXX surely we can check this on Windows somehow, too.
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if (buf.st_uid != geteuid() && buf.st_uid != 0)
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" must be owned by the database user or root",
ssl_key_file)));
#endif
/*
* Require no public access to key file. If the file is owned by us,
* require mode 0600 or less. If owned by root, require 0640 or less
* to allow read access through our gid, or a supplementary gid that
* allows to read system-wide certificates.
*
* XXX temporarily suppress check when on Windows, because there may
* not be proper support for Unix-y file permissions. Need to think
* of a reasonable check to apply on Windows. (See also the data
* directory permission check in postmaster.c)
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if ((buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) ||
(buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)))
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" has group or world access",
ssl_key_file),
errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));
#endif
if (SSL_CTX_use_PrivateKey_file(SSL_context,
ssl_key_file,
SSL_FILETYPE_PEM) != 1)
ereport(FATAL,
(errmsg("could not load private key file \"%s\": %s",
ssl_key_file, SSLerrmessage(ERR_get_error()))));
if (SSL_CTX_check_private_key(SSL_context) != 1)
//.........这里部分代码省略.........
示例2: network_init
//.........这里部分代码省略.........
return -1;
}
}
}
if (s->ssl_verifyclient) {
if (NULL == s->ssl_ca_file_cert_names) {
log_error_write(srv, __FILE__, __LINE__, "s",
"SSL: You specified ssl.verifyclient.activate but no ca_file"
);
return -1;
}
SSL_CTX_set_client_CA_list(s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names));
SSL_CTX_set_verify(
s->ssl_ctx,
SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
NULL
);
SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
}
if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) {
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
return -1;
}
if (SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey) < 0) {
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
return -1;
}
if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
"Private key does not match the certificate public key, reason:",
ERR_error_string(ERR_get_error(), NULL),
s->ssl_pemfile);
return -1;
}
SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
# ifndef OPENSSL_NO_TLSEXT
if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
!SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
"failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
return -1;
}
# endif
}
#endif
b = buffer_init();
buffer_copy_string_buffer(b, srv->srvconf.bindhost);
buffer_append_string_len(b, CONST_STR_LEN(":"));
buffer_append_long(b, srv->srvconf.port);
if (0 != network_server_init(srv, b, srv->config_storage[0])) {
buffer_free(b);
return -1;
}
buffer_free(b);
示例3: janus_dtls_srtp_init
/* DTLS-SRTP initialization */
gint janus_dtls_srtp_init(const char* server_pem, const char* server_key) {
/* FIXME First of all make OpenSSL thread safe (see note above on issue #316) */
janus_dtls_locks = g_malloc0(sizeof(*janus_dtls_locks) * CRYPTO_num_locks());
int l=0;
for(l = 0; l < CRYPTO_num_locks(); l++) {
janus_mutex_init(&janus_dtls_locks[l]);
}
CRYPTO_THREADID_set_callback(janus_dtls_cb_openssl_threadid);
CRYPTO_set_locking_callback(janus_dtls_cb_openssl_lock);
/* Go on and create the DTLS context */
ssl_ctx = SSL_CTX_new(DTLSv1_method());
if(!ssl_ctx) {
JANUS_LOG(LOG_FATAL, "Ops, error creating DTLS context?\n");
return -1;
}
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, janus_dtls_verify_callback);
SSL_CTX_set_tlsext_use_srtp(ssl_ctx, "SRTP_AES128_CM_SHA1_80"); /* FIXME Should we support something else as well? */
if (!server_pem && !server_key) {
JANUS_LOG(LOG_WARN, "No cert/key specified, autogenerating some...\n");
if (janus_dtls_generate_keys(&ssl_cert, &ssl_key) != 0) {
JANUS_LOG(LOG_FATAL, "Error generating DTLS key/certificate\n");
return -2;
}
} else if (!server_pem || !server_key) {
JANUS_LOG(LOG_FATAL, "DTLS certificate and key must be specified\n");
return -2;
} else if (janus_dtls_load_keys(server_pem, server_key, &ssl_cert, &ssl_key) != 0) {
return -3;
}
if(!SSL_CTX_use_certificate(ssl_ctx, ssl_cert)) {
JANUS_LOG(LOG_FATAL, "Certificate error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -4;
}
if(!SSL_CTX_use_PrivateKey(ssl_ctx, ssl_key)) {
JANUS_LOG(LOG_FATAL, "Certificate key error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -5;
}
if(!SSL_CTX_check_private_key(ssl_ctx)) {
JANUS_LOG(LOG_FATAL, "Certificate check error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -6;
}
SSL_CTX_set_read_ahead(ssl_ctx,1);
unsigned int size;
unsigned char fingerprint[EVP_MAX_MD_SIZE];
if(X509_digest(ssl_cert, EVP_sha256(), (unsigned char *)fingerprint, &size) == 0) {
JANUS_LOG(LOG_FATAL, "Error converting X509 structure (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -7;
}
char *lfp = (char *)&local_fingerprint;
unsigned int i = 0;
for(i = 0; i < size; i++) {
g_snprintf(lfp, 4, "%.2X:", fingerprint[i]);
lfp += 3;
}
*(lfp-1) = 0;
JANUS_LOG(LOG_INFO, "Fingerprint of our certificate: %s\n", local_fingerprint);
SSL_CTX_set_cipher_list(ssl_ctx, DTLS_CIPHERS);
/* Initialize libsrtp */
if(srtp_init() != err_status_ok) {
JANUS_LOG(LOG_FATAL, "Ops, error setting up libsrtp?\n");
return 5;
}
return 0;
}示例4: initialize_SSL
/*
* Initialize global SSL context.
*/
static void
initialize_SSL(void)
{
struct stat buf;
STACK_OF(X509_NAME) *root_cert_list = NULL;
if (!SSL_context)
{
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
OPENSSL_config(NULL);
#endif
SSL_library_init();
SSL_load_error_strings();
SSL_context = SSL_CTX_new(SSLv23_method());
if (!SSL_context)
ereport(FATAL,
(errmsg("could not create SSL context: %s",
SSLerrmessage())));
/*
* Disable OpenSSL's moving-write-buffer sanity check, because it
* causes unnecessary failures in nonblocking send cases.
*/
SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
/*
* Load and verify server's certificate and private key
*/
if (SSL_CTX_use_certificate_chain_file(SSL_context,
ssl_cert_file) != 1)
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not load server certificate file \"%s\": %s",
ssl_cert_file, SSLerrmessage())));
if (stat(ssl_key_file, &buf) != 0)
ereport(FATAL,
(errcode_for_file_access(),
errmsg("could not access private key file \"%s\": %m",
ssl_key_file)));
/*
* Require no public access to key file.
*
* XXX temporarily suppress check when on Windows, because there may
* not be proper support for Unix-y file permissions. Need to think
* of a reasonable check to apply on Windows. (See also the data
* directory permission check in postmaster.c)
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if (!S_ISREG(buf.st_mode) || buf.st_mode & (S_IRWXG | S_IRWXO))
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" has group or world access",
ssl_key_file),
errdetail("Permissions should be u=rw (0600) or less.")));
#endif
if (SSL_CTX_use_PrivateKey_file(SSL_context,
ssl_key_file,
SSL_FILETYPE_PEM) != 1)
ereport(FATAL,
(errmsg("could not load private key file \"%s\": %s",
ssl_key_file, SSLerrmessage())));
if (SSL_CTX_check_private_key(SSL_context) != 1)
ereport(FATAL,
(errmsg("check of private key failed: %s",
SSLerrmessage())));
}
/* set up ephemeral DH keys, and disallow SSL v2 while at it */
SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
/* set up the allowed cipher list */
if (SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites) != 1)
elog(FATAL, "could not set the cipher list (no valid ciphers available)");
/*
* Load CA store, so we can verify client certificates if needed.
*/
if (ssl_ca_file[0])
{
if (SSL_CTX_load_verify_locations(SSL_context, ssl_ca_file, NULL) != 1 ||
(root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == NULL)
ereport(FATAL,
(errmsg("could not load root certificate file \"%s\": %s",
ssl_ca_file, SSLerrmessage())));
}
/*----------
* Load the Certificate Revocation List (CRL).
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
*----------
*/
//.........这里部分代码省略.........
示例5: main
int main(int argc, char **argv)
{
int sockfd, new_fd;
socklen_t len;
struct sockaddr_in my_addr, their_addr;
unsigned int myport, lisnum;
char buf[MAXBUF + 1];
SSL_CTX *ctx;
/* 指定监听端口 */
if (argc > 1 && argv[1]) {
myport = atoi(argv[1]);
} else {
myport = 8888;
}
/* 最大客户端连接数 */
if (argv[2]) {
lisnum = atoi(argv[2]);
} else {
lisnum = 2;
}
/* SSL 库初始化 */
SSL_library_init();
/* 载入所有SSL 算法 */
OpenSSL_add_all_algorithms();
/* 载入所有SSL 错误消息 */
SSL_load_error_strings();
/* 以SSL V2 和V3 标准兼容方式产生一个SSL_CTX ,即SSL Content Text */
ctx = SSL_CTX_new(SSLv23_server_method());
/* 也可以用SSLv2_server_method() 或SSLv3_server_method() 单独表示V2 或V3标准
*/
if (ctx == NULL) {
ERR_print_errors_fp(stdout);
exit(1);
}
/* 载入用户的数字证书, 此证书用来发送给客户端。证书里包含有公钥 */
if (SSL_CTX_use_certificate_file(ctx, argv[4], SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stdout);
exit(1);
}
/* 载入用户私钥 */
if (SSL_CTX_use_PrivateKey_file(ctx, argv[5], SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stdout);
exit(1);
}
/* 检查用户私钥是否正确 */
if (!SSL_CTX_check_private_key(ctx)) {
ERR_print_errors_fp(stdout);
exit(1);
}
/* 开启一个socket 监听 */
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(1);
} else {
printf("socket created\n");
}
bzero(&my_addr, sizeof(my_addr));
my_addr.sin_family = PF_INET;
my_addr.sin_port = htons(myport);
/* 设置监听的IP */
if (argv[3]) {
my_addr.sin_addr.s_addr = inet_addr(argv[3]);
} else {
/* 如果用户没有指定监听端口,则默认监听0.0.0.0(任意IP) */
my_addr.sin_addr.s_addr = INADDR_ANY;
}
if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) ==
-1) {
perror("bind");
exit(1);
} else {
printf("binded\n");
}
if (listen(sockfd, lisnum) == -1) {
perror("listen");
exit(1);
} else {
printf("begin listen\n");
}
while (1) {
SSL *ssl;
len = sizeof(struct sockaddr);
/* 等待客户端连上来 */
if ((new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &len)) ==
-1) {
perror("accept");
exit(errno);
} else {
printf("server: got connection from %s, port %d, socket %d\n",
inet_ntoa(their_addr.sin_addr), ntohs(their_addr.sin_port),
new_fd);
}
/* 基于ctx 产生一个新的SSL */
ssl = SSL_new(ctx);
/* 将连接用户的socket 加入到SSL */
SSL_set_fd(ssl, new_fd);
/* 建立SSL 连接 */
if (SSL_accept(ssl) == -1) {
//.........这里部分代码省略.........
示例6: main
void main() {
int err;
int listen_sock;
int sock;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
size_t client_len;
char *str;
char buffer[4096];
SSL_CTX *ctx;
SSL *ssl;
SSL_METHOD *meth;
X509 *client_cert = NULL;
short int s_port = 5555;
/* inicializar la librería SSL y registrar los métodos de cifrado soportados */
SSL_library_init();
/* cargar mensajes de error que serán usados */
SSL_load_error_strings();
/* añade soporte para las versión SSL 2 y 3 */
meth = SSLv23_method();
/* crea un nuevo contexto para la utilización de la capa SSL */
ctx = SSL_CTX_new(meth);
if (!ctx) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* especificar el certificado que utilizará nuestra aplicación */
if (SSL_CTX_use_certificate_file(ctx, RSA_SERVER_CERT, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* clave privada de nuestra aplicación */
if (SSL_CTX_use_PrivateKey_file(ctx, RSA_SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* verifica si la clave esta asociada al certificado */
if (!SSL_CTX_check_private_key(ctx)) {
fprintf(stderr,"Hay un problema con el certificado y clave privada del servidor\n");
exit(1);
}
/* CA utilizado para validar los certificados recibidos por la aplicación */
if (!SSL_CTX_load_verify_locations(ctx, RSA_SERVER_CA_CERT, NULL)) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* garantizar que se verifica la autenticidad del otro extremo */
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
SSL_CTX_set_verify_depth(ctx,1);
listen_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
RETURN_ERR(listen_sock, "socket");
memset (&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (s_port);
err = bind(listen_sock, (struct sockaddr*)&sa_serv,sizeof(sa_serv));
RETURN_ERR(err, "bind");
err = listen(listen_sock, 5);
RETURN_ERR(err, "listen");
client_len = sizeof(sa_cli);
sock = accept(listen_sock, (struct sockaddr*)&sa_cli, &client_len);
RETURN_ERR(sock, "accept");
close (listen_sock);
char clientIpString[INET_ADDRSTRLEN];
int clientIpInt = sa_cli.sin_addr.s_addr;
inet_ntop( AF_INET, &clientIpInt, clientIpString, INET_ADDRSTRLEN );
printf ("Conexion con %s en el puerto %x\n",
clientIpString,
sa_cli.sin_port);
/* crear una estructura SSL */
ssl = SSL_new(ctx);
//.........这里部分代码省略.........
示例7: new_ssl_stream
static int
new_ssl_stream(const char *name, int fd, enum session_type type,
enum ssl_state state, struct stream **streamp)
{
struct ssl_stream *sslv;
SSL *ssl = NULL;
int retval;
/* Check for all the needful configuration. */
retval = 0;
if (!private_key.read) {
VLOG_ERR("Private key must be configured to use SSL");
retval = ENOPROTOOPT;
}
if (!certificate.read) {
VLOG_ERR("Certificate must be configured to use SSL");
retval = ENOPROTOOPT;
}
if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) {
VLOG_ERR("CA certificate must be configured to use SSL");
retval = ENOPROTOOPT;
}
if (!retval && !SSL_CTX_check_private_key(ctx)) {
VLOG_ERR("Private key does not match certificate public key: %s",
ERR_error_string(ERR_get_error(), NULL));
retval = ENOPROTOOPT;
}
if (retval) {
goto error;
}
/* Disable Nagle.
* On windows platforms, this can only be called upon TCP connected.
*/
if (state == STATE_SSL_CONNECTING) {
setsockopt_tcp_nodelay(fd);
}
/* Create and configure OpenSSL stream. */
ssl = SSL_new(ctx);
if (ssl == NULL) {
VLOG_ERR("SSL_new: %s", ERR_error_string(ERR_get_error(), NULL));
retval = ENOPROTOOPT;
goto error;
}
if (SSL_set_fd(ssl, fd) == 0) {
VLOG_ERR("SSL_set_fd: %s", ERR_error_string(ERR_get_error(), NULL));
retval = ENOPROTOOPT;
goto error;
}
if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
}
/* Create and return the ssl_stream. */
sslv = xmalloc(sizeof *sslv);
stream_init(&sslv->stream, &ssl_stream_class, EAGAIN, name);
sslv->state = state;
sslv->type = type;
sslv->fd = fd;
sslv->ssl = ssl;
sslv->txbuf = NULL;
sslv->rx_want = sslv->tx_want = SSL_NOTHING;
sslv->session_nr = next_session_nr++;
sslv->n_head = 0;
if (VLOG_IS_DBG_ENABLED()) {
SSL_set_msg_callback(ssl, ssl_protocol_cb);
SSL_set_msg_callback_arg(ssl, sslv);
}
*streamp = &sslv->stream;
return 0;
error:
if (ssl) {
SSL_free(ssl);
}
closesocket(fd);
return retval;
}示例8: ssl_init
/* $begin ssl init */
void ssl_init(void)
{
static char crypto[]="RC4-MD5";
certfile= DEFAULT_CERTFILE;
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
ssl_ctx = SSL_CTX_new( SSLv23_server_method() );
if ( certfile[0] != '\0' )
if ( SSL_CTX_use_certificate_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 || SSL_CTX_use_PrivateKey_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 || SSL_CTX_check_private_key( ssl_ctx ) == 0 )
{
ERR_print_errors_fp( stderr );
exit( 1 );
}
if ( crypto != (char*) 0 )
{
if ( SSL_CTX_set_cipher_list( ssl_ctx, crypto ) == 0 )
{
ERR_print_errors_fp( stderr );
exit( 1 );
}
}
}示例9: lws_context_init_client_ssl
//.........这里部分代码省略.........
if (!method) {
error = ERR_get_error();
lwsl_err("problem creating ssl method %lu: %s\n",
error, ERR_error_string(error,
(char *)context->service_buffer));
return 1;
}
/* create context */
context->ssl_client_ctx = SSL_CTX_new(method);
if (!context->ssl_client_ctx) {
error = ERR_get_error();
lwsl_err("problem creating ssl context %lu: %s\n",
error, ERR_error_string(error,
(char *)context->service_buffer));
return 1;
}
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(context->ssl_client_ctx,
SSL_OP_NO_COMPRESSION);
#endif
SSL_CTX_set_options(context->ssl_client_ctx,
SSL_OP_CIPHER_SERVER_PREFERENCE);
if (info->ssl_cipher_list)
SSL_CTX_set_cipher_list(context->ssl_client_ctx,
info->ssl_cipher_list);
#ifdef LWS_SSL_CLIENT_USE_OS_CA_CERTS
if (!(info->options & LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS))
/* loads OS default CA certs */
SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);
#endif
/* openssl init for cert verification (for client sockets) */
if (!info->ssl_ca_filepath) {
if (!SSL_CTX_load_verify_locations(
context->ssl_client_ctx, NULL,
LWS_OPENSSL_CLIENT_CERTS))
lwsl_err(
"Unable to load SSL Client certs from %s "
"(set by --with-client-cert-dir= "
"in configure) -- client ssl isn't "
"going to work", LWS_OPENSSL_CLIENT_CERTS);
} else
if (!SSL_CTX_load_verify_locations(
context->ssl_client_ctx, info->ssl_ca_filepath,
NULL))
lwsl_err(
"Unable to load SSL Client certs "
"file from %s -- client ssl isn't "
"going to work", info->ssl_ca_filepath);
else
lwsl_info("loaded ssl_ca_filepath\n");
/*
* callback allowing user code to load extra verification certs
* helping the client to verify server identity
*/
/* support for client-side certificate authentication */
if (info->ssl_cert_filepath) {
n = SSL_CTX_use_certificate_chain_file(
context->ssl_client_ctx,
info->ssl_cert_filepath);
if (n != 1) {
lwsl_err("problem getting cert '%s' %lu: %s\n",
info->ssl_cert_filepath,
ERR_get_error(),
ERR_error_string(ERR_get_error(),
(char *)context->service_buffer));
return 1;
}
}
if (info->ssl_private_key_filepath) {
lws_ssl_bind_passphrase(context->ssl_client_ctx, info);
/* set the private key from KeyFile */
if (SSL_CTX_use_PrivateKey_file(context->ssl_client_ctx,
info->ssl_private_key_filepath, SSL_FILETYPE_PEM) != 1) {
lwsl_err("use_PrivateKey_file '%s' %lu: %s\n",
info->ssl_private_key_filepath,
ERR_get_error(),
ERR_error_string(ERR_get_error(),
(char *)context->service_buffer));
return 1;
}
/* verify private key */
if (!SSL_CTX_check_private_key(
context->ssl_client_ctx)) {
lwsl_err("Private SSL key doesn't match cert\n");
return 1;
}
}
context->protocols[0].callback(context, NULL,
LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
context->ssl_client_ctx, NULL, 0);
return 0;
}示例10: tls_ctx_load_priv_file
int
tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_engine,
const char *priv_key_file
#if ENABLE_INLINE_FILES
, const char *priv_key_file_inline
#endif
)
{
int status;
SSL_CTX *ssl_ctx = NULL;
BIO *in = NULL;
EVP_PKEY *pkey = NULL;
int ret = 1;
ASSERT(NULL != ctx);
ssl_ctx = ctx->ctx;
#if ENABLE_INLINE_FILES
if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
in = BIO_new_mem_buf ((char *)priv_key_file_inline, -1);
else
#endif /* ENABLE_INLINE_FILES */
in = BIO_new_file (priv_key_file, "r");
if (!in)
goto end;
if (priv_key_engine) {
ENGINE *engine;
ENGINE_load_builtin_engines();
engine = ENGINE_by_id(priv_key_engine);
if (!ENGINE_init(engine)) {
msg (M_WARN|M_SSL, "Cannot init engine %s", priv_key_engine);
goto end;
}
pkey = ENGINE_load_private_key(engine, priv_key_file, UI_OpenSSL(), NULL);
} else {
pkey = PEM_read_bio_PrivateKey (in, NULL,
ssl_ctx->default_passwd_callback,
ssl_ctx->default_passwd_callback_userdata);
}
if (!pkey)
goto end;
if (!SSL_CTX_use_PrivateKey (ssl_ctx, pkey))
{
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
#endif
msg (M_WARN|M_SSL, "Cannot load private key file %s", priv_key_file);
goto end;
}
warn_if_group_others_accessible (priv_key_file);
/* Check Private Key */
if (!SSL_CTX_check_private_key (ssl_ctx))
msg (M_SSLERR, "Private key does not match the certificate");
ret = 0;
end:
if (pkey)
EVP_PKEY_free (pkey);
if (in)
BIO_free (in);
return ret;
}示例11: vs_init_ssl
/*
* \brief Initialize OpenSSl of Verse server
*/
static int vs_init_ssl(VS_CTX *vs_ctx)
{
/* Set up the library */
SSL_library_init();
ERR_load_BIO_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
/* Set up SSL context for TLS */
if( (vs_ctx->tls_ctx = SSL_CTX_new(TLSv1_server_method())) == NULL ) {
v_print_log(VRS_PRINT_ERROR, "Setting up SSL_CTX failed.\n");
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Load certificate chain file from CA */
if(vs_ctx->ca_cert_file != NULL) {
if(SSL_CTX_use_certificate_chain_file(vs_ctx->tls_ctx, vs_ctx->ca_cert_file) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Loading certificate chain file: %s failed.\n",
vs_ctx->ca_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
}
/* Load certificate with public key for TLS */
if(SSL_CTX_use_certificate_file(vs_ctx->tls_ctx, vs_ctx->public_cert_file, SSL_FILETYPE_PEM) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Loading certificate file: %s failed.\n",
vs_ctx->public_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Load private key for TLS */
if(SSL_CTX_use_PrivateKey_file(vs_ctx->tls_ctx, vs_ctx->private_cert_file, SSL_FILETYPE_PEM) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Loading private key file: %s failed.\n",
vs_ctx->private_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Check the consistency of a private key with the corresponding
* certificate loaded into ssl_ctx */
if(SSL_CTX_check_private_key(vs_ctx->tls_ctx) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Private key does not match the certificate public key\n");
ERR_print_errors_fp(v_log_file());
return -1;
}
/* When CA certificate file was set, then try to load it */
if(vs_ctx->ca_cert_file != NULL) {
if(SSL_CTX_load_verify_locations(vs_ctx->tls_ctx, vs_ctx->ca_cert_file, NULL) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Loading CA certificate file: %s failed.\n",
vs_ctx->ca_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
}
#if OPENSSL_VERSION_NUMBER>=0x10000000
/* Set up SSL context for DTLS */
if( (vs_ctx->dtls_ctx = SSL_CTX_new(DTLSv1_server_method())) == NULL ) {
v_print_log(VRS_PRINT_ERROR, "Setting up SSL_CTX failed.\n");
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Load certificate chain file from CA */
if(vs_ctx->ca_cert_file != NULL) {
if(SSL_CTX_use_certificate_chain_file(vs_ctx->dtls_ctx, vs_ctx->ca_cert_file) != 1) {
v_print_log(VRS_PRINT_ERROR, "DTLS: Loading certificate chain file: %s failed.\n",
vs_ctx->ca_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
}
/* Load certificate with public key for DTLS */
if (SSL_CTX_use_certificate_file(vs_ctx->dtls_ctx, vs_ctx->public_cert_file, SSL_FILETYPE_PEM) != 1) {
v_print_log(VRS_PRINT_ERROR, "DTLS: Loading certificate file: %s failed.\n",
vs_ctx->public_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Load private key for DTLS */
if(SSL_CTX_use_PrivateKey_file(vs_ctx->dtls_ctx, vs_ctx->private_cert_file, SSL_FILETYPE_PEM) != 1) {
v_print_log(VRS_PRINT_ERROR, "DTLS: Loading private key file: %s failed.\n",
vs_ctx->private_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Check the consistency of a private key with the corresponding
* certificate loaded into ssl_ctx */
if(SSL_CTX_check_private_key(vs_ctx->dtls_ctx) != 1) {
//.........这里部分代码省略.........
示例12: tls_ctx_load_pkcs12
int
tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
#if ENABLE_INLINE_FILES
const char *pkcs12_file_inline,
#endif /* ENABLE_INLINE_FILES */
bool load_ca_file
)
{
FILE *fp;
EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *ca = NULL;
PKCS12 *p12;
int i;
char password[256];
ASSERT(NULL != ctx);
#if ENABLE_INLINE_FILES
if (!strcmp (pkcs12_file, INLINE_FILE_TAG) && pkcs12_file_inline)
{
BIO *b64 = BIO_new(BIO_f_base64());
BIO *bio = BIO_new_mem_buf((void *) pkcs12_file_inline,
(int) strlen(pkcs12_file_inline));
ASSERT(b64 && bio);
BIO_push(b64, bio);
p12 = d2i_PKCS12_bio(b64, NULL);
if (!p12)
msg(M_SSLERR, "Error reading inline PKCS#12 file");
BIO_free(b64);
BIO_free(bio);
}
else
#endif
{
/* Load the PKCS #12 file */
if (!(fp = platform_fopen(pkcs12_file, "rb")))
msg(M_SSLERR, "Error opening file %s", pkcs12_file);
p12 = d2i_PKCS12_fp(fp, NULL);
fclose(fp);
if (!p12)
msg(M_SSLERR, "Error reading PKCS#12 file %s", pkcs12_file);
}
/* Parse the PKCS #12 file */
if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
{
pem_password_callback (password, sizeof(password) - 1, 0, NULL);
/* Reparse the PKCS #12 file with password */
ca = NULL;
if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
{
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
#endif
PKCS12_free(p12);
return 1;
}
}
PKCS12_free(p12);
/* Load Certificate */
if (!SSL_CTX_use_certificate (ctx->ctx, cert))
msg (M_SSLERR, "Cannot use certificate");
/* Load Private Key */
if (!SSL_CTX_use_PrivateKey (ctx->ctx, pkey))
msg (M_SSLERR, "Cannot use private key");
warn_if_group_others_accessible (pkcs12_file);
/* Check Private Key */
if (!SSL_CTX_check_private_key (ctx->ctx))
msg (M_SSLERR, "Private key does not match the certificate");
/* Set Certificate Verification chain */
if (load_ca_file)
{
if (ca && sk_X509_num(ca))
{
for (i = 0; i < sk_X509_num(ca); i++)
{
if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i)))
msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
}
}
}
return 0;
}示例13: check_key
static int check_key(lua_State *L)
{
SSL_CTX *ctx = lsec_checkcontext(L, 1);
lua_pushboolean(L, SSL_CTX_check_private_key(ctx));
return 1;
}示例14: swSSL_get_context
SSL_CTX* swSSL_get_context(int method, char *cert_file, char *key_file)
{
if (!openssl_init)
{
swSSL_init();
}
SSL_CTX *ssl_context = SSL_CTX_new(swSSL_get_method(method));
if (ssl_context == NULL)
{
ERR_print_errors_fp(stderr);
return NULL;
}
SSL_CTX_set_options(ssl_context, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ssl_context, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
SSL_CTX_set_options(ssl_context, SSL_OP_MSIE_SSLV2_RSA_PADDING);
SSL_CTX_set_options(ssl_context, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
SSL_CTX_set_options(ssl_context, SSL_OP_TLS_D5_BUG);
SSL_CTX_set_options(ssl_context, SSL_OP_TLS_BLOCK_PADDING_BUG);
SSL_CTX_set_options(ssl_context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
SSL_CTX_set_options(ssl_context, SSL_OP_SINGLE_DH_USE);
if (cert_file)
{
/*
* set the local certificate from CertFile
*/
if (SSL_CTX_use_certificate_file(ssl_context, cert_file, SSL_FILETYPE_PEM) <= 0)
{
ERR_print_errors_fp(stderr);
return NULL;
}
/*
* if the crt file have many certificate entry ,means certificate chain
* we need call this function
*/
if (SSL_CTX_use_certificate_chain_file(ssl_context, cert_file) <= 0)
{
ERR_print_errors_fp(stderr);
return NULL;
}
/*
* set the private key from KeyFile (may be the same as CertFile)
*/
if (SSL_CTX_use_PrivateKey_file(ssl_context, key_file, SSL_FILETYPE_PEM) <= 0)
{
ERR_print_errors_fp(stderr);
return NULL;
}
/*
* verify private key
*/
if (!SSL_CTX_check_private_key(ssl_context))
{
swWarn("Private key does not match the public certificate");
return NULL;
}
}
return ssl_context;
}示例15: __ssl_setup
static int __ssl_setup(struct ast_tls_config *cfg, int client)
{
#ifndef DO_SSL
cfg->enabled = 0;
return 0;
#else
if (!cfg->enabled) {
return 0;
}
/* Get rid of an old SSL_CTX since we're about to
* allocate a new one
*/
if (cfg->ssl_ctx) {
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
}
if (client) {
#ifndef OPENSSL_NO_SSL2
if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
} else
#endif
if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
} else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
} else {
/* SSLv23_client_method() sends SSLv2, this was the original
* default for ssl clients before the option was given to
* pick what protocol a client should use. In order not
* to break expected behavior it remains the default. */
cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
}
} else {
/* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
}
if (!cfg->ssl_ctx) {
ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
cfg->enabled = 0;
return 0;
}
SSL_CTX_set_verify(cfg->ssl_ctx,
ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
NULL);
if (!ast_strlen_zero(cfg->certfile)) {
char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
if (!client) {
/* Clients don't need a certificate, but if its setup we can use it */
ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
return 0;
}
}
if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
if (!client) {
/* Clients don't need a private key, but if its setup we can use it */
ast_verb(0, "SSL error loading private key file. <%s>\n", tmpprivate);
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
return 0;
}
}
}
if (!ast_strlen_zero(cfg->cipher)) {
if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
if (!client) {
ast_verb(0, "SSL cipher error <%s>\n", cfg->cipher);
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
return 0;
}
}
}
if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
}
}
ast_verb(0, "SSL certificate ok\n");
return 1;
#endif
}