本文整理汇总了C++中SSL_get_ex_data_X509_STORE_CTX_idx函数的典型用法代码示例。如果您正苦于以下问题:C++ SSL_get_ex_data_X509_STORE_CTX_idx函数的具体用法?C++ SSL_get_ex_data_X509_STORE_CTX_idx怎么用?C++ SSL_get_ex_data_X509_STORE_CTX_idx使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了SSL_get_ex_data_X509_STORE_CTX_idx函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: verify_callback
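/*
 * Verification callback: records OpenSSL's verdict for the chain element
 * being checked on the endpoint attached to the SSL object, and returns
 * that verdict unchanged.
 *
 * ok     OpenSSL's pre-verification result (1 = passed, 0 = failed).
 * store  the X509_STORE_CTX of the verification in progress; the SSL object
 *        is recovered from it through the library-reserved ex_data index.
 *
 * Returns ok, so OpenSSL's own decision is never overridden. The callback is
 * invoked once per chain element, so epd->ssl_verify holds the verdict of
 * the most recent invocation. If no endpoint is attached to the SSL object
 * the element is rejected (fail closed) instead of dereferencing NULL.
 */
static int verify_callback(int ok, X509_STORE_CTX *store)
{
    SSL *ssl = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
    epdata_t *epd = ssl ? SSL_get_ex_data(ssl, ssl_epd_idx) : NULL;

    if (!epd)
        return 0; /* nowhere to record the verdict: reject */

    epd->ssl_verify = ok;
    return ok;
}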
示例2: certVerifyCallback
// Verification callback (WebKit curl network backend): lets the user's
// per-host exceptions override OpenSSL's verdict.
//
// ok  : OpenSSL's pre-verification verdict. Not used directly - a zero
//       X509_STORE_CTX error is taken as "accepted"; anything else goes
//       through the exception lists below and `ok` is overwritten.
// ctx : verification context; the SSL, its SSL_CTX and the ResourceHandle
//       stored as SSL_CTX app data (the job) are recovered from it.
//
// Returns 1 to accept the certificate, 0 to reject it.
//
// SECURITY NOTES
//  - Windows build: acceptance depends only on the host being present in
//    allowedHosts; the certificate set stored for that host is not consulted
//    here, so once a host is allowed, any certificate it presents is accepted.
//  - Other builds: the chain is extracted as PEM by pemData() (a failure to
//    extract rejects) and acceptance is decided by sslIgnoreHTTPSCertificate()
//    from the lower-cased host and that chain.
//  - On acceptance CURLOPT_SSL_VERIFYPEER is cleared on the curl handle, so
//    curl stops verifying the peer for the rest of this handle's life, not
//    just for the certificate that triggered the exception.
//  - NOTE(review): curl_easy_setopt() reads a `long` for this option; passing
//    `false` relies on the varargs promotion producing something curl reads
//    as 0 - `0L` would be the safe spelling.
static int certVerifyCallback(int ok, X509_STORE_CTX* ctx)
{
    // Zero error code: OpenSSL found nothing wrong with this element.
    unsigned err = X509_STORE_CTX_get_error(ctx);
    if (!err)
        return 1;
    SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
    SSL_CTX* sslctx = SSL_get_SSL_CTX(ssl);
    ResourceHandle* job = reinterpret_cast<ResourceHandle*>(SSL_CTX_get_app_data(sslctx));
    String host = job->firstRequest().url().host();
    ResourceHandleInternal* d = job->getInternal();
    // Record the class of error on the handle so its owner can inspect it.
    d->m_sslErrors = sslCertificateFlag(err);
#if PLATFORM(WIN)
    // Host-only exception: the per-host certificate set is not checked.
    HashMap<String, ListHashSet<String>>::iterator it = allowedHosts.find(host);
    ok = (it != allowedHosts.end());
#else
    ListHashSet<String> certificates;
    if (!pemData(ctx, certificates))
        return 0;
    ok = sslIgnoreHTTPSCertificate(host.lower(), certificates);
#endif
    if (ok) {
        // An exception exists for this host: stop curl from verifying the
        // peer for the remaining lifetime of this handle.
        curl_easy_setopt(d->m_handle, CURLOPT_SSL_VERIFYPEER, false);
    }
    return ok;
}
示例3: my_verify_callback
/*
 * Client-side certificate verification callback (MySQL/MariaDB client).
 *
 * ok   OpenSSL's pre-verification verdict for the current chain element.
 * ctx  verification context; the SSL handle and, through its app data,
 *      the MYSQL connection are recovered from it.
 *
 * Returns 1 to accept the current chain element, 0 to reject it.
 *
 * Two deliberate relaxations of OpenSSL's verdict, worth knowing about:
 *  - If the connection was configured without a CA file or CA path, every
 *    element is accepted: there is nothing to validate the chain against.
 *  - A failure reported at depth 0 (the server's own certificate) is
 *    accepted as long as a current certificate exists. Errors such as an
 *    expired or self-signed leaf therefore do not abort the handshake in
 *    this callback; presumably the leaf is checked separately by the client
 *    after the handshake - confirm before relying on this callback alone.
 *    Failures at depth > 0 (intermediate/root CAs) are still rejected.
 */
static int my_verify_callback(int ok, X509_STORE_CTX *ctx)
{
  SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
  MYSQL *conn = (MYSQL *)SSL_get_app_data(ssl);

  /* no trust anchors configured: skip verification entirely */
  if (!conn->options.ssl_ca && !conn->options.ssl_capath)
    return 1;

  if (ok)
    return 1;

  /* pre-verification failed and there is no current cert: hard reject */
  if (!X509_STORE_CTX_get_current_cert(ctx))
    return 0;

  /* the leaf's own errors are tolerated here; CA errors are not */
  return X509_STORE_CTX_get_error_depth(ctx) == 0 ? 1 : 0;
}
示例4: cert_check
/*
 * Second-stage certificate check (stunnel): applies the verify_level policy
 * on top of OpenSSL's pre-verification result.
 *
 * callback_ctx  verification context of the chain element being examined
 * preverify_ok  OpenSSL's verdict for that element (1 ok, 0 failed)
 *
 * Returns 1 to accept the element, 0 to reject it. Policy, driven by
 * c->opt->verify_level of the connection attached to the SSL object:
 *  - a failed element is rejected and the STORE_CTX error is left intact,
 *    except that at verify_level >= 4 failures above depth 0 (CA certs)
 *    are ignored, i.e. only the peer certificate itself matters;
 *  - at verify_level >= 3 the peer certificate (depth 0) must additionally
 *    pass cert_check_local().
 */
NOEXPORT int cert_check(X509_STORE_CTX *callback_ctx, int preverify_ok) {
    SSL *ssl=X509_STORE_CTX_get_ex_data(callback_ctx,
        SSL_get_ex_data_X509_STORE_CTX_idx());
    CLI *c=SSL_get_ex_data(ssl, cli_index);
    int depth=X509_STORE_CTX_get_error_depth(callback_ctx);
    int level=c->opt->verify_level;

    if(!preverify_ok) {
        /* remote site sent an invalid certificate */
        if(level<4 || depth<=0) {
            s_log(LOG_WARNING, "CERT: Verification error: %s",
                X509_verify_cert_error_string(
                    X509_STORE_CTX_get_error(callback_ctx)));
            /* retain the STORE_CTX error produced by pre-verification */
            return 0; /* reject */
        }
        /* verify_level 4+: CA certificate errors are tolerated */
        s_log(LOG_INFO, "CERT: Invalid CA certificate ignored");
        return 1; /* accept */
    }

    s_log(LOG_DEBUG, "CERT: preverify ok");
    /* verify_level 3+: the peer certificate must also be known locally */
    if(level>=3 && depth==0 && !cert_check_local(callback_ctx))
        return 0; /* reject */
    return 1; /* accept */
}
示例5: engine_verify_callback
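/*
 * Verification callback: leaves OpenSSL's verdict untouched but, when a
 * chain element fails, keeps a DER copy of that certificate on the SSL
 * object (as SSL app data, type ms_cert_buf) for later inspection/logging.
 *
 * preverify_ok  OpenSSL's verdict for the current chain element
 * ctx           verification context it was reached through
 *
 * Returns preverify_ok unchanged: the handshake outcome is decided by
 * OpenSSL alone, and a failure to save the certificate never changes it.
 *
 * Ownership: the DER buffer is allocated by i2d_X509() (OPENSSL_malloc,
 * release with OPENSSL_free) and the wrapper by malloc(); whoever reads
 * the app data later is responsible for freeing both. Each failing element
 * replaces the previously stored pointer, so only the last failure in a
 * chain survives - NOTE(review): confirm the reader frees what it finds,
 * otherwise a wrapper stored by an earlier invocation leaks.
 */
static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
    X509* err_cert;
    SSL* ssl;
    int bytes;
    unsigned char* buf = NULL;
    ms_cert_buf* cert_buf;

    if(preverify_ok)
        return preverify_ok;

    err_cert = X509_STORE_CTX_get_current_cert(ctx);
    ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
    if(!err_cert || !ssl)
        return preverify_ok;   /* nothing to save, or nowhere to hang it */

    /* i2d_X509 with *buf == NULL allocates the output buffer itself */
    bytes = i2d_X509(err_cert, &buf);
    if(bytes <= 0)
        return preverify_ok;

    cert_buf = malloc(sizeof *cert_buf);
    if(!cert_buf) {
        OPENSSL_free(buf);     /* keep the failed verdict, drop the copy */
        return preverify_ok;
    }
    cert_buf->buf = buf;
    cert_buf->bytes = bytes;
    SSL_set_app_data(ssl, cert_buf);
    return preverify_ok;
}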
示例6: tls_verify_certificate_callback
/*
 * tls_verify_certificate_callback - certificate verification callback
 * (Postfix TLS library).
 *
 * ok   OpenSSL's verdict for the chain element currently being checked.
 * ctx  verification context; the TLS_SESS_STATE for the session is read
 *      from the SSL object's ex_data at TLScontext_index.
 *
 * Always returns 1. A failed element never aborts the handshake here; it
 * is recorded on TLScontext through update_error_state() and the
 * application decides later what to do with an unverified session. Any
 * caller that needs a verified peer MUST check the session state rather
 * than rely on the handshake having completed.
 */
int tls_verify_certificate_callback(int ok, X509_STORE_CTX *ctx)
{
    char buf[CCERT_BUFSIZ];
    X509 *cert;
    int err;
    int depth;
    int max_depth;
    SSL *con;
    TLS_SESS_STATE *TLScontext;

    /* May be NULL as of OpenSSL 1.0, thanks for the API change! */
    cert = X509_STORE_CTX_get_current_cert(ctx);
    err = X509_STORE_CTX_get_error(ctx);
    con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
    TLScontext = SSL_get_ex_data(con, TLScontext_index);
    depth = X509_STORE_CTX_get_error_depth(ctx);

    /*
     * Don't log the internal root CA unless there's an unexpected error.
     * Elements above TLScontext->tadepth (presumably the trust-anchor
     * depth, when non-zero) that verified fine are of no further interest.
     */
    if (ok && TLScontext->tadepth > 0 && depth > TLScontext->tadepth)
        return (1);

    /*
     * Certificate chain depth limit violations are mis-reported by the
     * OpenSSL library, from SSL_CTX_set_verify(3):
     *
     * The certificate verification depth set with SSL[_CTX]_verify_depth()
     * stops the verification at a certain depth. The error message produced
     * will be that of an incomplete certificate chain and not
     * X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.
     *
     * We set a limit that is one higher than the user requested limit. If this
     * higher limit is reached, we raise an error even a trusted root CA is
     * present at this depth. This disambiguates trust chain truncation from
     * an incomplete trust chain.
     */
    max_depth = SSL_get_verify_depth(con) - 1;

    /*
     * We never terminate the SSL handshake in the verification callback,
     * rather we allow the TLS handshake to continue, but mark the session as
     * unverified. The application is responsible for closing any sessions
     * with unverified credentials.
     */
    if (max_depth >= 0 && depth > max_depth) {
        /* Override the library's misleading error code (see above). */
        X509_STORE_CTX_set_error(ctx, err = X509_V_ERR_CERT_CHAIN_TOO_LONG);
        ok = 0;
    }
    /* Retain the failure on the session for the application to inspect. */
    if (ok == 0)
        update_error_state(TLScontext, depth, cert, err);
    if (TLScontext->log_mask & TLS_LOG_VERBOSE) {
        /* cert may be NULL (see above); the fallback text fits CCERT_BUFSIZ */
        if (cert)
            X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
        else
            strcpy(buf, "<unknown>");
        msg_info("%s: depth=%d verify=%d subject=%s",
                 TLScontext->namaddr, depth, ok, printable(buf, '?'));
    }
    return (1);
}
示例7: verify_cb
/**
 * Verification callback (LuaSec): implements the "continue on error"
 * verify flag and records every certificate error for the Lua side.
 *
 * preverify_ok  OpenSSL's verdict for the current chain element
 * x509_ctx      verification context; the SSL, its SSL_CTX and the
 *               p_context stored as SSL_CTX app data are recovered from it
 *
 * Returns 1 when the element passed, or when LSEC_VERIFY_CONTINUE is set
 * for this SSL_CTX in the "SSL:Verify:Registry" table (the error is still
 * recorded via add_cert_error() and the handshake goes on - the Lua caller
 * must inspect the recorded errors); otherwise returns preverify_ok, i.e.
 * 0, and the handshake fails.
 */
static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
    SSL *ssl;
    SSL_CTX *sslctx;
    p_context pctx;
    lua_State *L;
    int flags;
    int err;

    /* Nothing to record or override when OpenSSL is happy */
    if (preverify_ok)
        return 1;

    ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
        SSL_get_ex_data_X509_STORE_CTX_idx());
    sslctx = SSL_get_SSL_CTX(ssl);
    pctx = (p_context)SSL_CTX_get_app_data(sslctx);
    L = pctx->L;

    /* Verify flags live in the registry table, keyed by the SSL_CTX pointer */
    luaL_getmetatable(L, "SSL:Verify:Registry");
    lua_pushlightuserdata(L, (void*)sslctx);
    lua_gettable(L, -2);
    flags = (int)lua_tonumber(L, -1);
    lua_pop(L, 2); /* drop the value and the registry table */

    err = X509_STORE_CTX_get_error(x509_ctx);
    if (err != X509_V_OK)
        add_cert_error(L, ssl, err, X509_STORE_CTX_get_error_depth(x509_ctx));

    if (flags & LSEC_VERIFY_CONTINUE)
        return 1;
    return preverify_ok;
}
示例8: verify_callback
/*
 * Top-level verification callback (stunnel).
 *
 * preverify_ok  OpenSSL's verdict for the current chain element
 * callback_ctx  verification context; the CLI for this connection is
 *               recovered from the SSL object's ex_data at cli_index
 *
 * Returns 1 to accept, 0 to reject. Decision order:
 *  1. verify_level < 1: verification is disabled, always accept.
 *  2. verify_checks() passes: accept.
 *  3. Client mode, or a protocol negotiation configured: reject.
 *  4. Otherwise (server mode) a failing peer is not dropped but redirected:
 *     the connection's target is replaced by the pre-resolved redirect
 *     addresses, or by redirect_list resolved now, and the handshake is
 *     allowed to complete. Only when no redirect target exists is the
 *     connection rejected. Callers must not assume an accepted handshake
 *     here means the peer certificate was valid.
 */
NOEXPORT int verify_callback(int preverify_ok, X509_STORE_CTX *callback_ctx) {
    SSL *ssl=X509_STORE_CTX_get_ex_data(callback_ctx,
        SSL_get_ex_data_X509_STORE_CTX_idx());
    CLI *c=SSL_get_ex_data(ssl, cli_index);
    int redirected=0;

    if(c->opt->verify_level<1) {
        s_log(LOG_INFO, "Certificate verification disabled");
        return 1; /* accept */
    }
    if(verify_checks(preverify_ok, callback_ctx))
        return 1; /* accept */
    if(c->opt->option.client || c->opt->protocol)
        return 0; /* reject */

    if(c->opt->redirect_addr.num) { /* pre-resolved addresses */
        addrlist_dup(&c->connect_addr, &c->opt->redirect_addr);
        redirected=1;
    } else if(namelist2addrlist(&c->connect_addr,
            c->opt->redirect_list, DEFAULT_LOOPBACK)) { /* delayed lookup */
        redirected=1;
    }
    if(!redirected)
        return 0; /* reject */
    s_log(LOG_INFO, "Redirecting connection");
    return 1; /* accept */
}
示例9: OpenSSL_verify_callback
/*
 * Verification callback (libwebsockets): logs the client certificate's CN
 * and delegates the accept/reject decision to the vhost's protocols[0]
 * callback via LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION.
 *
 * preverify_ok  OpenSSL's verdict for the current chain element; handed
 *               to the user callback together with x509_ctx and the SSL
 * x509_ctx      verification context
 *
 * Returns 1 when the user callback returns 0 (its "OK"), otherwise 0.
 * OpenSSL's own verdict is therefore only advisory here: whatever the user
 * callback returns decides whether the handshake continues.
 */
static int
OpenSSL_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
	union lws_tls_cert_info_results ir;
	X509 *topcert = X509_STORE_CTX_get_current_cert(x509_ctx);
	SSL *ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
				SSL_get_ex_data_X509_STORE_CTX_idx());
	/* openssl requires the ex_data index to be a library-scope static */
	struct lws *wsi = SSL_get_ex_data(ssl,
				openssl_websocket_private_data_index);
	int rc;

	rc = lws_tls_openssl_cert_info(topcert, LWS_TLS_CERT_INFO_COMMON_NAME,
				       &ir, sizeof(ir.ns.name));
	if (rc)
		lwsl_info("%s: couldn't get client cert CN\n", __func__);
	else
		lwsl_info("%s: client cert CN '%s'\n", __func__, ir.ns.name);

	rc = wsi->vhost->protocols[0].callback(wsi,
			LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION,
			x509_ctx, ssl, preverify_ok);

	/* user callback: 0 = OK; openssl expects 1 = OK */
	return !rc;
}
示例10: verify_callback
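/*
 * Verification callback (HHVM SSLSocket): applies the stream context's
 * "allow_self_signed" and "verify_depth" options on top of OpenSSL's
 * verdict.
 *
 * preverify_ok  OpenSSL's verdict for the current chain element
 * ctx           verification context; the SSLSocket is recovered from the
 *               SSL object's ex_data at SSLSocket::GetSSLExDataIndex()
 *
 * Returns 1 to accept the element, 0 to reject it.
 *  - allow_self_signed only forgives X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
 *    any other failure keeps OpenSSL's rejection.
 *  - verify_depth, when set (truthy), rejects any element deeper than the
 *    limit even if it verified, and records X509_V_ERR_CERT_CHAIN_TOO_LONG
 *    as the context error (overwriting any earlier error code).
 *  - With no SSLSocket attached to the SSL object the element is rejected
 *    rather than dereferencing NULL.
 */
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
  int ret = preverify_ok;
  /* status of the current cert: the error code and the depth it occurred at */
  int err = X509_STORE_CTX_get_error(ctx);
  int depth = X509_STORE_CTX_get_error_depth(ctx);

  /* conjure the stream & context to use */
  SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data
    (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
  SSLSocket *stream =
    (SSLSocket*)SSL_get_ex_data(ssl, SSLSocket::GetSSLExDataIndex());
  if (!stream) {
    return 0;  /* no socket to consult: fail closed */
  }

  /* if allow_self_signed is set, a self-signed leaf is tolerated */
  if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT &&
      stream->getContext()["allow_self_signed"].toBoolean()) {
    ret = 1;
  }

  /* check the depth; this applies even to elements that verified */
  Variant vdepth = stream->getContext()["verify_depth"];
  if (vdepth.toBoolean() && depth > vdepth.toInt64()) {
    ret = 0;
    X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_CHAIN_TOO_LONG);
  }
  return ret;
}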
示例11: ssl_verify_wrapper
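/*
 * Verification callback (EventMachine): hands the PEM form of the current
 * chain element to the Ruby-side ConnectionDescriptor::VerifySslPeer().
 *
 * preverify_ok  OpenSSL's verdict; when it is not 1 the element is rejected
 *               right away and Ruby is not consulted
 * ctx           verification context; the SSL is recovered from it, and the
 *               connection binding from SSL ex_data slot 0 - presumably the
 *               slot this library reserves for itself; confirm at SSL setup
 *
 * Returns 1 when VerifySslPeer() accepts the PEM, otherwise 0. A missing
 * certificate, SSL, connection object or BIO, or a failed PEM write, all
 * reject (fail closed).
 *
 * SECURITY NOTE: the Ruby handler sees only elements that already passed
 * pre-verification; the final accept/reject is the handler's decision,
 * and a handler that returns true unconditionally accepts any such chain.
 *
 * The memory BIO owns its BUF_MEM, so it is released with BIO_free()
 * (which frees the buffer as well); freeing the BUF_MEM directly would
 * leak the BIO structure.
 */
extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
{
    // if the pre verification has failed, then don't bother validating via ruby
    if (preverify_ok != 1) {
        return preverify_ok;
    }

    X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
    SSL *ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
    if (!cert || !ssl) {
        return 0;
    }
    unsigned long binding = (unsigned long) SSL_get_ex_data(ssl, 0);
    ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject(binding));
    if (!cd) {
        return 0;
    }

    BIO *out = BIO_new(BIO_s_mem());
    if (!out) {
        return 0;
    }
    int result = 0;
    BUF_MEM *buf = NULL;
    // NUL-terminate the PEM so buf->data can be passed as a C string
    if (PEM_write_bio_X509(out, cert) && BIO_write(out, "\0", 1) == 1) {
        BIO_get_mem_ptr(out, &buf);
        result = (buf && cd->VerifySslPeer(buf->data) == true) ? 1 : 0;
    }
    BIO_free(out);   // releases the BUF_MEM too
    return result;
}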
示例12: verify_callback
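/*
 * Verification callback (demo): prints every chain element as it is
 * checked and returns OpenSSL's verdict unchanged.
 *
 * preverify_ok  OpenSSL's verdict for the current element
 * ctx           verification context
 *
 * Returns preverify_ok - this callback never overrides the library's
 * decision, it only logs. A NULL current certificate (possible from
 * OpenSSL 1.0 on) is printed as "<unknown>" instead of being dereferenced,
 * and the issuer is read through X509_STORE_CTX_get_current_cert() rather
 * than the ctx->current_cert field, which is opaque since OpenSSL 1.1.0.
 */
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
    char buf[256];
    X509 *err_cert;
    int err, depth;
    SSL *ssl;

    printf("*** Verify callback function called\n");
    err_cert = X509_STORE_CTX_get_current_cert(ctx);
    err = X509_STORE_CTX_get_error(ctx);
    depth = X509_STORE_CTX_get_error_depth(ctx);

    /*
     * The SSL of the connection currently being verified; application data
     * stored on it with SSL_set_ex_data() would be fetched from here.
     */
    ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
    (void)ssl;

    if (err_cert)
        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
    else
        snprintf(buf, sizeof(buf), "<unknown>");

    /*
     * No chain-length limit is enforced here: a verify_depth set one higher
     * than the real limit (so that depth > limit can be caught and reported
     * as X509_V_ERR_CERT_CHAIN_TOO_LONG) would have to come from application
     * data, which this demo does not carry.
     */
    if (!preverify_ok) {
        printf("verify error:num=%d:%s:depth=%d:%s\n", err,
               X509_verify_cert_error_string(err), depth, buf);
    }
    printf("depth=%d:%s\n", depth, buf);

    /*
     * err holds the last verification error; for a missing issuer, show
     * who the issuer would have been.
     */
    if (!preverify_ok && err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT && err_cert) {
        X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
        printf("issuer= %s\n", buf);
    }
    return preverify_ok;
}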
示例13: verify_callback
/*
 * DTLS verification callback (rtpengine): ignores OpenSSL's verdict (`ok`
 * is unused) and instead stashes the peer certificate on the packet stream
 * so it can be accepted or rejected by fingerprint.
 *
 * ok     OpenSSL's pre-verification verdict - not consulted
 * store  verification context; the stream_fd is the SSL's app data
 *
 * Returns 1 (accept) or 0 (reject):
 *  - reject if the SSL is not this stream_fd's DTLS session, if the fd has
 *    no stream, or if the stream has no media;
 *  - accept immediately if the stream is already FINGERPRINT_VERIFIED;
 *  - otherwise keep a copy of the current certificate in ps->dtls_cert
 *    (replacing any earlier one) and:
 *      . accept without checking when no fingerprint hash function is set
 *        yet - verification is deferred, presumably until the remote
 *        fingerprint is known; confirm dtls_verify_cert() runs then,
 *      . else accept iff dtls_verify_cert(ps) returns 0.
 */
static int verify_callback(int ok, X509_STORE_CTX *store) {
	SSL *ssl = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
	struct stream_fd *sfd = SSL_get_app_data(ssl);
	struct packet_stream *ps;
	struct call_media *media;

	(void) ok;

	if (sfd->dtls.ssl != ssl)
		return 0;
	ps = sfd->stream;
	if (!ps)
		return 0;
	if (PS_ISSET(ps, FINGERPRINT_VERIFIED))
		return 1;
	media = ps->media;
	if (!media)
		return 0;

	/* replace the previously stashed certificate with the current one */
	if (ps->dtls_cert)
		X509_free(ps->dtls_cert);
	ps->dtls_cert = X509_dup(X509_STORE_CTX_get_current_cert(store));

	if (!media->fingerprint.hash_func)
		return 1; /* fingerprint not known yet: verify later */

	return dtls_verify_cert(ps) ? 0 : 1;
}
示例14: _mosquitto_server_certificate_verify
/*
 * Server certificate verification callback (mosquitto client, and broker
 * bridges when WITH_BROKER): adds a hostname check on top of OpenSSL's
 * verdict.
 *
 * preverify_ok  OpenSSL's verdict (chain, expiry, revocation as configured)
 * ctx           verification context; the struct mosquitto is the SSL's
 *               ex_data at tls_ex_index_mosq
 *
 * Returns 0 whenever pre-verification failed or no mosquitto context is
 * attached. Otherwise, when tls_insecure is not set and this is the peer
 * certificate (depth 0), returns what
 * _mosquitto_verify_certificate_hostname() says about the configured host
 * (the bridge's current address in the broker build); for CA certificates
 * (depth > 0) returns preverify_ok. With tls_insecure set the hostname is
 * never checked, so a valid certificate for ANY name is accepted.
 */
int _mosquitto_server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
{
	struct mosquitto *mosq;
	SSL *ssl;
	X509 *cert;

	/* Never relax OpenSSL's own rejection. */
	if(!preverify_ok) return 0;

	ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
	mosq = SSL_get_ex_data(ssl, tls_ex_index_mosq);
	if(!mosq) return 0;

	/* The hostname check applies to the leaf only, and only in secure mode. */
	if(mosq->tls_insecure || X509_STORE_CTX_get_error_depth(ctx) != 0){
		return preverify_ok;
	}

	/* FIXME - use X509_check_host() etc. for sufficiently new openssl (>=1.1.x) */
	/* This is the peer certificate, all others are upwards in the chain. */
	cert = X509_STORE_CTX_get_current_cert(ctx);
#if defined(WITH_BROKER)
	return _mosquitto_verify_certificate_hostname(cert, mosq->bridge->addresses[mosq->bridge->cur_address].address);
#else
	return _mosquitto_verify_certificate_hostname(cert, mosq->host);
#endif
}
示例15: swSSL_verify_callback
/*
 * swSSL_verify_callback - verification callback (Swoole).
 *
 * ok          OpenSSL's verdict for the current chain element.
 * x509_store  verification context.
 *
 * SECURITY NOTE: this callback ALWAYS returns 1, i.e. it accepts every
 * chain element regardless of `ok`. Installed with SSL_VERIFY_PEER it lets
 * the handshake complete even when verification failed; the verification
 * outcome is only enforced if the caller checks SSL_get_verify_result()
 * after the handshake - presumably done elsewhere in Swoole, confirm before
 * relying on this callback for any trust decision. The diagnostic dump
 * below is compiled out.
 */
static int swSSL_verify_callback(int ok, X509_STORE_CTX *x509_store)
{
#if 0
    /*
     * Disabled diagnostic: logs verdict, error, depth, subject and issuer.
     * If re-enabled note that the current cert may be NULL (OpenSSL 1.0
     * and later), in which case X509_get_subject_name(cert) must not be
     * called; the SSL handle fetched from the store is not used.
     */
    char *subject, *issuer;
    int err, depth;
    X509 *cert;
    X509_NAME *sname, *iname;
    X509_STORE_CTX_get_ex_data(x509_store, SSL_get_ex_data_X509_STORE_CTX_idx());
    cert = X509_STORE_CTX_get_current_cert(x509_store);
    err = X509_STORE_CTX_get_error(x509_store);
    depth = X509_STORE_CTX_get_error_depth(x509_store);
    /* X509_NAME_oneline(name, NULL, 0) allocates; freed with OPENSSL_free below */
    sname = X509_get_subject_name(cert);
    subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)";
    iname = X509_get_issuer_name(cert);
    issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
    swWarn("verify:%d, error:%d, depth:%d, subject:\"%s\", issuer:\"%s\"", ok, err, depth, subject, issuer);
    if (sname)
    {
        OPENSSL_free(subject);
    }
    if (iname)
    {
        OPENSSL_free(issuer);
    }
#endif
    /* unconditional accept: see the security note above */
    return 1;
}