本文整理汇总了C++中SSL_get_peer_certificate函数的典型用法代码示例。如果您正苦于以下问题:C++ SSL_get_peer_certificate函数的具体用法?C++ SSL_get_peer_certificate怎么用?C++ SSL_get_peer_certificate使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
示例1: MAKEWORD
void *thread_main (void *arg)
{
int err, buflen, read;
int sd;
SSL_CTX *ctx = (SSL_CTX *) arg;
struct sockaddr_in dest_sin;
int sock;
#ifdef _WIN32
PHOSTENT phe;
WORD wVersionRequested;
WSADATA wsaData;
#endif /* */
SSL *ssl;
X509 *server_cert;
char *str;
char buf[1024];
SSL_METHOD *meth;
FILE *fp;
#ifdef _WIN32
wVersionRequested = MAKEWORD (2, 2);
err = WSAStartup (wVersionRequested, &wsaData);
if (err != 0)
{
printf ("WSAStartup err\n");
return -1;
}
#endif /* */
//首先建立连接
sock = socket (AF_INET, SOCK_STREAM, 0);
dest_sin.sin_family = AF_INET;
dest_sin.sin_addr.s_addr = inet_addr ("127.0.0.1");
dest_sin.sin_port = htons (8888);
again:err = connect (sock, (struct sockaddr_in *) &dest_sin, sizeof (dest_sin));
if (err < 0)
{
sleep (1);
goto again;
}
//安全连接要求在连接建立后进行握手
ssl = SSL_new (ctx);
if (ssl == NULL)
{
printf ("ss new err\n");
return;
}
SSL_set_fd (ssl, sock);
//请求SSL连接
err = SSL_connect (ssl);
if (err < 0)
{
printf ("SSL_connect err\n");
return;
}
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
//
server_cert = SSL_get_peer_certificate (ssl);
printf ("Server certificate:\n");
//获得服务端证书subject并转变成字符型,以便进行打印
str = X509_NAME_oneline (X509_get_subject_name (server_cert), 0, 0);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
//获得客户端证书issuer并转变成字符型,以便进行打印
str = X509_NAME_oneline (X509_get_issuer_name (server_cert), 0, 0);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
X509_free (server_cert);
//进行安全会话
err = SSL_write (ssl, "Hello World!", strlen ("Hello World!"));
if (err < 0)
{
printf ("ssl write err\n");
return;
//.........这里部分代码省略.........
示例2: _SSL_get_cert_info
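/*
 * Describe the certificate the peer presented on ssl in *cert_info.
 *
 * FIXME: Master-Key, Extensions, CA bits
 * (openssl x509 -text -in servcert.pem)
 *
 * Returns 0 on success and 1 when the peer sent no certificate (cert_info
 * is then left untouched). Every string member written here is
 * NUL-terminated and truncated to its buffer size. sign_algorithm_bits and
 * rsa_tmp_bits are not derived from the session and are always reported
 * as 0.
 */
int
_SSL_get_cert_info (struct cert_info *cert_info, SSL * ssl)
{
    X509 *peer_cert;
    EVP_PKEY *peer_pkey;
    char notBefore[64];
    char notAfter[64];
    int alg;
    int sign_alg;
    const char *alg_name;
    const char *sign_alg_name;

    /* SSL_get_peer_certificate() returns an owned reference; X509_free below. */
    if (!(peer_cert = SSL_get_peer_certificate (ssl)))
        return (1);             /* FATAL? */

    /* When handed a buffer, X509_NAME_oneline() truncates and NUL-terminates. */
    X509_NAME_oneline (X509_get_subject_name (peer_cert), cert_info->subject,
                       sizeof (cert_info->subject));
    X509_NAME_oneline (X509_get_issuer_name (peer_cert), cert_info->issuer,
                       sizeof (cert_info->issuer));
    broke_oneline (cert_info->subject, cert_info->subject_word);
    broke_oneline (cert_info->issuer, cert_info->issuer_word);

    /* Reaches into X509 internals, so this only builds against OpenSSL
     * versions that still expose the struct (pre-1.1.0). */
    alg = OBJ_obj2nid (peer_cert->cert_info->key->algor->algorithm);
    sign_alg = OBJ_obj2nid (peer_cert->sig_alg->algorithm);

    ASN1_TIME_snprintf (notBefore, sizeof (notBefore),
                        X509_get_notBefore (peer_cert));
    ASN1_TIME_snprintf (notAfter, sizeof (notAfter),
                        X509_get_notAfter (peer_cert));

    /* OBJ_nid2ln() can return NULL for a NID it does not know; never hand
     * NULL to "%s". */
    alg_name = (alg == NID_undef) ? NULL : OBJ_nid2ln (alg);
    if (alg_name == NULL)
        alg_name = "Unknown";
    sign_alg_name = (sign_alg == NID_undef) ? NULL : OBJ_nid2ln (sign_alg);
    if (sign_alg_name == NULL)
        sign_alg_name = "Unknown";

    /* snprintf() always terminates the destination; strncpy() does not when
     * the source fills the buffer, which left these fields unterminated. */
    snprintf (cert_info->algorithm, sizeof (cert_info->algorithm), "%s", alg_name);
    snprintf (cert_info->sign_algorithm, sizeof (cert_info->sign_algorithm), "%s",
              sign_alg_name);
    snprintf (cert_info->notbefore, sizeof (cert_info->notbefore), "%s", notBefore);
    snprintf (cert_info->notafter, sizeof (cert_info->notafter), "%s", notAfter);

    /* X509_get_pubkey() yields NULL for an unsupported or malformed key;
     * report 0 bits rather than dereferencing it. EVP_PKEY_free(NULL) is a
     * no-op. */
    peer_pkey = X509_get_pubkey (peer_cert);
    cert_info->algorithm_bits = peer_pkey ? EVP_PKEY_bits (peer_pkey) : 0;
    EVP_PKEY_free (peer_pkey);

    /* Neither the CA key size nor the ephemeral RSA key size is computed. */
    cert_info->sign_algorithm_bits = 0;
    cert_info->rsa_tmp_bits = 0;

    X509_free (peer_cert);
    return (0);
}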
示例3: FinishConnection
/* This function is called on a socket file descriptor once the connection has been
* established and we're ready to negotiate SSL. If the SSL handshake fails for some
* reason (such as the host on the other end not using SSL), it will return 0 for
* failure. Success returns 1.
*/
static int FinishConnection(TCLinkCon *c, int sd)
{
int ssl_connected, is_error, errcode, res;
X509 *server_cert;
time_t start, remaining;
fd_set in, out, err;
struct timeval tv;
/* check if socket has connected successfully */
int val;
int /*socklen_t*/ size = 4;
getsockopt(sd, SOL_SOCKET, SO_ERROR, (char*)&val, &size);
if (val != 0)
return 0;
SSL_clear(c->ssl);
SSL_set_fd(c->ssl, sd);
ssl_connected = 0;
is_error = 0;
start = time(0);
while (!ssl_connected && !is_error)
{
remaining = 5 - (time(0) - start);
if (remaining <= 0) {
is_error = 1;
break;
}
res = SSL_connect(c->ssl);
ssl_connected = ((res == 1) && SSL_is_init_finished(c->ssl));
if (!ssl_connected)
{
FD_ZERO(&in); FD_SET((unsigned)sd, &in);
FD_ZERO(&out); FD_SET((unsigned)sd, &out);
FD_ZERO(&err); FD_SET((unsigned)sd, &err);
/* the documentation does not suggest that both error types occur at the same time so
* the retry logic will consume all the outstanding events
* we do not actually use oob data, but if it is sent, it is treated as an error all the
* same
*/
errcode = SSL_get_error(c->ssl, res);
switch (errcode)
{
case SSL_ERROR_NONE:
/* no error, we should have a connection, check again */
break;
case SSL_ERROR_WANT_READ:
/* no error, just wait for more data */
tv.tv_sec = remaining; tv.tv_usec = 0;
/* posix-2001 says the function will modify the appropriate descriptors */
if (select(sd+1, &in, NULL, &err, &tv) < 0 ||
FD_ISSET((unsigned)sd, &err)
)
is_error = 1;
break;
case SSL_ERROR_WANT_WRITE:
/* no error, just wait for more data */
tv.tv_sec = remaining; tv.tv_usec = 0;
if (select(sd+1, NULL, &out, &err, &tv) < 0 ||
FD_ISSET((unsigned)sd, &err)
)
is_error = 1;
break;
case SSL_ERROR_ZERO_RETURN: /* peer closed the connection */
case SSL_ERROR_SSL: /* error in SSL handshake */
default:
is_error = 1;
}
}
}
if (is_error) {
return 0;
}
#ifdef WIN32
u_long param = 0;
ioctlsocket(sd, FIONBIO, ¶m); // make the socket blocking again
#else
fcntl(sd, F_SETFL, 0); /* make the socket blocking again */
#endif
/* verify that server certificate is authentic */
server_cert = SSL_get_peer_certificate(c->ssl);
if (!server_cert) {
X509_free(server_cert);
return 0;
//.........这里部分代码省略.........
示例4: socket
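/**
 * Establish the TCP connection and TLS session with endpoint_.
 *
 * Loads the root CA into p_ssl_context_ (plus the device certificate and
 * private key when both locations are configured), creates p_ssl_handle_,
 * enables OpenSSL's built-in host or IP name check when
 * server_verification_flag_ is set, then connects and verifies the server
 * certificate. is_connected_ is set only when every step succeeded.
 *
 * On failure the partially initialised socket and handle are left for the
 * owner to release (presumably the disconnect/destructor path, which is not
 * visible here -- TODO confirm).
 *
 * @return ResponseCode::SUCCESS, or the code of the first failing step.
 */
ResponseCode OpenSSLConnection::ConnectInternal() {
    ResponseCode networkResponse = ResponseCode::SUCCESS;
    X509_VERIFY_PARAM *param = nullptr;

    server_tcp_socket_fd_ = socket(AF_INET, SOCK_STREAM, 0);
    if (-1 == server_tcp_socket_fd_) {
        return ResponseCode::NETWORK_TCP_SETUP_ERROR;
    }

    AWS_LOG_DEBUG(OPENSSL_WRAPPER_LOG_TAG, "Root CA : %s", root_ca_location_.c_str());
    if (!SSL_CTX_load_verify_locations(p_ssl_context_, root_ca_location_.c_str(), NULL)) {
        AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " Root CA Loading error");
        return ResponseCode::NETWORK_SSL_ROOT_CRT_PARSE_ERROR;
    }

    // Client credentials are optional; load them only when both halves are configured.
    if (0 < device_cert_location_.length() && 0 < device_private_key_location_.length()) {
        AWS_LOG_DEBUG(OPENSSL_WRAPPER_LOG_TAG, "Device crt : %s", device_cert_location_.c_str());
        if (!SSL_CTX_use_certificate_file(p_ssl_context_, device_cert_location_.c_str(), SSL_FILETYPE_PEM)) {
            AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " Device Certificate Loading error");
            return ResponseCode::NETWORK_SSL_DEVICE_CRT_PARSE_ERROR;
        }
        AWS_LOG_DEBUG(OPENSSL_WRAPPER_LOG_TAG, "Device privkey : %s", device_private_key_location_.c_str());
        if (1 != SSL_CTX_use_PrivateKey_file(p_ssl_context_,
                                             device_private_key_location_.c_str(),
                                             SSL_FILETYPE_PEM)) {
            AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " Device Private Key Loading error");
            return ResponseCode::NETWORK_SSL_KEY_PARSE_ERROR;
        }
    }

    p_ssl_handle_ = SSL_new(p_ssl_context_);
    if (nullptr == p_ssl_handle_) {
        AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " SSL handle creation error");
        return ResponseCode::NETWORK_SSL_CONNECT_ERROR;
    }

    // Requires OpenSSL v1.0.2 and above
    if (server_verification_flag_) {
        param = SSL_get0_param(p_ssl_handle_);
        // Enable automatic hostname checks
        X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
        // Check if it is an IPv4 or an IPv6 address to enable ip checking
        // Enable host name check otherwise
        char dst[INET6_ADDRSTRLEN];
        int param_set = 0;
        if (inet_pton(AF_INET, endpoint_.c_str(), (void *) dst) ||
            inet_pton(AF_INET6, endpoint_.c_str(), (void *) dst)) {
            param_set = X509_VERIFY_PARAM_set1_ip_asc(param, endpoint_.c_str());
        } else {
            param_set = X509_VERIFY_PARAM_set1_host(param, endpoint_.c_str(), 0);
        }
        // Without a recorded expected name OpenSSL performs no name check at
        // all, so a failure here must not be allowed to pass silently.
        if (1 != param_set) {
            AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " Unable to set expected peer name");
            return ResponseCode::NETWORK_SSL_CONNECT_ERROR;
        }
    }

    // Configure a non-zero callback if desired
    SSL_set_verify(p_ssl_handle_, SSL_VERIFY_PEER, nullptr);

    networkResponse = ConnectTCPSocket();
    if (ResponseCode::SUCCESS != networkResponse) {
        AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, "TCP Connection error");
        return networkResponse;
    }

    SSL_set_fd(p_ssl_handle_, server_tcp_socket_fd_);

    networkResponse = SetSocketToNonBlocking();
    if (ResponseCode::SUCCESS != networkResponse) {
        AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " Unable to set the socket to Non-Blocking");
        return networkResponse;
    }

    networkResponse = AttemptConnect();
    if (ResponseCode::SUCCESS != networkResponse) {
        // Without a completed handshake the verify result below is not
        // meaningful; report the handshake failure itself.
        AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " SSL Connect error");
        return networkResponse;
    }

    if (X509_V_OK != SSL_get_verify_result(p_ssl_handle_)) {
        AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " Server Certificate Verification failed.");
        networkResponse = ResponseCode::NETWORK_SSL_CONNECT_ERROR;
    } else {
        // ensure you have a valid certificate returned, otherwise no certificate exchange happened
        X509 *peer_cert = SSL_get_peer_certificate(p_ssl_handle_);
        if (nullptr == peer_cert) {
            AWS_LOG_ERROR(OPENSSL_WRAPPER_LOG_TAG, " No certificate exchange happened");
            networkResponse = ResponseCode::NETWORK_SSL_CONNECT_ERROR;
        } else {
            // SSL_get_peer_certificate() increments the reference count; release it.
            X509_free(peer_cert);
        }
    }

    if (ResponseCode::SUCCESS == networkResponse) {
        is_connected_ = true;
    }
    return networkResponse;
}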
示例5: tls_drv_control
//.........这里部分代码省略.........
die_unless(d->ssl, "SSL not initialized");
res = SSL_write(d->ssl, buf, len);
if (res <= 0)
{
res = SSL_get_error(d->ssl, res);
if (res == SSL_ERROR_WANT_READ || res == SSL_ERROR_WANT_WRITE)
{
b = driver_alloc_binary(1);
b->orig_bytes[0] = 2;
*rbuf = (char *)b;
return 1;
} else {
die_unless(0, "SSL_write failed");
}
}
break;
case GET_ENCRYPTED_OUTPUT:
die_unless(d->ssl, "SSL not initialized");
size = BIO_ctrl_pending(d->bio_write) + 1;
b = driver_alloc_binary(size);
b->orig_bytes[0] = 0;
BIO_read(d->bio_write, b->orig_bytes + 1, size - 1);
*rbuf = (char *)b;
return size;
case GET_DECRYPTED_INPUT:
if (!SSL_is_init_finished(d->ssl))
{
res = SSL_do_handshake(d->ssl);
if (res <= 0)
die_unless(SSL_get_error(d->ssl, res) == SSL_ERROR_WANT_READ,
"SSL_do_handshake failed");
} else {
size = BUF_SIZE + 1;
rlen = 1;
b = driver_alloc_binary(size);
b->orig_bytes[0] = 0;
while ((res = SSL_read(d->ssl,
b->orig_bytes + rlen, BUF_SIZE)) > 0)
{
//printf("%d bytes of decrypted data read from state machine\r\n",res);
rlen += res;
size += BUF_SIZE;
b = driver_realloc_binary(b, size);
}
if (res < 0)
{
int err = SSL_get_error(d->ssl, res);
if (err == SSL_ERROR_WANT_READ)
{
//printf("SSL_read wants more data\r\n");
//return 0;
}
// TODO
}
b = driver_realloc_binary(b, rlen);
*rbuf = (char *)b;
return rlen;
}
break;
case GET_PEER_CERTIFICATE:
cert = SSL_get_peer_certificate(d->ssl);
if (cert == NULL)
{
b = driver_alloc_binary(1);
b->orig_bytes[0] = 1;
*rbuf = (char *)b;
return 1;
} else {
unsigned char *tmp_buf;
rlen = i2d_X509(cert, NULL);
if (rlen >= 0)
{
rlen++;
b = driver_alloc_binary(rlen);
b->orig_bytes[0] = 0;
tmp_buf = (unsigned char *)&b->orig_bytes[1];
i2d_X509(cert, &tmp_buf);
X509_free(cert);
*rbuf = (char *)b;
return rlen;
} else
X509_free(cert);
}
break;
case GET_VERIFY_RESULT:
b = driver_alloc_binary(1);
b->orig_bytes[0] = SSL_get_verify_result(d->ssl);
*rbuf = (char *)b;
return 1;
break;
}
b = driver_alloc_binary(1);
b->orig_bytes[0] = 0;
*rbuf = (char *)b;
return 1;
}
示例6: ssl_handshake
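/*
 * Accept an incoming TLS handshake on cptr->fd and log the client's
 * certificate when one was presented.
 *
 * Returns 1 on success (cptr->ssl is live and SetSecure() has been applied)
 * and 0 when ircd_SSL_accept() fails, in which case cptr->ssl is shut down,
 * freed and reset to NULL.
 *
 * Presence of a client certificate only means the client sent one; nothing
 * here verifies it.
 */
int ssl_handshake(struct Client *cptr) {
    char *str;
    int err;

    cptr->ssl = (struct SSL*) SSL_new (ctx);
    CHK_NULL (cptr->ssl);
    SSL_set_fd ((SSL *)cptr->ssl, cptr->fd);
    set_non_blocking(cptr->fd);

    err = ircd_SSL_accept (cptr, cptr->fd);
    if ((err)==-1) {
        irclog(L_ERROR,"Lost connection to %s:Error in SSL_accept()",
               get_client_name(cptr, TRUE));
        SSL_shutdown((SSL *)cptr->ssl);
        SSL_free((SSL *)cptr->ssl);
        cptr->ssl = NULL;
        return 0;
    }

    /* Get the cipher - opt */
    SetSecure(cptr);
    irclog (L_DEBUG, "SSL connection using %s", SSL_get_cipher ((SSL *)cptr->ssl));

    /* Get client's certificate (note: beware of dynamic
     * allocation) - opt. SSL_get_peer_certificate() hands back an owned
     * reference that must be released with X509_free(). */
    cptr->client_cert = (struct X509*)SSL_get_peer_certificate ((SSL *)cptr->ssl);
    if (cptr->client_cert != NULL)
    {
        irclog (L_DEBUG,"Client certificate:");

        str = X509_NAME_oneline (X509_get_subject_name ((X509*)cptr->client_cert), 0, 0);
        CHK_NULL (str);
        irclog (L_DEBUG, "\t subject: %s", str);
        /* X509_NAME_oneline() allocates with OpenSSL's allocator; pair it
         * with OPENSSL_free(), not the C library free(). */
        OPENSSL_free (str);

        str = X509_NAME_oneline (X509_get_issuer_name ((X509*)cptr->client_cert), 0, 0);
        CHK_NULL (str);
        irclog (L_DEBUG, "\t issuer: %s", str);
        OPENSSL_free (str);

        /* We could do all sorts of certificate
         * verification stuff here before
         * deallocating the certificate. */
        X509_free ((X509*)cptr->client_cert);
        /* Do not leave a dangling pointer in the client record. NOTE(review):
         * any code that tested cptr->client_cert after the handshake was
         * reading freed memory; it now sees NULL -- confirm no caller relies
         * on that. */
        cptr->client_cert = NULL;
    }
    else
        irclog (L_DEBUG, "Client does not have certificate.");

    return 1;
}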
示例7: tcp_stream_create_ssl_from_fd
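/**
 * Wrap an already-connected socket in a client-side TLS stream.
 *
 * Optional client credentials (tsi->key, tsi->cert, PEM text in memory) are
 * loaded into the SSL object before SSL_connect(). The peer must present a
 * certificate that passes chain verification and matches hostname via
 * verify_hostname(); otherwise the session is refused. On failure a message
 * is written to errbuf, the stream is released with tcp_close() (assumed to
 * also close fd -- TODO confirm) and NULL is returned. The one exception is
 * allocation failure before the stream exists, where fd is left to the
 * caller.
 *
 * Returns the new stream, or NULL on error.
 */
tcp_stream_t *
tcp_stream_create_ssl_from_fd(int fd, const char *hostname,
                              const tcp_ssl_info_t *tsi,
                              char *errbuf, size_t errlen)
{
    char errmsg[120];
    X509 *peer;
    long verr;
    tcp_stream_t *ts = calloc(1, sizeof(tcp_stream_t));

    if(ts == NULL) {
        snprintf(errbuf, errlen, "Out of memory");
        return NULL;
    }
    ts->ts_fd = fd;

    if((ts->ts_ssl = SSL_new(ssl_ctx)) == NULL)
        goto bad_ssl;
    if(SSL_set_fd(ts->ts_ssl, fd) == 0)
        goto bad_ssl;

    if(tsi->key != NULL) {
        BIO *cbio = BIO_new_mem_buf((char *)tsi->key, -1);
        if(cbio == NULL)
            goto bad_ssl;
        EVP_PKEY *key = PEM_read_bio_PrivateKey(cbio, NULL, NULL, NULL);
        BIO_free(cbio);
        if(key == NULL) {
            snprintf(errbuf, errlen, "Unable to load private key");
            goto bad;
        }
        /* SSL_use_PrivateKey() takes its own reference, so the local one can
         * be dropped whatever the outcome; a failure (e.g. key does not match
         * the certificate) must not be ignored. */
        int key_ok = SSL_use_PrivateKey(ts->ts_ssl, key);
        EVP_PKEY_free(key);
        if(key_ok != 1)
            goto bad_ssl;
    }

    if(tsi->cert != NULL) {
        BIO *cbio = BIO_new_mem_buf((char *)tsi->cert, -1);
        if(cbio == NULL)
            goto bad_ssl;
        X509 *cert = PEM_read_bio_X509(cbio, NULL, 0, NULL);
        BIO_free(cbio);
        if(cert == NULL) {
            snprintf(errbuf, errlen, "Unable to load certificate");
            goto bad;
        }
        int cert_ok = SSL_use_certificate(ts->ts_ssl, cert);
        X509_free(cert);
        if(cert_ok != 1)
            goto bad_ssl;
    }

    if(SSL_connect(ts->ts_ssl) <= 0) {
        goto bad_ssl;
    }
    SSL_set_mode(ts->ts_ssl, SSL_MODE_AUTO_RETRY);

    /* Owned reference: X509_free() on every path below. */
    peer = SSL_get_peer_certificate(ts->ts_ssl);
    if(peer == NULL) {
        /* Nothing to verify against. The OpenSSL error queue is normally
         * empty here, so a generic "SSL:" message would say nothing. */
        snprintf(errbuf, errlen, "No peer certificate presented");
        goto bad;
    }

    verr = SSL_get_verify_result(ts->ts_ssl);
    if(verr != X509_V_OK) {
        snprintf(errbuf, errlen, "Certificate error: %s",
                 X509_verify_cert_error_string(verr));
        X509_free(peer);
        goto bad;
    }

    /* A valid chain alone does not bind the certificate to hostname. */
    if(verify_hostname(hostname, peer, errbuf, errlen)) {
        X509_free(peer);
        goto bad;
    }
    X509_free(peer);

    htsbuf_queue_init(&ts->ts_spill, INT32_MAX);
    htsbuf_queue_init(&ts->ts_sendq, INT32_MAX);
    ts->ts_write = ssl_write;
    ts->ts_read = ssl_read;
    return ts;

bad_ssl:
    ERR_error_string(ERR_get_error(), errmsg);
    snprintf(errbuf, errlen, "SSL: %s", errmsg);
bad:
    tcp_close(ts);
    return NULL;
}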
示例8: check_san
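/**
 * Search for a hostname match in the SubjectAlternativeNames.
 *
 * Every extension of the peer certificate is inspected; for subjectAltName
 * each DNS or iPAddress entry is compared case-insensitively with hostname,
 * and DNS entries additionally go through check_wildcard_match_rfc2595().
 * die() is called when the peer presented no certificate.
 *
 * Returns 1 when a name matched, 0 otherwise.
 */
uint32_t
check_san (SSL *ssl, const char *hostname)
{
    X509 *cert;
    int extcount, ok = 0;

    /* What an OpenSSL mess ... */
    if (NULL == (cert = SSL_get_peer_certificate(ssl)))
    {
        die ("Getting certificate failed\n");
    }

    if ((extcount = X509_get_ext_count(cert)) > 0)
    {
        int i;
        for (i = 0; i < extcount && !ok; ++i)
        {
            const char *extstr;
            X509_EXTENSION *ext;
            int j;
            void *extvalstr;
            const unsigned char *tmp;
            STACK_OF(CONF_VALUE) *val;
            CONF_VALUE *nval;
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
            const
#endif
            X509V3_EXT_METHOD *method;

            ext = X509_get_ext(cert, i);
            extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
            /* OBJ_nid2sn() may return NULL for an unregistered NID. */
            if (extstr == NULL || strcmp(extstr, "subjectAltName") != 0)
            {
                verb ("V: found non subjectAltName extension\n");
                continue;
            }

            if (!(method = X509V3_EXT_get(ext)))
            {
                break;
            }
            /* Direct access to ext->value needs an OpenSSL that still exposes
             * the X509_EXTENSION struct (pre-1.1.0). */
            tmp = ext->value->data;
            if (method->it)
            {
                extvalstr = ASN1_item_d2i(NULL, &tmp, ext->value->length,
                                          ASN1_ITEM_ptr(method->it));
            } else {
                extvalstr = method->d2i(NULL, &tmp, ext->value->length);
            }
            if (!extvalstr)
            {
                break;
            }

            if (method->i2v)
            {
                val = method->i2v(method, extvalstr, NULL);
                for (j = 0; j < sk_CONF_VALUE_num(val); ++j)
                {
                    nval = sk_CONF_VALUE_value(val, j);
                    if ((!strcasecmp(nval->name, "DNS") &&
                         !strcasecmp(nval->value, hostname) ) ||
                        (!strcasecmp(nval->name, "iPAddress") &&
                         !strcasecmp(nval->value, hostname)))
                    {
                        verb ("V: subjectAltName matched: %s, type: %s\n", nval->value, nval->name); // We matched this; so it's safe to print
                        ok = 1;
                        break;
                    }
                    // Attempt to match subjectAltName DNS names
                    if (!strcasecmp(nval->name, "DNS"))
                    {
                        ok = check_wildcard_match_rfc2595(hostname, nval->value);
                        if (ok)
                        {
                            break;
                        }
                    }
                    verb ("V: subjectAltName found but not matched: %s, type: %s\n", nval->value, nval->name); // XXX: Clean this string! (it comes from the untrusted certificate)
                }
                /* i2v() allocated the CONF_VALUE stack; it was never freed. */
                sk_CONF_VALUE_pop_free(val, X509V3_conf_free);
            }
            /* Release the decoded extension value the same way it was built. */
            if (method->it)
            {
                ASN1_item_free((ASN1_VALUE *)extvalstr, ASN1_ITEM_ptr(method->it));
            } else if (method->ext_free) {
                method->ext_free(extvalstr);
            }
        }
    } else {
        verb ("V: no X509_EXTENSION field(s) found\n");
    }

    X509_free(cert);
    return ok;
}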
示例9: ssl_get_certificate
Str
ssl_get_certificate(SSL * ssl, char *hostname)
{
BIO *bp;
X509 *x;
X509_NAME *xn;
char *p;
int len;
Str s;
char buf[2048];
Str amsg = NULL;
Str emsg;
char *ans;
if (ssl == NULL)
return NULL;
x = SSL_get_peer_certificate(ssl);
if (x == NULL) {
if (accept_this_site
&& strcasecmp(accept_this_site->ptr, hostname) == 0)
ans = "y";
else {
/* FIXME: gettextize? */
emsg = Strnew_charp("No SSL peer certificate: accept? (y/n)");
ans = inputAnswer(emsg->ptr);
}
if (ans && TOLOWER(*ans) == 'y')
/* FIXME: gettextize? */
amsg = Strnew_charp
("Accept SSL session without any peer certificate");
else {
/* FIXME: gettextize? */
char *e = "This SSL session was rejected "
"to prevent security violation: no peer certificate";
disp_err_message(e, FALSE);
free_ssl_ctx();
return NULL;
}
if (amsg)
disp_err_message(amsg->ptr, FALSE);
ssl_accept_this_site(hostname);
/* FIXME: gettextize? */
s = amsg ? amsg : Strnew_charp("valid certificate");
return s;
}
/* check the cert chain.
* The chain length is automatically checked by OpenSSL when we
* set the verify depth in the ctx.
*/
if (ssl_verify_server) {
long verr;
if ((verr = SSL_get_verify_result(ssl))
!= X509_V_OK) {
const char *em = X509_verify_cert_error_string(verr);
if (accept_this_site
&& strcasecmp(accept_this_site->ptr, hostname) == 0)
ans = "y";
else {
/* FIXME: gettextize? */
emsg = Sprintf("%s: accept? (y/n)", em);
ans = inputAnswer(emsg->ptr);
}
if (ans && TOLOWER(*ans) == 'y') {
/* FIXME: gettextize? */
amsg = Sprintf("Accept unsecure SSL session: "
"unverified: %s", em);
}
else {
/* FIXME: gettextize? */
char *e =
Sprintf("This SSL session was rejected: %s", em)->ptr;
disp_err_message(e, FALSE);
free_ssl_ctx();
return NULL;
}
}
}
emsg = ssl_check_cert_ident(x, hostname);
if (emsg != NULL) {
if (accept_this_site
&& strcasecmp(accept_this_site->ptr, hostname) == 0)
ans = "y";
else {
Str ep = Strdup(emsg);
if (ep->length > COLS - 16)
Strshrink(ep, ep->length - (COLS - 16));
Strcat_charp(ep, ": accept? (y/n)");
ans = inputAnswer(ep->ptr);
}
if (ans && TOLOWER(*ans) == 'y') {
/* FIXME: gettextize? */
amsg = Strnew_charp("Accept unsecure SSL session:");
Strcat(amsg, emsg);
}
else {
/* FIXME: gettextize? */
char *e = "This SSL session was rejected "
"to prevent security violation";
disp_err_message(e, FALSE);
free_ssl_ctx();
//.........这里部分代码省略.........
示例10: np_net_ssl_check_cert
int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
# ifdef USE_OPENSSL
X509 *certificate=NULL;
X509_NAME *subj=NULL;
char timestamp[50] = "";
char cn[MAX_CN_LENGTH]= "";
int cnlen =-1;
int status=STATE_UNKNOWN;
ASN1_STRING *tm;
int offset;
struct tm stamp;
float time_left;
int days_left;
int time_remaining;
time_t tm_t;
certificate=SSL_get_peer_certificate(s);
if (!certificate) {
printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
return STATE_CRITICAL;
}
/* Extract CN from certificate subject */
subj=X509_get_subject_name(certificate);
if (!subj) {
printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
return STATE_CRITICAL;
}
cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
if (cnlen == -1)
strcpy(cn, _("Unknown CN"));
/* Retrieve timestamp of certificate */
tm = X509_get_notAfter(certificate);
/* Generate tm structure to process timestamp */
if (tm->type == V_ASN1_UTCTIME) {
if (tm->length < 10) {
printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
return STATE_CRITICAL;
} else {
stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
if (stamp.tm_year < 50)
stamp.tm_year += 100;
offset = 0;
}
} else {
if (tm->length < 12) {
printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
return STATE_CRITICAL;
} else {
stamp.tm_year =
(tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
stamp.tm_year -= 1900;
offset = 2;
}
}
stamp.tm_mon =
(tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
stamp.tm_mday =
(tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
stamp.tm_hour =
(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
stamp.tm_min =
(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
stamp.tm_sec =
(tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
stamp.tm_isdst = -1;
time_left = difftime(timegm(&stamp), time(NULL));
days_left = time_left / 86400;
tm_t = mktime (&stamp);
strftime(timestamp, 50, "%c", localtime(&tm_t));
if (days_left > 0 && days_left <= days_till_exp_warn) {
printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
if (days_left > days_till_exp_crit)
status = STATE_WARNING;
else
status = STATE_CRITICAL;
} else if (days_left == 0 && time_left > 0) {
if (time_left >= 3600)
time_remaining = (int) time_left / 3600;
else
time_remaining = (int) time_left / 60;
printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
(days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
time_left >= 3600 ? "hours" : "minutes", timestamp);
if ( days_left > days_till_exp_crit)
status = STATE_WARNING;
else
status = STATE_CRITICAL;
} else if (time_left < 0) {
printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
//.........这里部分代码省略.........
示例11: connect_to
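/*
 * Construct an SSL connection to the server at the desired address and
 * give back a struct containing the BIO and SSL constructs necessary to
 * manage it.
 *
 * certpath is the directory holding the files named by cacert (trust
 * anchor), cert and privkey (our own credentials); the paths are built
 * with string_cat(), whose result ownership is not visible here (TODO
 * confirm whether those strings must be freed).
 *
 * Credential/BIO setup problems call exit(1), matching the rest of the
 * program. A failed connection, handshake or certificate check releases
 * everything allocated here and returns NULL.
 *
 * NOTE: the peer is only chain-verified (SSL_VERIFY_PEER against the given
 * CA); nothing here ties the certificate's subject/SAN to address.
 * SSLv23_client_method() negotiates the highest version both sides offer,
 * so the protocol floor is whatever the linked OpenSSL enables by default.
 */
struct ssl_connection * connect_to(char *address, char *certpath, char *cacert, char *cert, char *privkey)
{
    struct ssl_connection *conn = calloc(1, sizeof *conn);
    X509 *server_cert;

    if(conn == NULL)
    {
        perror("calloc");
        exit(1);
    }

    SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
    if(ctx == NULL)
    {
        ssl_error("ctx creation fail");
        exit(1);
    }

    printf("LOADING CA CERT\n");
    //load our ca certificate
    if(SSL_CTX_load_verify_locations(ctx, string_cat(3,certpath,"/",cacert), NULL) == 0)
    {
        printf("FAILING\n");
        ssl_error("Server cert load fail");
        exit(1);
    }

    printf("LOADING CLIENT CERT\n");
    //load our certificate used to send files
    if(SSL_CTX_use_certificate_file(ctx, string_cat(3,certpath,"/",cert), SSL_FILETYPE_PEM) < 1)
    {
        ssl_error("failed to load client cert");
        exit(1);
    }

    printf("LOADING PRIVATE KEY\n");
    //load our private key
    if(SSL_CTX_use_PrivateKey_file(ctx, string_cat(3,certpath,"/",privkey), SSL_FILETYPE_PEM) < 1)
    {
        ssl_error("failed to load private key");
        exit(1);
    }

    SSL_CTX_set_timeout(ctx, 5);

    conn->bio = BIO_new_ssl_connect(ctx);
    if(conn->bio == NULL)
    {
        ssl_error("bio creation fail");
        exit(1);
    }

    //set up connection
    BIO_get_ssl(conn->bio, &conn->ssl);
    SSL_set_mode(conn->ssl, SSL_MODE_AUTO_RETRY);
    /* Require a certificate and make the handshake itself fail when the
     * chain does not verify against the loaded CA. */
    SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

    //set server hostname
    if(BIO_set_conn_hostname(conn->bio, address) <= 0)
    {
        printf("Address error\n");
        ssl_error("BIO connect error");
        exit(1);
    }

    //test connection
    if(BIO_do_connect(conn->bio) <= 0)
    {
        printf("CONNECTION ERROR!?!?!?\n");
        ssl_error("BIO connect error");
        exit(1);
    }

    //verify the certificate
    if(BIO_do_handshake(conn->bio) <= 0)
    {
        printf("HANDSHAKE FAIL\n");
        goto fail;
    }
    if(SSL_get_verify_result(conn->ssl) != X509_V_OK)
    {
        printf("CANNOT VERIFY SERVER CERTIFICATE! SHUTTING DOWN!!!\n");
        goto fail;
    }

    /* SSL_get_peer_certificate() returns an owned reference; only its
     * presence matters here, so release it straight away. */
    server_cert = SSL_get_peer_certificate(conn->ssl);
    if(server_cert == NULL)
    {
        printf("Didn't get a server certificate\n");
        goto fail;
    }
    X509_free(server_cert);

    /* ctx stays alive through the SSL object's own reference; it is not
     * stored in conn, so (as before) nothing releases it explicitly on the
     * success path -- TODO confirm the caller's teardown. */
    return conn;

fail:
    /* BIO_free_all() also frees the SSL object owned by the connect BIO and
     * drops that object's reference on ctx, so ctx can be released too. */
    BIO_free_all(conn->bio);
    SSL_CTX_free(ctx);
    free(conn);
    return NULL; //FAILURE
}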
示例12: SSL_get_error
//.........这里部分代码省略.........
return -1;
case SSL_ERROR_ZERO_RETURN:
#ifndef HEADER_OPENSSLV_H
if(ssl->last_error == GNUTLS_E_INTERRUPTED || ssl->last_error == GNUTLS_E_AGAIN)
return -1;
#endif
throw SocketException(STRING(CONNECTION_CLOSED));
default:
{
ssl.reset();
// @todo replace 80 with MAX_ERROR_SZ or whatever's appropriate for yaSSL in some nice way...
char errbuf[80];
/* TODO: better message for SSL_ERROR_SYSCALL
* If the error queue is empty (i.e. ERR_get_error() returns 0), ret can be used to find out more about the error:
* If ret == 0, an EOF was observed that violates the protocol. If ret == -1, the underlying BIO reported an I/O error
* (for socket I/O on Unix systems, consult errno for details).
*/
int error = ERR_get_error();
sprintf(errbuf, "%s %d: %s", CSTRING(SSL_ERROR), err, (error == 0) ? CSTRING(CONNECTION_CLOSED) : ERR_reason_error_string(error));
throw SSLSocketException(errbuf);
}
}
}
return ret;
}
/** Wait for activity on the socket. When reading is requested, plaintext
 *  already buffered inside the TLS layer counts as readable without
 *  consulting the OS; otherwise the plain socket wait is used. */
int SSLSocket::wait(uint64_t millis, int waitFor) throw(SocketException) {
#ifdef HEADER_OPENSSLV_H
    const bool wantRead = (waitFor & Socket::WAIT_READ) != 0;
    if(wantRead && ssl) {
        /** @todo Take writing into account as well if reading is possible? */
        char probe;
        const int peeked = SSL_peek(ssl, &probe, 1);
        if(peeked > 0)
            return WAIT_READ;
    }
#endif
    return Socket::wait(millis, waitFor);
}
/** True when a TLS session exists, its certificate chain verified, and the
 *  peer actually presented a certificate. No hostname/identity binding is
 *  checked here. */
bool SSLSocket::isTrusted() throw() {
    if(!ssl)
        return false;

#ifdef HEADER_OPENSSLV_H
    const bool chainOk = (SSL_get_verify_result(ssl) == X509_V_OK);
#else
    const bool chainOk = (gnutls_certificate_verify_peers(((SSL*)ssl)->gnutls_state) == 0);
#endif
    if(!chainOk)
        return false;

    // A clean verify result with no certificate means nothing was verified.
    X509* peerCert = SSL_get_peer_certificate(ssl);
    if(peerCert == 0)
        return false;
    X509_free(peerCert);   // only presence matters; drop the owned reference
    return true;
}
/** Name of the negotiated cipher, or the empty string without a session. */
std::string SSLSocket::getCipherName() throw() {
    if(ssl)
        return SSL_get_cipher_name(ssl);
    return Util::emptyString;
}
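/** SHA-1 fingerprint of the peer certificate, or the empty string when
 *  there is no session, no peer certificate, or no OpenSSL build. The
 *  algorithm is kept for compatibility with existing fingerprints; callers
 *  using it as an identity should be aware SHA-1 is no longer
 *  collision-resistant. */
std::string SSLSocket::getDigest() const throw() {
#ifdef HEADER_OPENSSLV_H
    if(!ssl)
        return Util::emptyString;
    X509* x509 = SSL_get_peer_certificate(ssl);
    if(!x509)
        return Util::emptyString;
    // SSL_get_peer_certificate() returns an owned reference; release it once
    // the fingerprint has been computed instead of leaking it per call.
    std::string digest = ssl::X509_digest(x509, EVP_sha1());
    X509_free(x509);
    return digest;
#else
    return Util::emptyString;
#endif
}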
/** Send the TLS close_notify if a session exists; the socket itself stays open. */
void SSLSocket::shutdown() throw() {
    if(!ssl)
        return;
    SSL_shutdown(ssl);
}
/** Drop the TLS object first, then shut down and close the underlying
 *  plain socket through the base class. */
void SSLSocket::close() throw() {
    if(ssl)
        ssl.reset();
    Socket::shutdown();
    Socket::close();
}
} // namespace dcpp
示例13: client_mgr
/*********************parent process tcp connection use to manage************************/
void client_mgr(char *ip, int serverPort, int pipefd, int pid)
{
int flag = 0;
char *p;
char name[256], passwd[256];
char realName[512];
int err, fd, i;
struct sockaddr_in sa;
char buf[4096];
SSL_CTX* ctx;
SSL* ssl;
//create a TCP socket
fd = socket (AF_INET, SOCK_STREAM, 0);
CHK_ERR(fd, "socket");
memset (&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr(ip);
sa.sin_port = htons(serverPort);
//connect step
err = connect(fd, (struct sockaddr*) &sa, sizeof(sa));
CHK_ERR(err, "connect");
sleep(2);
puts("Please input the common name: ");
scanf("%s", realName);
setupCTX(&ctx);
//build SSL on the TCP connection
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd (ssl, fd);
err = SSL_connect(ssl);
CHK_SSL(err);
//check certificate
SSL_CTX_load_verify_locations(ctx, CACERT, NULL);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
int result = SSL_get_verify_result(ssl);
if(result == X509_V_OK || result == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) {
printf("The certificate is valid.\n");
}
else {
printf("Invalid certificate %d\n", result);
exit(1);
}
X509* server_cert = SSL_get_peer_certificate(ssl);
CHK_NULL(server_cert);
char *str = X509_NAME_oneline(X509_get_subject_name(server_cert),0,0);
CHK_NULL(str);
OPENSSL_free(str);
str = X509_NAME_oneline(X509_get_issuer_name(server_cert),0,0);
CHK_NULL(str);
OPENSSL_free(str);
X509_NAME *xname = X509_get_subject_name(server_cert);
X509_NAME_get_text_by_NID(xname, NID_commonName, commonName, 512);
if( strcasecmp(commonName, realName) !=0 )
{
printf("commonName is wrong.\n");
exit(1);
}
printf("commonName is right.\n");
printf("Server authentication is successful.\n");
//release!
X509_free(server_cert);
sleep(2);
while(!flag)
{
//handle the login part
printf("username: ");
scanf("%s",name);
getchar();
//safe mode
set_disp_mode(STDIN_FILENO, 0);
getpasswd(passwd, sizeof(passwd));
p = passwd;
while(*p != '\n')
p++;
*p = '\0';
//OK!
set_disp_mode(STDIN_FILENO, 1);
sendName(ssl, name);
sendPass(ssl, passwd);
SSL_read(ssl, buf, sizeof(buf) - 1);
putchar(10);
if( buf[0] == 'o' )
{
puts("Connect successfully");
flag = 1;
}
else {
puts("wrong password, please try again!");
}
//.........这里部分代码省略.........
示例14: amqp_ssl_socket_open
static int
amqp_ssl_socket_open(void *base, const char *host, int port, struct timeval *timeout)
{
struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base;
long result;
int status;
amqp_time_t deadline;
X509 *cert;
BIO *bio;
if (-1 != self->sockfd) {
return AMQP_STATUS_SOCKET_INUSE;
}
ERR_clear_error();
self->ssl = SSL_new(self->ctx);
if (!self->ssl) {
self->internal_error = ERR_peek_error();
status = AMQP_STATUS_SSL_ERROR;
goto exit;
}
status = amqp_time_from_now(&deadline, timeout);
if (AMQP_STATUS_OK != status) {
return status;
}
self->sockfd = amqp_open_socket_inner(host, port, deadline);
if (0 > self->sockfd) {
status = self->sockfd;
self->internal_error = amqp_os_socket_error();
self->sockfd = -1;
goto error_out1;
}
bio = BIO_new(amqp_openssl_bio());
if (!bio) {
status = AMQP_STATUS_NO_MEMORY;
goto error_out2;
}
BIO_set_fd(bio, self->sockfd, BIO_NOCLOSE);
SSL_set_bio(self->ssl, bio, bio);
start_connect:
status = SSL_connect(self->ssl);
if (status != 1) {
self->internal_error = SSL_get_error(self->ssl, status);
switch (self->internal_error) {
case SSL_ERROR_WANT_READ:
status = amqp_poll(self->sockfd, AMQP_SF_POLLIN, deadline);
break;
case SSL_ERROR_WANT_WRITE:
status = amqp_poll(self->sockfd, AMQP_SF_POLLOUT, deadline);
break;
default:
status = AMQP_STATUS_SSL_CONNECTION_FAILED;
}
if (AMQP_STATUS_OK == status) {
goto start_connect;
}
goto error_out2;
}
cert = SSL_get_peer_certificate(self->ssl);
if (self->verify_peer) {
if (!cert) {
self->internal_error = 0;
status = AMQP_STATUS_SSL_PEER_VERIFY_FAILED;
goto error_out3;
}
result = SSL_get_verify_result(self->ssl);
if (X509_V_OK != result) {
self->internal_error = result;
status = AMQP_STATUS_SSL_PEER_VERIFY_FAILED;
goto error_out4;
}
}
if (self->verify_hostname) {
if (!cert) {
self->internal_error = 0;
status = AMQP_STATUS_SSL_HOSTNAME_VERIFY_FAILED;
goto error_out3;
}
if (AMQP_HVR_MATCH_FOUND != amqp_ssl_validate_hostname(host, cert)) {
self->internal_error = 0;
status = AMQP_STATUS_SSL_HOSTNAME_VERIFY_FAILED;
goto error_out4;
}
}
X509_free(cert);
self->internal_error = 0;
status = AMQP_STATUS_OK;
exit:
return status;
//.........这里部分代码省略.........
示例15: connect_local
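/*
 * Spawn the local program configured for this connection and hand it one
 * end of a socket pair (or a pty when option.pty is set).
 *
 * The child exports REMOTE_HOST and, when a TLS peer certificate is
 * present, SSL_CLIENT_DN / SSL_CLIENT_I_DN in its environment (both pass
 * through safestring() first because their content is chosen by the remote
 * peer), restores default signal handling and exec()s c->opt->execname.
 * Failures before fork() unwind through longjmp(c->err, 1).
 *
 * Returns the parent's descriptor of the pair; only the parent returns,
 * the child either exec()s or _exit()s.
 */
NOEXPORT int connect_local(CLI *c) { /* spawn local process */
    char *name, host[40];
    int fd[2], pid;
    X509 *peer;
#ifdef HAVE_PTHREAD_SIGMASK
    sigset_t newmask;
#endif

    if(c->opt->option.pty) {
        char tty[64];
        if(pty_allocate(fd, fd+1, tty))
            longjmp(c->err, 1);
        s_log(LOG_DEBUG, "TTY=%s allocated", tty);
    } else
        if(make_sockets(fd))
            longjmp(c->err, 1);
    pid=fork();
    c->pid=(unsigned long)pid; /* -1 wraps here; the error case below bails out anyway */
    switch(pid) {
    case -1:    /* error */
        closesocket(fd[0]);
        closesocket(fd[1]);
        ioerror("fork");
        longjmp(c->err, 1);
    case  0:    /* child */
        closesocket(fd[0]);
        set_nonblock(fd[1], 0); /* switch back to blocking mode */
        /* dup2() does not copy FD_CLOEXEC flag */
        dup2(fd[1], 0);
        dup2(fd[1], 1);
        if(!global_options.option.foreground)
            dup2(fd[1], 2);
        closesocket(fd[1]); /* not really needed due to FD_CLOEXEC */
        if(!getnameinfo(&c->peer_addr.sa, c->peer_addr_len,
                host, 40, NULL, 0, NI_NUMERICHOST)) {
            /* just don't set these variables if getnameinfo() fails */
            putenv(str_printf("REMOTE_HOST=%s", host));
            if(c->opt->option.transparent_src) {
#ifndef LIBDIR
#define LIBDIR "."
#endif
#ifdef MACH64
                putenv("LD_PRELOAD_32=" LIBDIR "/libstunnel.so");
                putenv("LD_PRELOAD_64=" LIBDIR "/" MACH64 "/libstunnel.so");
#elif __osf /* for Tru64 _RLD_LIST is used instead */
                putenv("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT");
#else
                putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so");
#endif
            }
        }
        if(c->ssl) {
            peer=SSL_get_peer_certificate(c->ssl);
            if(peer) {
                /* X509_NAME_oneline() returns NULL on allocation failure;
                 * leave the variable unset rather than pass NULL on. The
                 * strings are not freed: this process exec()s or exits. */
                name=X509_NAME_oneline(X509_get_subject_name(peer), NULL, 0);
                if(name) {
                    safestring(name);
                    putenv(str_printf("SSL_CLIENT_DN=%s", name));
                }
                name=X509_NAME_oneline(X509_get_issuer_name(peer), NULL, 0);
                if(name) {
                    safestring(name);
                    putenv(str_printf("SSL_CLIENT_I_DN=%s", name));
                }
                X509_free(peer);
            }
        }
#ifdef HAVE_PTHREAD_SIGMASK
        sigemptyset(&newmask);
        sigprocmask(SIG_SETMASK, &newmask, NULL);
#endif
        /* the exec'd program must not inherit the daemon's handlers */
        signal(SIGCHLD, SIG_DFL);
        signal(SIGHUP, SIG_DFL);
        signal(SIGUSR1, SIG_DFL);
        signal(SIGPIPE, SIG_DFL);
        signal(SIGTERM, SIG_DFL);
        signal(SIGQUIT, SIG_DFL);
        signal(SIGINT, SIG_DFL);
        execvp(c->opt->execname, c->opt->execargs);
        ioerror(c->opt->execname); /* execvp failed */
        _exit(1);
    default: /* parent */
        s_log(LOG_INFO, "Local mode child started (PID=%lu)", c->pid);
        closesocket(fd[1]);
        return fd[0];
    }
}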