1 char *cksslv = "SSL/TLS support, 9.0.227, 04 Aug 2020";
3 C K _ S S L . C -- OpenSSL Interface for C-Kermit
5 Copyright (C) 1985, 2010,
6 Trustees of Columbia University in the City of New York.
7 All rights reserved. See the C-Kermit COPYING.TXT file or the
8 copyright text in the ckcmai.c module for disclaimer and permissions.
10 Author: Jeffrey E Altman (jaltman@secure-endpoints.com)
11 Secure Endpoints Inc., New York City
15 . Telnet Auth SSL option compatible with Tim Hudson's hack.
16 . Telnet START_TLS option
17 . Configuration of certificate and key files
18 . Certificate verification and revocation list checks
19 . Client certificate to user id routine
21 Note: This code is written to be compatible with OpenSSL 0.9.6[abcdefgh]
22 and 0.9.7 beta 5 (and, presumably, later).
23 It will also compile with version 0.9.5 although that is discouraged
24 due to security weaknesses in that release.
37 #include <netinet/in.h>
39 #include <arpa/inet.h>
46 #endif /* DEC_TCPIP */
51 char * GetAppData(int);
55 extern int quiet; /* fdc - Mon Nov 28 11:44:15 2005 */
57 static int ssl_installed = 1;
65 extern HINSTANCE hCRYPTO;
67 extern HMODULE hCRYPTO;
69 debug(F111,"ck_ssh_is_installed","hCRYPTO",hCRYPTO);
70 return(ssl_installed && (hCRYPTO != NULL));
72 return(ssl_installed);
81 ck_ssleay_is_installed(void)
83 ck_ssleay_is_installed()
89 extern HINSTANCE hSSL, hCRYPTO;
91 extern HMODULE hSSL, hCRYPTO;
93 debug(F111,"ck_ssleay_is_installed","hSSL",hSSL);
94 debug(F111,"ck_ssleay_is_installed","hCRYPTO",hCRYPTO);
95 return(ssl_installed && (hSSL != NULL) && (hCRYPTO != NULL));
97 return(ssl_installed);
106 #include "ckucmd.h" /* For struct keytab */
110 #include <pwd.h> /* Password file for home directory */
120 int ssl_finished_messages = 0;
122 #ifdef OPENSSL_VERSION_NUMBER
123 int ssl_finished_messages = (OPENSSL_VERSION_NUMBER >= 0x0090581fL);
125 !ERROR This module requires OpenSSL 0.9.5a or higher
126 #endif /* OPENSSL_VERSION_NUMBER */
129 static int auth_ssl_valid = 0;
130 static char *auth_ssl_name = 0; /* this holds the oneline name */
131 char ssl_err[SSL_ERR_BFSZ]="";
134 X509_STORE *crl_store = NULL;
138 SSL *ssl_ftp_con = NULL;
139 SSL_CTX *ssl_ftp_ctx = NULL;
140 SSL *ssl_ftp_data_con = NULL;
141 int ssl_ftp_active_flag = 0;
142 int ssl_ftp_data_active_flag = 0;
147 SSL *tls_http_con = NULL;
148 SSL_CTX *tls_http_ctx = NULL;
149 int tls_http_active_flag = 0;
150 int ssl_http_initialized = 0;
153 SSL_CTX *ssl_ctx = NULL;
155 int ssl_debug_flag = 0;
156 int ssl_verbose_flag = 0;
157 int ssl_only_flag = 0;
158 int ssl_raw_flag = 0;
159 int ssl_active_flag = 0;
160 int ssl_verify_flag = SSL_VERIFY_PEER;
161 int ssl_certsok_flag = 0;
162 char *ssl_rsa_cert_file = NULL;
163 char *ssl_rsa_cert_chain_file = NULL;
164 char *ssl_rsa_key_file = NULL;
165 char *ssl_dsa_cert_file = NULL;
166 char *ssl_dsa_cert_chain_file = NULL;
167 char *ssl_dh_key_file = NULL;
168 char *ssl_crl_file = NULL;
169 char *ssl_crl_dir = NULL;
170 char *ssl_verify_file = NULL;
171 char *ssl_verify_dir = NULL;
172 char *ssl_dh_param_file = NULL;
173 char *ssl_cipher_list = NULL;
174 char *ssl_rnd_file = NULL;
176 SSL_CTX *tls_ctx = NULL;
178 int tls_only_flag = 0;
179 int tls_raw_flag = 0;
180 int tls_active_flag = 0;
182 int ssl_initialized = 0;
183 int ssl_verify_depth = -1; /* used to track depth in verify routines */
185 /* compile this set to 1 to negotiate SSL/TLS but not actually start it */
186 int ssl_dummy_flag=0;
190 extern int accept_complete;
191 extern char szHostName[], szUserNameRequested[], szUserNameAuthenticated[];
193 _PROTOTYP(int X509_to_user,(X509 *, char *, int));
195 static int verbosity = 0; /* Message control */
198 verbosity = ssl_verbose_flag;
199 if (quiet) verbosity = 0;
204 ssl_server_verify_callback(int ok, X509_STORE_CTX * ctx)
206 ssl_server_verify_callback(ok, ctx)
209 #endif /* CK_ANSIC */
211 static char *saved_subject=NULL;
212 char *subject=NULL, *issuer=NULL;
216 if ( ssl_certsok_flag )
221 error=X509_STORE_CTX_get_error(ctx);
222 depth=X509_STORE_CTX_get_error_depth(ctx);
223 xs=X509_STORE_CTX_get_current_cert(ctx);
227 if (saved_subject!=NULL) {
231 if (auth_ssl_name!=NULL) {
238 if (ssl_debug_flag && !inserver) {
239 printf("ssl:server_verify_callback:depth=%d ok=%d err=%d-%s\r\n",
240 depth,ok,error,X509_verify_cert_error_string(error));
243 /* first thing is to have a meaningful name for the current
244 * certificate that is being verified ... and if we cannot
245 * determine that then something is seriously wrong!
248 (char *)X509_NAME_oneline(X509_get_subject_name(xs),NULL,0));
250 (char *)X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0));
251 if (!subject || !subject[0] || !issuer || !issuer[0]) {
256 if (verbosity && !inserver && depth != ssl_verify_depth) {
257 printf("[%d] Certificate Subject:\r\n%s\r\n",depth,subject);
258 printf("[%d] Certificate Issuer:\r\n%s\r\n",depth,issuer);
259 ssl_verify_depth = depth;
262 /* make sure that the certificate that has been presented */
263 /* has not been revoked (if we have been given a CRL. */
264 ok = ssl_verify_crl(ok, ctx);
266 /* if we have any form of error in secure mode we reject the connection */
267 if (error!=X509_V_OK) {
270 if (ckxsyslog >= SYSLG_LI && ckxlogging) {
271 cksyslog(SYSLG_LI, 0,
272 "X.509 Certificate verify failure",
274 (char *)X509_verify_cert_error_string(error)
277 #endif /* CKSYSLOG */
280 if ( ssl_verify_flag &
281 (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
286 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
287 printf("Certificate is self signed.\r\n");
289 case X509_V_ERR_CERT_HAS_EXPIRED:
290 printf("Certificate has expired.\r\n");
292 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
294 "Certificate issuer's certificate isn't available locally.\r\n");
296 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
297 printf("Unable to verify leaf signature.\r\n");
299 case X509_V_ERR_CERT_REVOKED:
300 printf("Certificate revoked.\r\n");
303 printf("Error %d while verifying certificate.\r\n",
308 ok = !(ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
310 /* if we got all the way to the top of the tree then
311 * we *can* use this certificate for a username to
312 * match ... in all other cases we must not!
314 auth_ssl_name = saved_subject;
315 saved_subject = NULL;
320 /* save the name if at least the first level is okay */
321 if (depth == 0 && ok)
322 makestr(&saved_subject,subject);
324 /* clean up things */
335 ssl_client_verify_callback(int ok, X509_STORE_CTX * ctx)
337 ssl_client_verify_callback(ok, ctx)
342 char subject[256]="", issuer[256]="";
343 int depth, error, len;
348 xs=X509_STORE_CTX_get_current_cert(ctx);
349 error=X509_STORE_CTX_get_error(ctx);
350 depth=X509_STORE_CTX_get_error_depth(ctx);
352 if ( ssl_debug_flag )
353 printf("ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\r\n",
354 depth,ok,error,X509_verify_cert_error_string(error));
356 if ( ssl_certsok_flag ) {
360 /* first thing is to have a meaningful name for the current
361 * certificate that is being verified ... and if we cannot
362 * determine that then something is seriously wrong!
364 #ifdef XN_FLAG_SEP_MULTILINE
365 X509_NAME_print_ex(bio_err,X509_get_subject_name(xs),4,
366 XN_FLAG_SEP_MULTILINE);
367 len = BIO_read(bio_err,subject,256);
368 subject[len < 256 ? len : 255] = '\0';
370 ERR_print_errors(bio_err);
371 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
372 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
373 uq_ok("X.509 Subject Name unavailable", ssl_err, 1, NULL, 0);
378 X509_NAME_print_ex(bio_err,X509_get_issuer_name(xs),4,
379 XN_FLAG_SEP_MULTILINE);
380 len = BIO_read(bio_err,issuer,256);
381 issuer[len < 256 ? len : 255] = '\0';
383 ERR_print_errors(bio_err);
384 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
385 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
386 uq_ok("X.509 Issuer Name unavailable", ssl_err, 1, NULL, 0);
390 #else /* XN_FLAG_SEP_MULTILINE */
391 X509_NAME_oneline(X509_get_subject_name(xs),subject,256);
394 ERR_print_errors(bio_err);
395 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
396 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
397 uq_ok("X.509 Subject Name unavailable", ssl_err, 1, NULL, 0);
402 X509_NAME_oneline(X509_get_issuer_name(xs),issuer,256);
405 ERR_print_errors(bio_err);
406 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
407 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
408 uq_ok("X.509 Issuer Name unavailable", ssl_err, 1, NULL, 0);
412 #endif /* XN_FLAG_SEP_MULTILINE */
414 if (verbosity && depth != ssl_verify_depth) {
415 printf("[%d] Certificate Subject:\r\n%s\r\n",depth,subject);
416 printf("[%d] Certificate Issuer:\r\n%s\r\n",depth,issuer);
417 ssl_verify_depth = depth;
420 ok = ssl_verify_crl(ok, ctx);
424 /* if the server is using a self signed certificate then
425 * we need to decide if that is good enough for us to
430 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: {
431 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
432 /* make 100% sure that in secure more we drop the
433 * connection if the server does not have a
436 ckmakxmsg(prefix,1024,
437 "Error: Server has a self-signed certificate\n",
438 "[",ckitoa(depth),"] Certificate Subject=\n",subject,
439 "\n[",ckitoa(depth),"] Certificate Issuer=\n",issuer,
442 uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
444 /* sometimes it is really handy to be able to debug things
445 * and still get a connection!
447 if (ssl_debug_flag) {
448 printf("SSL: debug -> ignoring cert required!\r\n");
454 } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
455 ckmakxmsg(prefix,1024,
456 "Warning: Server has a self-signed certificate\n",
457 "[",ckitoa(depth),"] Certificate Subject=\n",subject,
458 "\n[",ckitoa(depth),"] Certificate Issuer=\n",issuer,
469 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
470 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
471 /* make 100% sure that in secure more we drop the
472 * connection if the server does not have a
475 ckmakxmsg(prefix,1024,
477 (char *)X509_verify_cert_error_string(error),
478 "\nCertificate Issuer=\n",issuer,
479 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
480 uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
482 /* sometimes it is really handy to be able to debug things
483 * and still get a connection!
485 if (ssl_debug_flag) {
486 printf("SSL: debug -> ignoring cert required!\r\n");
492 } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
493 ckmakxmsg(prefix,1024,
495 (char *)X509_verify_cert_error_string(error),
496 "\nCertificate Issuer=\n",issuer,
497 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
498 ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
502 case X509_V_ERR_CERT_NOT_YET_VALID:
503 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
504 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
506 /* make 100% sure that in secure more we drop the
507 * connection if the server does not have a
510 ASN1_TIME_print(bio_err,X509_get_notBefore(xs));
511 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
512 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
513 ckmakxmsg(prefix,1024,
515 (char *)X509_verify_cert_error_string(error),
516 "\nCertificate Subject=\n",subject,
517 "\nnotBefore=",ssl_err,
518 NULL,NULL,NULL,NULL,NULL,NULL);
519 uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
520 /* sometimes it is really handy to be able to debug things
521 * and still get a connection!
523 if (ssl_debug_flag) {
524 printf("SSL: debug -> ignoring cert required!\r\n");
530 } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
532 ASN1_TIME_print(bio_err,X509_get_notBefore(xs));
533 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
534 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
535 ckmakxmsg(prefix,1024,
537 (char *)X509_verify_cert_error_string(error),
538 "\nCertificate Subject=\n",subject,
539 "\n notBefore=",ssl_err,
540 NULL,NULL,NULL,NULL,NULL,NULL);
541 ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
544 case X509_V_ERR_CERT_HAS_EXPIRED:
545 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
546 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
548 /* make 100% sure that in secure more we drop the
549 * connection if the server does not have a
552 ASN1_TIME_print(bio_err,X509_get_notAfter(xs));
553 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
554 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
556 ckmakxmsg(prefix,1024,
558 (char *)X509_verify_cert_error_string(error),
559 "\nCertificate Subject=\n",subject,
560 "\n notAfter=",ssl_err,
561 NULL,NULL,NULL,NULL,NULL,NULL);
562 uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
564 /* sometimes it is really handy to be able to debug things
565 * and still get a connection!
567 if (ssl_debug_flag) {
568 printf("SSL: debug -> ignoring cert required!\r\n");
574 } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
576 ASN1_TIME_print(bio_err,X509_get_notAfter(xs));
577 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
578 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
579 ckmakxmsg(prefix,1024,
581 (char *)X509_verify_cert_error_string(error),
582 "\nCertificate Subject=\n",subject,
583 "\n notAfter=",ssl_err,
584 NULL,NULL,NULL,NULL,NULL,NULL);
585 ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
588 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
589 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
591 * When an SSL server sends its certificates to the client there
592 * are two" conventions": one is to send the complete certificate
593 * chain and the other is to send the whole chain apart from the
596 * You don't usually need the root because the root is normally
597 * stored and trusted locally.
599 * So if you get the whole chain it will complain about the self
600 * signed certificate whereas if the root is missing it says it
601 * can't find the issuer certificate.
603 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
604 /* make 100% sure that in secure more we drop the
605 * connection if the server does not have a
608 ckmakxmsg(prefix,1024,
610 (char *)X509_verify_cert_error_string(error),
611 "\nCertificate Issuer=\n",issuer,
612 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
613 uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
614 /* sometimes it is really handy to be able to debug things
615 * and still get a connection!
617 if (ssl_debug_flag) {
618 printf("SSL: debug -> ignoring cert required!\r\n");
624 } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
625 ckmakxmsg(prefix,1024,
627 (char *)X509_verify_cert_error_string(error),
628 "\nCertificate Issuer=\n",issuer,
629 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
630 ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
633 /* if the user decides to accept the certificate
634 * offer to store it for future connections in
635 * the user's private store
638 "Do you wish to store the certificate to verify future connections?",
639 "Continue (Y/N)", 3, NULL, 0);
641 ck_X509_save_cert_to_user_store(xs);
646 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
647 case X509_V_ERR_UNABLE_TO_GET_CRL:
648 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
649 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
650 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
651 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
652 case X509_V_ERR_CRL_SIGNATURE_FAILURE:
653 case X509_V_ERR_CRL_NOT_YET_VALID:
654 case X509_V_ERR_CRL_HAS_EXPIRED:
655 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
656 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
657 case X509_V_ERR_OUT_OF_MEM:
658 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
659 case X509_V_ERR_CERT_REVOKED:
660 case X509_V_ERR_APPLICATION_VERIFICATION:
662 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
663 /* make 100% sure that in secure mode we drop the
664 * connection if the server does not have a
667 ckmakxmsg(prefix,1024,
669 (char *)X509_verify_cert_error_string(error),
670 "\nCertificate Subject=\n",subject,
671 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
672 uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
674 /* sometimes it is really handy to be able to debug things
675 * and still get a connection!
677 if (ssl_debug_flag) {
678 printf("SSL: debug -> ignoring cert required!\r\n");
684 } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
685 ckmakxmsg(prefix,1024,
687 (char *)X509_verify_cert_error_string(error),
688 "\nCertificate Subject=\n",subject,
689 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
690 ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
697 if ( ssl_debug_flag )
698 printf("ssl:client_verify_callback => ok: %d\r\n",ok);
704 ssl_client_info_callback(const SSL *s, int where, int ret)
706 ssl_client_info_callback(s,where,ret)
710 #endif /* CK_ANSIC */
712 if (inserver || !ssl_debug_flag)
718 case SSL_CB_CONNECT_LOOP:
719 printf("SSL_connect:%s %s\r\n",
720 SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
722 case SSL_CB_CONNECT_EXIT:
724 printf("SSL_connect:failed in %s %s\r\n",
725 SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
726 } else if (ret < 0) {
727 printf("SSL_connect:error in %s %s\r\n",
728 SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
731 case SSL_CB_ACCEPT_LOOP:
732 printf("SSL_accept:%s %s\r\n",
733 SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
735 case SSL_CB_ACCEPT_EXIT:
737 printf("SSL_accept:failed in %s %s\r\n",
738 SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
739 } else if (ret < 0) {
740 printf("SSL_accept:error in %s %s\r\n",
741 SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
744 case SSL_CB_READ_ALERT:
745 printf("SSL_read_alert\r\n");
747 case SSL_CB_WRITE_ALERT:
748 printf("SSL_write_alert\r\n");
750 case SSL_CB_HANDSHAKE_START:
751 printf("SSL_handshake:%s %s\r\n",
752 SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
754 case SSL_CB_HANDSHAKE_DONE:
755 printf("SSL_handshake:%s %s\r\n",
756 SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
762 /* Return 1, client cert is available */
763 /* Return 0, no client cert is available */
764 /* Return -1, callback must be called again. SSL_want_x509_lookup() == 1 */
767 ssl_client_cert_callback(SSL * s, X509 ** x509, EVP_PKEY ** pkey)
769 ssl_client_cert_callback(s, x509, pkey)
773 #endif /* CK_ANSIC */
777 if ( ssl_debug_flag ) {
778 const char * cipher_list=SSL_get_cipher(s);
779 printf("ssl_client_cert_callback called (%s)\r\n",
780 cipher_list?cipher_list:"UNKNOWN");
783 if ( s == tls_con ) {
784 if (tls_load_certs(tls_cts,tls_con,0)) {
785 *x509 = SSL_get_certificate(s);
786 *pkey = SSL_get_privatekey(s);
789 } else if ( s == ssl_con ) {
790 if (tls_load_certs(ssl_ctx,ssl_con,0)) {
791 *x509 = SSL_get_certificate(s);
792 *pkey = SSL_get_privatekey(s);
801 #endif /* USE_CERT_CB */
805 #endif /* MS_CALLBACK */
807 static RSA MS_CALLBACK *
809 tmp_rsa_cb(SSL * s, int export, int keylength)
811 tmp_rsa_cb(s,export,keylength)
815 #endif /* CK_ANSIC */
817 static RSA *rsa_tmp=NULL;
823 printf("Generating temporary (%d bit) RSA key...\r\n",keylength);
825 rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
832 printf("Unable to generate temporary RSA key...\r\n");
839 static unsigned char dh512_p[]={
840 0xE9,0x4E,0x3A,0x64,0xFA,0x65,0x5F,0xA6,0x44,0xC7,0xFC,0xF1,
841 0x16,0x8B,0x11,0x11,0x7A,0xF0,0xB2,0x49,0x80,0x56,0xA3,0xF8,
842 0x0F,0x7D,0x01,0x68,0x5D,0xF6,0x8A,0xEA,0x8C,0xDD,0x01,0xDC,
843 0x43,0x18,0xE0,0xC4,0x89,0x80,0xE6,0x2D,0x44,0x77,0x45,0xFD,
844 0xBA,0xFC,0x43,0x35,0x12,0xC0,0xED,0x32,0xD3,0x16,0xEF,0x51,
847 static unsigned char dh512_g[]={
851 static unsigned char dh768_p[]={
852 0x8B,0x2A,0x8C,0x6C,0x0F,0x87,0xC7,0x34,0xEE,0x2E,0xFB,0x60,
853 0x94,0xB3,0xBF,0x95,0xBA,0x84,0x74,0x86,0xEA,0xE0,0xA4,0x33,
854 0xE0,0x8F,0x7C,0x79,0x5C,0x62,0xE2,0x91,0xC5,0x6D,0x68,0xB9,
855 0x6C,0x5E,0x4E,0x94,0x0C,0x8E,0x56,0x8E,0xEB,0x98,0x7C,0x6E,
856 0x0E,0xF2,0xD5,0xAA,0x22,0x27,0x3F,0x0F,0xAF,0x10,0xB5,0x0B,
857 0x16,0xCC,0x05,0x27,0xBB,0x58,0x6D,0x61,0x4B,0x2B,0xAB,0xDC,
858 0x6A,0x15,0xBC,0x36,0x75,0x4D,0xEC,0xAB,0xFA,0xB6,0xE1,0xB1,
859 0x13,0x70,0xD8,0x77,0xCD,0x5E,0x51,0x77,0x81,0x0D,0x77,0x43,
861 static unsigned char dh768_g[]={
865 static unsigned char dh1024_p[]={
866 0xA4,0x75,0xCF,0x35,0x00,0xAF,0x3C,0x17,0xCE,0xB0,0xD0,0x52,
867 0x43,0xA0,0x0E,0xFA,0xA2,0xC9,0xBE,0x0B,0x76,0x7A,0xD9,0x2E,
868 0xF4,0x97,0xAC,0x02,0x24,0x69,0xF6,0x36,0x4F,0xAB,0xCC,0x43,
869 0xC1,0x74,0xFF,0xA3,0xD4,0x04,0x0F,0x11,0x2B,0x6D,0x8C,0x47,
870 0xC9,0xCF,0x40,0x93,0x9B,0x7D,0x1E,0x52,0x85,0xB2,0x17,0x55,
871 0x9C,0xF2,0x41,0x02,0x2A,0x9D,0x5F,0x24,0x22,0xC6,0x04,0xC4,
872 0xAB,0x92,0x6D,0xC7,0xC8,0xF3,0x41,0x58,0x6C,0x86,0xFD,0xB8,
873 0x0F,0x2D,0xDD,0xBF,0xA8,0x40,0x0C,0x58,0xC8,0xF2,0x3F,0x18,
874 0xEF,0xF1,0x93,0x3E,0xBA,0x16,0x41,0xBE,0x32,0x6C,0xC5,0x63,
875 0xFF,0x8A,0x02,0x3D,0xAC,0xD5,0x5A,0x49,0x64,0x34,0x14,0x2E,
876 0xFB,0x2E,0xE7,0x39,0x1A,0x0F,0x3C,0x33,
878 static unsigned char dh1024_g[]={
882 static unsigned char dh1536_p[]={
883 0xA3,0x2B,0x75,0x0E,0x7B,0x31,0x82,0xCA,0xF2,0xFC,0xF3,0x3D,
884 0xCE,0x5F,0xCD,0x5B,0x95,0xF6,0x2F,0xA4,0x5D,0x08,0x26,0xD2,
885 0x5F,0xC0,0x3F,0xC5,0xD8,0xA2,0xFE,0x83,0x26,0xBC,0xEB,0x7D,
886 0xF0,0x4E,0xD2,0xA6,0xBB,0x3C,0x88,0x63,0xCE,0x98,0xDE,0x08,
887 0xE2,0xE1,0xAF,0xE2,0x38,0xA8,0xFA,0x68,0x76,0x8D,0xBF,0xDF,
888 0xBB,0x30,0x15,0xFE,0xBD,0x22,0xCC,0x03,0x4E,0x5E,0x33,0xA3,
889 0x6D,0xD6,0x68,0x12,0x97,0x17,0x4B,0xB5,0x84,0x5F,0x5F,0xA3,
890 0x5C,0x2F,0xA4,0x10,0xC1,0xAD,0xBF,0xAC,0x30,0xCA,0x47,0x64,
891 0x63,0xFE,0xEE,0xEE,0xA1,0x64,0x73,0x70,0xAA,0xF9,0xFE,0xC6,
892 0xAD,0x5E,0xF6,0xF3,0x9C,0xDF,0x34,0x53,0x34,0x72,0xA6,0xA4,
893 0xBB,0x81,0x5A,0x43,0x41,0xFD,0x41,0x05,0x5B,0x77,0x7B,0x84,
894 0x03,0xFA,0x8A,0xFA,0xF7,0x8E,0x0F,0xCB,0x51,0xA2,0xB8,0x45,
895 0xFF,0x59,0x42,0xEF,0xCF,0xF6,0x25,0x37,0xE2,0x6D,0xFF,0x69,
896 0x11,0xF5,0x77,0x59,0x79,0x1C,0x5F,0x05,0xFC,0x7A,0x65,0x81,
897 0x03,0x4A,0x78,0xC6,0xE9,0x48,0x73,0xF6,0x10,0xBC,0x99,0x1C,
898 0xEE,0x44,0x2F,0x8B,0x70,0xCA,0xA8,0xB6,0x02,0x83,0x3E,0x0B,
900 static unsigned char dh1536_g[]={
904 static unsigned char dh2048_p[]={
905 0xFA,0x4E,0xE4,0x3B,0xFA,0xC1,0x87,0xDD,0xE7,0xC6,0x8B,0xE6,
906 0x13,0x85,0xBC,0x9B,0x2B,0x8B,0x5B,0x46,0xBB,0x8B,0x86,0x6D,
907 0xD7,0xB6,0xD5,0x49,0xC5,0x54,0xF2,0x3E,0xD2,0x39,0x64,0x9B,
908 0x0E,0x33,0x39,0x8F,0xFA,0xFA,0xD9,0x78,0xED,0x34,0x82,0x29,
909 0x37,0x58,0x4D,0x5D,0x40,0xCB,0x69,0xE3,0x8A,0x9F,0x17,0x0C,
910 0x01,0x23,0x6B,0x05,0x01,0xAF,0x33,0xDE,0xDF,0x1A,0xBB,0x7B,
911 0x6A,0x9F,0xD8,0xED,0x8D,0x5E,0x44,0x19,0x5B,0xE0,0xB6,0x23,
912 0xF9,0x7A,0x96,0x6E,0x94,0x33,0x31,0x49,0xBA,0x84,0xD5,0x12,
913 0xD7,0x6D,0xDC,0x35,0x54,0x64,0xA3,0xD8,0x04,0x26,0xC5,0xAF,
914 0x7F,0xE3,0xFE,0x6F,0xBE,0xD5,0x17,0x72,0x4B,0xA6,0xD0,0xA7,
915 0x5F,0x18,0xF5,0xF0,0x2D,0x11,0x9A,0xF6,0xD5,0x3B,0x6C,0x61,
916 0x3C,0x6F,0x8E,0x09,0x4F,0x2C,0xE1,0x26,0x06,0x51,0xB3,0x19,
917 0x85,0x85,0x13,0xF9,0xC2,0x6E,0x80,0x28,0x9E,0x8A,0xA0,0x01,
918 0x46,0xD1,0x85,0x44,0x8C,0xE6,0xEE,0x7E,0x1E,0x17,0x3D,0xBA,
919 0x54,0xFF,0xE8,0x0E,0xDD,0x51,0xF3,0x74,0x7F,0x0D,0x0B,0xAB,
920 0xCA,0x84,0x8D,0x24,0x5D,0x56,0xD4,0x47,0x02,0xFC,0x93,0x9F,
921 0xAE,0x9B,0x5C,0xDB,0x63,0xEB,0x65,0x01,0x38,0xC2,0x7B,0x30,
922 0x1E,0x17,0x1C,0x75,0xF5,0x16,0x3B,0x4F,0x5F,0x41,0x32,0xB5,
923 0xFF,0x9E,0x61,0xFD,0xD2,0x62,0x6E,0xFD,0x8A,0x28,0x93,0x59,
924 0x2D,0x70,0x14,0x4D,0xE1,0x86,0xD5,0x90,0xB4,0xDF,0x72,0x71,
925 0xE0,0xB4,0xD0,0xD6,0x82,0x3A,0x4A,0x04,0x58,0x32,0x0B,0xD3,
928 static unsigned char dh2048_g[]={
937 if ((dh=DH_new()) == NULL)
939 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
940 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
941 if ((dh->p == NULL) || (dh->g == NULL))
951 if ((dh=DH_new()) == NULL)
953 dh->p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL);
954 dh->g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL);
955 if ((dh->p == NULL) || (dh->g == NULL))
965 if ((dh=DH_new()) == NULL)
967 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
968 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
969 if ((dh->p == NULL) || (dh->g == NULL))
979 if ((dh=DH_new()) == NULL)
981 dh->p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL);
982 dh->g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL);
983 if ((dh->p == NULL) || (dh->g == NULL))
993 if ((dh=DH_new()) == NULL)
995 dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
996 dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
997 if ((dh->p == NULL) || (dh->g == NULL))
1003 static DH MS_CALLBACK *
1005 tmp_dh_cb(SSL * s, int export, int keylength)
1006 #else /* CK_ANSIC */
1007 tmp_dh_cb(s,export,keylength)
1011 #endif /* CK_ANSIC */
1013 static DH *dh_tmp=NULL;
1019 if (ssl_dh_param_file &&
1020 (bio=BIO_new_file(ssl_dh_param_file,"r")) != NULL)
1021 dh_tmp=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
1025 if ( dh_tmp == NULL ) {
1026 if ( keylength < 768 )
1027 dh_tmp = get_dh512();
1028 else if ( keylength < 1024 )
1029 dh_tmp = get_dh768();
1030 else if ( keylength < 1536 )
1031 dh_tmp = get_dh1024();
1032 else if ( keylength < 2048 )
1033 dh_tmp = get_dh1536();
1035 dh_tmp = get_dh2048();
1040 printf("DH not supported...\r\n");
1046 ssl_display_comp(SSL * ssl)
1048 if ( quiet ) /* fdc - Mon Nov 28 11:44:15 2005 */
1051 if ( !ck_ssleay_is_installed() )
1057 if (ssl->expand == NULL || ssl->expand->meth == NULL)
1058 printf("Compression: None\r\n");
1060 printf("Compression: %s\r\n",ssl->expand->meth->name);
1066 ssl_display_connect_details(SSL * ssl_con, int server, int verbose)
1067 #else /* CK_ANSIC */
1068 ssl_display_connect_details(ssl_con,server,verbose)
1072 #endif /* CK_ANSIC */
1075 SSL_CIPHER * cipher;
1076 const char *cipher_list;
1079 if ( quiet ) /* fdc - Mon Nov 28 11:44:15 2005 */
1082 if ( !ck_ssleay_is_installed() )
1085 if ( inserver && !tn_deb )
1088 /* the cipher list *can* be NULL ... useless but it happens! */
1089 cipher = SSL_get_current_cipher(ssl_con);
1090 cipher_list = SSL_CIPHER_get_name(cipher);
1091 SSL_CIPHER_description(cipher,buf,sizeof(buf));
1092 if (cipher_list==NULL)
1093 cipher_list="<NULL>";
1094 printf("[TLS - %s",buf);
1095 ssl_display_comp(ssl_con);
1098 cipher_list=SSL_get_shared_ciphers(ssl_con,buf,512);
1099 if (cipher_list==NULL)
1100 cipher_list="<NULL>";
1101 printf("[TLS - shared ciphers=%s]\r\n",
1104 if ( server || tn_deb ) {
1105 peer=SSL_get_peer_certificate(ssl_con);
1107 X509_NAME_oneline(X509_get_subject_name(peer),buf,512);
1108 printf("[TLS - subject=%s]\r\n",buf);
1109 X509_NAME_oneline(X509_get_issuer_name(peer),buf,512);
1110 printf("[TLS - issuer=%s]\r\n",buf);
1111 /* X509_free(peer); */
1112 } else if (!tls_is_krb5(0)) {
1113 if ( !sstelnet && !tcp_incoming ) {
1114 printf("[TLS - No certificate provided.]\r\n");
1116 "[TLS - The identity of the host could not be verified.]\r\n");
1124 * Use SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *, void * userdata)
1125 * to set the value of the userdata. We are going to use it to store the
1131 ssl_passwd_callback(char *buf, int len, int rwflag, VOID * userdata)
1132 #else /* CK_ANSIC */
1133 ssl_passwd_callback(buf,len,rwflag,userdata)
1134 char * buf; int len; int rwflag; VOID *userdata;
1135 #endif /* CK_ANSIC */
1137 extern char pwbuf[];
1138 extern int pwflg, pwcrypt;
1142 if ( pwbuf[0] && pwflg ) {
1144 n = ckstrncpy(buf,pwbuf,len);
1147 ck_encrypt((char *)buf);
1152 if ( userdata == NULL )
1153 prompt="Enter certificate passphrase: ";
1155 prompt=(char*)userdata;
1156 ok = uq_txt(NULL,prompt,2,NULL,buf,len,NULL,DEFAULT_UQ_TIMEOUT);
1157 return(ok > 0 ? strlen(buf) : 0);
1161 /* Attempts to load certificate data into the TLS context structures */
1162 /* Returns 1 on success; 0 on failure */
1164 tls_load_certs(SSL_CTX * ctx, SSL * con, int server)
1168 if ( !ck_ssleay_is_installed() )
1171 debug(F110,"tls_load_certs","SSL_CTX",0);
1172 debug(F110,"tls_load_certs","SSL",0);
1173 debug(F110,"tls_load_certs","server",0);
1176 if (ssl_rsa_cert_file) {
1177 if ( ssl_debug_flag )
1178 printf("Loading RSA certificate into SSL\r\n");
1180 rc = SSL_use_certificate_file(con, ssl_rsa_cert_file,
1184 if ( !quiet || ssl_debug_flag )
1185 printf("Error loading certificate from %s\r\n",
1188 if (!ssl_rsa_key_file || !ssl_rsa_key_file[0])
1189 makestr(&ssl_rsa_key_file,ssl_rsa_cert_file);
1191 rc = SSL_use_PrivateKey_file(con, ssl_rsa_key_file,
1194 rc = SSL_use_PrivateKey_file(con, ssl_rsa_cert_file,
1198 if ( !quiet || ssl_debug_flag )
1199 printf("Error loading key from %s\r\n",
1202 rc = SSL_check_private_key(con);
1205 if ( ssl_debug_flag )
1207 "Private key does not match the certificate public key\r\n");
1213 if (ssl_dsa_cert_file) {
1214 if ( ssl_debug_flag )
1215 printf("Loading DSA certificate into SSL\r\n");
1217 rc = SSL_use_certificate_file(con, ssl_dsa_cert_file,
1221 if ( ssl_debug_flag ) {
1222 printf("Error loading certificate from %s\r\n",
1226 if (!ssl_dh_key_file || !ssl_dh_key_file[0])
1227 makestr(&ssl_dh_key_file,ssl_dsa_cert_file);
1228 rc = SSL_use_PrivateKey_file(con, ssl_dh_key_file,
1231 rc = SSL_use_PrivateKey_file(con, ssl_dsa_cert_file,
1235 if ( !quiet || ssl_debug_flag ) {
1236 printf("Error loading key from %s\r\n",
1240 rc = SSL_check_private_key(con);
1243 if ( ssl_debug_flag )
1245 "Private key does not match the certificate public key\n");
1251 if (ssl_rsa_cert_file) {
1252 if ( ssl_debug_flag )
1253 printf("Loading RSA certificate into SSL\r\n");
1255 rc = SSL_CTX_use_certificate_file(ctx, ssl_rsa_cert_file,
1259 if ( !quiet || ssl_debug_flag )
1260 printf("Error loading certificate from %s\r\n",
1263 if (!ssl_rsa_key_file || !ssl_rsa_key_file[0])
1264 makestr(&ssl_rsa_key_file,ssl_rsa_cert_file);
1266 rc = SSL_CTX_use_PrivateKey_file(ctx, ssl_rsa_key_file,
1269 rc = SSL_CTX_use_PrivateKey_file(ctx, ssl_rsa_cert_file,
1272 if ( ssl_debug_flag )
1273 printf("Error loading key from %s\r\n",ssl_rsa_key_file);
1275 rc = SSL_CTX_check_private_key(ctx);
1277 if ( ssl_debug_flag )
1279 "Private key does not match the certificate public key\r\n");
1284 if (ssl_dsa_cert_file) {
1285 if ( ssl_debug_flag )
1286 printf("Loading DSA certificate into SSL\r\n");
1288 rc = SSL_CTX_use_certificate_file(ctx, ssl_dsa_cert_file,
1291 if ( ssl_debug_flag ) {
1292 printf("Error loading certificate from %s\r\n",
1296 if (!ssl_dh_key_file || !ssl_dh_key_file[0])
1297 makestr(&ssl_dh_key_file,ssl_dsa_cert_file);
1298 rc = SSL_CTX_use_PrivateKey_file(ctx, ssl_dh_key_file,
1301 rc = SSL_CTX_use_PrivateKey_file(ctx, ssl_dsa_cert_file,
1304 if ( ssl_debug_flag )
1305 printf("Error loading key from %s\r\n",ssl_dh_key_file);
1307 rc = SSL_CTX_check_private_key(ctx);
1309 if ( ssl_debug_flag )
1311 "Private key does not match the certificate public key\n");
1318 if (ssl_rsa_cert_chain_file && server) {
1321 printf("Loading RSA Certificate Chain into SSL\r\n");
1322 if (!ckstrcmp(ssl_rsa_cert_chain_file,ssl_rsa_cert_file,-1,
1330 rc = SSL_CTX_use_certificate_chain_file(ctx,ssl_rsa_cert_chain_file);
1331 if (!rc && ssl_debug_flag)
1332 printf("Error loading RSA Certificate Chain into SSL\r\n");
1334 if (ssl_dsa_cert_chain_file && server) {
1337 printf("Loading DSA Certificate Chain into SSL\r\n");
1338 if (!ckstrcmp(ssl_dsa_cert_chain_file,ssl_dsa_cert_file,-1,
1346 rc = SSL_CTX_use_certificate_chain_file(ctx,ssl_dsa_cert_chain_file);
1347 if (!rc && ssl_debug_flag)
1348 printf("Error loading DSA Certificate Chain into SSL\r\n");
1358 #endif /* CK_ANSIC */
1363 if ( !ck_ssleay_is_installed() )
1366 OpenSSL does not provide for ABI compatibility between releases prior
1367 to version 1.0.0. If the version does not match, it is not safe to
1368 assume that any function you call takes the same parameters or does
1369 the same thing with them. Removing this test prior to the OpenSSL 1.0.0
1370 release will result in an increase in unexplained or incorrect behaviors.
1371 The test should be revised once OpenSSL 1.0.0 is released and we see what
1372 its claims are as to ABI compatibility.
1374 debug(F111,"Kermit built for OpenSSL",OPENSSL_VERSION_TEXT,SSLEAY_VERSION_NUMBER);
1376 debug(F111,"OpenSSL Library",SSLeay_version(SSLEAY_VERSION),
1378 debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_BUILT_ON),0);
1379 debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_CFLAGS),0);
1380 debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0);
1382 /* The following test is suggested by Richard Levitte */
1383 if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f)
1385 || ckstrcmp(OPENSSL_VERSION_TEXT,(char *)SSLeay_version(SSLEAY_VERSION),-1,1)
1389 debug(F111,"OpenSSL Version does not match. Built with",
1390 SSLeay_version(SSLEAY_VERSION),SSLEAY_VERSION_NUMBER);
1391 printf("?OpenSSL libraries do not match required version:\r\n");
1392 printf(" . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT);
1393 printf(" . Version found %s\r\n",SSLeay_version(SSLEAY_VERSION));
1394 printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
1398 printf(" Set CD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
1400 #endif /* SOLARIS */
1403 printf(" Set SHLIB_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
1408 printf(" Set LIBPATH for %s.\r\n",OPENSSL_VERSION_TEXT);
1413 printf(" Set LD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
1417 printf(" %sebuild C-Kermit from source on this computer to make \
1418 versions agree.\r\n",s);
1425 if (!*s) s = "(unknown)";
1426 printf(" C-Kermit makefile target: %s\r\n",s);
1428 #endif /* KTARGET */
1429 printf(" Or if that is what you did then try to find out why\r\n");
1430 printf(" the program loader (image activator) is choosing a\r\n");
1431 printf(" different OpenSSL library than the one specified in \
1432 the build.\r\n\r\n");
1433 printf(" All SSL/TLS features disabled.\r\n\r\n");
1437 ck_crypto_unloaddll();
1441 #endif /* OS2ONLY */
1443 /* init things so we will get meaningful error messages
1444 * rather than numbers
1446 SSL_load_error_strings();
1449 OPENSSL_add_all_algorithms_noconf();
1451 /* SSL_library_init() only loads those ciphers needs for SSL */
1452 /* These happen to be a similar set to those required for SSH */
1453 /* but they are not a complete set of ciphers provided by the */
1454 /* crypto library. */
1456 #endif /* SSHBUILTIN */
1460 if (cm != NULL && cm->type != NID_undef) {
1461 SSL_COMP_add_compression_method(0xe0, cm); /* EAY's ZLIB ID */
1465 if (cm != NULL && cm->type != NID_undef)
1466 SSL_COMP_add_compression_method(0xe1, cm); /* EAY's RLE ID */
1468 /* Ensure the Random number generator has enough entropy */
1469 if ( !RAND_status() ) {
1470 char buffer[256]="";
1471 char randombytes[256];
1472 int rc1 = -1, rc2 = 1; /* assume failure and success */
1474 debug(F110,"ssl_once_init","!RAND_status()",0);
1476 if ( ssl_rnd_file == NULL ) {
1477 debug(F110,"ssl_rnd_file","ssl_rnd_file is NULL",0);
1478 RAND_file_name(buffer,256);
1480 makestr(&ssl_rnd_file, buffer);
1482 makestr(&ssl_rnd_file,".rnd");
1484 debug(F110,"ssl_rnd_file",ssl_rnd_file,0);
1486 rc1 = RAND_egd(ssl_rnd_file);
1487 debug(F111,"ssl_once_init","RAND_egd()",rc1);
1489 rc2 = RAND_load_file(ssl_rnd_file, -1);
1490 debug(F111,"ssl_once_init","RAND_load_file()",rc1);
1493 if ( rc1 <= 0 && !rc2 )
1495 time_t t = time(NULL);
1496 int tlen = sizeof(time_t);
1498 int plen = sizeof(int);
1501 #define RAND_MAX 0x7FFF
1503 debug(F110,"ssl_once_init","calling RAND_seed()",0);
1505 RAND_seed((unsigned char *)&t, tlen);
1506 RAND_seed((unsigned char *)&pid, plen);
1508 srand((unsigned int)t);
1509 sprintf(buffer, "%.0f", (((double)(rand()%RAND_MAX)/RAND_MAX)*
1510 (sizeof(randombytes)-128-1)));
1511 n = (atoi(buffer)+1)%(sizeof(randombytes)-128-1);
1512 RAND_seed(randombytes, 128);
1515 if ( !RAND_status() ) {
1516 debug(F110,"ssl_once_init","Unable to initialize PRNG",0);
1517 printf(" Unable to load 'random state'\n");
1518 printf(" SSL and TLS are unavailble.\n");
1519 printf(" Use SET AUTH SSL RANDOM-FILE <file> command to provide random data.\n");
1520 printf(" Specified file will be overwritten with new random data after use.\n");
1524 if ( ssl_rnd_file ) {
1525 int rc = RAND_write_file(ssl_rnd_file);
1526 debug(F111,"ssl_once_init","RAND_write_file()",rc);
1531 // Initialize additional OID types for use when saving certs to a file
1532 OBJ_create("2.99999.3","SET.ex3","SET x509v3 extension 3");
1535 /* make sure we have somewhere we can log errors to */
1536 bio_err=BIO_new(BIO_s_mem());
1538 debug(F100,"ssl_once_init() complete","",0);
1543 ssl_tn_init(int mode)
1545 ssl_tn_init(mode) int mode;
1546 #endif /* CK_ANSIC */
1549 extern char * k5_keytab;
1550 extern char * krb5_d_srv;
1552 static int last_ssl_mode = -1;
1553 SSL * ssl_conx=NULL, * tls_conx=NULL;
1555 ssl_initialized = 0;
1557 if ( !ck_ssleay_is_installed() )
1560 debug(F111,"ssl_tn_init","mode",mode);
1563 printf("SSL_DEBUG_FLAG on\r\n");
1565 if (last_ssl_mode != mode) {
1567 SSL_CTX_free(ssl_ctx);
1571 SSL_CTX_free(tls_ctx);
1576 if ( (last_ssl_mode != mode) || !ssl_ctx || !tls_ctx ) {
1577 if ( mode == SSL_CLIENT ) {
1578 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
1579 /* This can fail because we do not have RSA available */
1581 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
1582 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
1585 debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
1590 tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());
1592 tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
1593 /* This can fail because we do not have RSA available */
1595 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
1596 tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
1598 #endif /* COMMENT */
1600 debug(F110,"ssl_tn_init","TLSv1_client_method failed",0);
1605 SSL_CTX_set_client_cert_cb(ssl_ctx,ssl_client_cert_callback);
1606 SSL_CTX_set_client_cert_cb(tls_ctx,ssl_client_cert_callback);
1607 #endif /* USE_CERT_CB */
1608 } else if (mode == SSL_SERVER) {
1609 /* We are a server */
1610 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_server_method());
1611 /* This can fail because we do not have RSA available */
1613 debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
1614 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
1617 debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
1622 tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_server_method());
1624 tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_server_method());
1625 /* This can fail because we do not have RSA available */
1627 debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
1628 tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_server_method());
1630 #endif /* COMMENT */
1632 debug(F110,"ssl_tn_init","TLSv1_server_method failed",0);
1636 } else /* Unknown mode */
1640 SSL_CTX_set_default_passwd_cb(ssl_ctx,
1641 (pem_password_cb *)ssl_passwd_callback);
1642 SSL_CTX_set_default_passwd_cb(tls_ctx,
1643 (pem_password_cb *)ssl_passwd_callback);
1646 /* for SSL switch on all the interoperability and bug
1647 * workarounds so that we will communicate with people
1648 * that cannot read poorly written specs :-)
1649 * for TLS be sure to prevent use of SSLv2
1651 SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
1652 SSL_CTX_set_options(tls_ctx,
1653 SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
1655 SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
1656 SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
1659 /* Set the proper caching mode */
1660 if ( mode == SSL_SERVER ) {
1661 SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_SERVER);
1662 SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_SERVER);
1664 SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_CLIENT);
1665 SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_CLIENT);
1667 SSL_CTX_set_session_id_context(ssl_ctx,(CHAR *)"1",1);
1668 SSL_CTX_set_session_id_context(tls_ctx,(CHAR *)"2",1);
1670 SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_OFF);
1671 SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_OFF);
1672 #endif /* COMMENT */
1675 /* The server uses defaults for the certificate files. */
1676 /* The client does not. */
1677 if (mode == SSL_SERVER) {
1678 char cert_filepath[1024];
1679 const char * defdir = NULL;
1682 defdir = getenv("SSL_CERT_DIR");
1687 defdir = X509_get_default_cert_dir();
1689 debug(F110,"ssl_tn_init - setting default directory to",defdir,0);
1694 if (!ssl_rsa_cert_file) {
1695 /* we need to know the fullpath to the location of the
1696 * certificate that we will be running with as we cannot
1697 * be sure of the cwd when we are launched
1699 sprintf(cert_filepath,"%s/%s",defdir,"telnetd-rsa.pem");
1700 if (zchki(cert_filepath) > 0)
1701 makestr(&ssl_rsa_cert_file,cert_filepath);
1703 if (ssl_rsa_cert_file && !ssl_rsa_key_file) {
1704 /* we need to know the fullpath to the location of the
1705 * certificate that we will be running with as we cannot
1706 * be sure of the cwd when we are launched
1708 sprintf(cert_filepath,"%s/%s",defdir,"telnetd-rsa-key.pem");
1709 if (zchki(cert_filepath) > 0)
1710 makestr(&ssl_rsa_key_file,cert_filepath);
1712 if (!ssl_dsa_cert_file) {
1713 /* we need to know the fullpath to the location of the
1714 * certificate that we will be running with as we cannot
1715 * be sure of the cwd when we are launched
1717 sprintf(cert_filepath,"%s/%s",defdir,"telnetd-dsa.pem");
1718 if (zchki(cert_filepath) > 0)
1719 makestr(&ssl_dsa_cert_file,cert_filepath);
1721 if (ssl_dsa_cert_file && !ssl_dh_key_file) {
1722 /* we need to know the fullpath to the location of the
1723 * certificate that we will be running with as we cannot
1724 * be sure of the cwd when we are launched
1726 sprintf(cert_filepath,"%s/%s",defdir,"telnetd-dsa-key.pem");
1727 if (zchki(cert_filepath) > 0)
1728 makestr(&ssl_dh_key_file,cert_filepath);
1731 /* we need to know the fullpath to the location of the
1732 * certificate that we will be running with as we cannot
1733 * be sure of the cwd when we are launched
1735 sprintf(cert_filepath,"%s/crl",defdir);
1736 if (zchki(cert_filepath) > 0)
1737 makestr(&ssl_crl_dir,cert_filepath);
1740 if (ssl_only_flag && !tls_load_certs(ssl_ctx,ssl_con,1)) {
1741 debug(F110,"ssl_tn_init","Unable to load SSL certs",0);
1745 if (tls_only_flag && !tls_load_certs(tls_ctx,tls_con,1)) {
1746 debug(F110,"ssl_tn_init","Unable to load TLS certs",0);
1751 if ( (last_ssl_mode != mode) || !ssl_ctx || !tls_ctx ) {
1752 /* we may require a temp 512 bit RSA key because of the
1753 * wonderful way export things work ... if so we generate
1757 SSL_CTX_set_tmp_rsa_callback(ssl_ctx, tmp_rsa_cb);
1758 SSL_CTX_set_tmp_dh_callback( ssl_ctx, tmp_dh_cb);
1759 SSL_CTX_set_tmp_rsa_callback(tls_ctx, tmp_rsa_cb);
1760 SSL_CTX_set_tmp_dh_callback( tls_ctx, tmp_dh_cb);
1762 dh = tmp_dh_cb(NULL,0,512);
1763 SSL_CTX_set_tmp_dh(ssl_ctx,dh);
1764 SSL_CTX_set_tmp_dh(tls_ctx,dh);
1766 /* The following code is only called if we are using a
1767 * certificate with an RSA public key and where the
1768 * certificate has a key length less than 512 bits or is
1769 * marked for signing only. This is so we can support
1770 * the greatest legal privacy level with exportable clients.
1773 if (SSL_CTX_need_tmp_RSA(ssl_ctx) ||
1774 SSL_CTX_need_tmp_RSA(tls_ctx))
1778 if ( ssl_debug_flag )
1779 printf("Generating temp (512 bit) RSA key ...\r\n");
1780 rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
1781 if ( ssl_debug_flag )
1782 printf("Generation of temp (512 bit) RSA key done\r\n");
1784 if (SSL_CTX_need_tmp_RSA(ssl_ctx)) {
1785 if (!SSL_CTX_set_tmp_rsa(ssl_ctx,rsa)) {
1786 if ( ssl_debug_flag )
1788 "Failed to assign generated temp RSA key to SSL!\r\n");
1791 if (SSL_CTX_need_tmp_RSA(tls_ctx)) {
1792 if (!SSL_CTX_set_tmp_rsa(tls_ctx,rsa)) {
1793 if ( ssl_debug_flag )
1795 "Failed to assign generated temp RSA key to TLS!\r\n");
1799 if ( ssl_debug_flag )
1800 printf("Assigned temp (512 bit) RSA key\r\n");
1805 /* make sure we will find certificates in the standard
1806 * location ... otherwise we don't look anywhere for
1807 * these things which is going to make client certificate
1808 * exchange rather useless :-)
1809 * In OS2, default values for ssl_verify_file and ssl_verify_path.
1815 /* The defaults in the SSL crypto library are not appropriate for OS/2 */
1816 char path[CKMAXPATH];
1818 ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL);
1820 SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) {
1821 debug(F110,"ssl_tn_init certificate verify dir",path,0);
1823 printf(" Certificate Verification Directory: %s\r\n",path);
1824 SSL_CTX_load_verify_locations(ssl_ctx,NULL,path);
1826 ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/certs",NULL,NULL);
1828 SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) {
1829 debug(F110,"ssl_tn_init certificate verify dir",path,0);
1831 printf(" Certificate Verification Directory: %s\r\n",path);
1832 SSL_CTX_load_verify_locations(ssl_ctx,NULL,path);
1834 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/certs",NULL,NULL);
1836 SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) {
1837 debug(F110,"ssl_tn_init certificate verify dir",path,0);
1839 printf(" Certificate Verification Directory: %s\r\n",path);
1840 SSL_CTX_load_verify_locations(ssl_ctx,NULL,path);
1842 ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL);
1843 if (zchki(path) > 0 &&
1844 SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) {
1845 debug(F110,"ssl_tn_init certificate verify file",path,0);
1847 printf(" Certificate Verification File: %s\r\n",path);
1848 SSL_CTX_load_verify_locations(ssl_ctx,path,NULL);
1850 ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_certs.pem",NULL,NULL);
1851 if (zchki(path) > 0 &&
1852 SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) {
1853 debug(F110,"ssl_tn_init certificate verify file",path,0);
1855 printf(" Certificate Verification File: %s\r\n",path);
1856 SSL_CTX_load_verify_locations(ssl_ctx,path,NULL);
1858 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_certs.pem",NULL,NULL);
1859 if (zchki(path) > 0 &&
1860 SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) {
1861 debug(F110,"ssl_tn_init certificate verify file",path,0);
1863 printf(" Certificate Verification File: %s\r\n",path);
1864 SSL_CTX_load_verify_locations(ssl_ctx,path,NULL);
1869 /* The defaults in the SSL crypto library are not appropriate for OS/2 */
1870 char path[CKMAXPATH];
1872 ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL);
1874 SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) {
1875 debug(F110,"ssl_tn_init certificate verify dir",path,0);
1877 printf(" Certificate Verification Directory: %s\r\n",path);
1878 SSL_CTX_load_verify_locations(ssl_ctx,NULL,path);
1880 ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL);
1881 if (zchki(path) > 0 &&
1882 SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) {
1883 debug(F110,"ssl_tn_init certificate verify file",path,0);
1885 printf(" Certificate Verification File: %s\r\n",path);
1886 SSL_CTX_load_verify_locations(ssl_ctx,path,NULL);
1891 SSL_CTX_set_default_verify_paths(ssl_ctx);
1892 SSL_CTX_set_default_verify_paths(tls_ctx);
1895 if (ssl_verify_file) {
1896 if (zchki(ssl_verify_file) > 0 &&
1897 SSL_CTX_load_verify_locations(tls_ctx,ssl_verify_file,NULL) == 1) {
1898 debug(F110,"ssl_tn_init certificate verify file",ssl_verify_file,0);
1900 printf(" Certificate Verification File: %s\r\n",ssl_verify_file);
1901 SSL_CTX_load_verify_locations(ssl_ctx,ssl_verify_file,NULL);
1904 if (ssl_verify_dir && isdir(ssl_verify_dir)) {
1905 if (SSL_CTX_load_verify_locations(tls_ctx,NULL,ssl_verify_dir) == 1) {
1906 debug(F110,"ssl_tn_init certificate verify dir",ssl_verify_dir,0);
1908 printf(" Certificate Verification Directory: %s\r\n",ssl_verify_dir);
1909 SSL_CTX_load_verify_locations(ssl_ctx,NULL,ssl_verify_dir);
1912 if (mode == SSL_SERVER) {
1913 SSL_CTX_set_verify(ssl_ctx,
1914 ssl_verify_flag?ssl_verify_flag|SSL_VERIFY_CLIENT_ONCE:0,
1915 ssl_server_verify_callback);
1916 SSL_CTX_set_verify(tls_ctx,
1917 ssl_verify_flag?ssl_verify_flag|SSL_VERIFY_CLIENT_ONCE:0,
1918 ssl_server_verify_callback);
1920 SSL_CTX_set_verify(ssl_ctx,ssl_verify_flag,
1921 ssl_client_verify_callback);
1922 SSL_CTX_set_verify(tls_ctx,ssl_verify_flag,
1923 ssl_client_verify_callback);
1926 /* Free the existing CRL Store */
1928 X509_STORE_free(crl_store);
1932 /* set up the new CRL Store */
1933 crl_store = X509_STORE_new();
1936 char path[CKMAXPATH];
1938 ckmakmsg(path,CKMAXPATH,exedir,"crls",NULL,NULL);
1940 X509_STORE_load_locations(crl_store,NULL,path) == 1) {
1941 debug(F110,"ssl_tn_init crl dir",path,0);
1943 printf(" CRL Directory: %s\r\n",path);
1946 ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/crls",NULL,NULL);
1948 X509_STORE_load_locations(crl_store,NULL,path) == 1) {
1949 debug(F110,"ssl_tn_init crl dir",path,0);
1951 printf(" CRL Directory: %s\r\n",path);
1953 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/crls",NULL,NULL);
1955 X509_STORE_load_locations(crl_store,NULL,path) == 1) {
1956 debug(F110,"ssl_tn_init crl dir",path,0);
1958 printf(" CRL Directory: %s\r\n",path);
1962 ckmakmsg(path,CKMAXPATH,exedir,"ca_crls.pem",NULL,NULL);
1963 if (zchki(path) > 0 &&
1964 X509_STORE_load_locations(crl_store,path,NULL) == 1) {
1965 debug(F110,"ssl_tn_init crl file",path,0);
1967 printf(" CRL File: %s\r\n",path);
1970 ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_crls.pem",NULL,NULL);
1971 if (zchki(path) > 0 &&
1972 X509_STORE_load_locations(crl_store,path,NULL) == 1) {
1973 debug(F110,"ssl_tn_init crl file",path,0);
1975 printf(" CRL File: %s\r\n",path);
1977 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_crls.pem",NULL,NULL);
1978 if (zchki(path) > 0 &&
1979 X509_STORE_load_locations(crl_store,path,NULL) == 1) {
1980 debug(F110,"ssl_tn_init crl file",path,0);
1982 printf(" CRL File: %s\r\n",path);
1987 if (ssl_crl_file || ssl_crl_dir) {
1988 if (ssl_crl_file && zchki(ssl_crl_file) > 0 &&
1989 X509_STORE_load_locations(crl_store,ssl_crl_file,NULL) == 1) {
1990 debug(F110,"ssl_tn_init crl file",ssl_crl_file,0);
1992 printf(" CRL File: %s\r\n",ssl_crl_file);
1994 if (ssl_crl_dir && isdir(ssl_crl_dir) &&
1995 X509_STORE_load_locations(crl_store,NULL,ssl_crl_dir) == 1) {
1996 debug(F110,"ssl_tn_init crl dir",ssl_crl_dir,0);
1998 printf(" CRL Directory: %s\r\n",ssl_crl_dir);
2003 X509_STORE_set_default_paths(crl_store);
2010 ssl_con=(SSL *)SSL_new(ssl_ctx);
2012 debug(F110,"ssl_tn_init","SSL_new(ssl_con) failed",0);
2018 if ( mode == SSL_CLIENT ) {
2019 SSL_set_session(ssl_con, SSL_get_session(ssl_conx));
2022 if (ssl_conx->kssl_ctx) {
2023 kssl_ctx_free(ssl_conx->kssl_ctx);
2024 ssl_conx->kssl_ctx = NULL;
2026 #endif /* SSL_KRB5 */
2031 tls_con=(SSL *)SSL_new(tls_ctx);
2033 debug(F110,"ssl_tn_init","SSL_new(tls_con) failed",0);
2039 if ( mode == SSL_CLIENT )
2040 SSL_set_session(tls_con, SSL_get_session(tls_conx));
2042 if (tls_conx->kssl_ctx) {
2043 kssl_ctx_free(tls_conx->kssl_ctx);
2044 tls_conx->kssl_ctx = NULL;
2046 #endif /* SSL_KRB5 */
2051 /* I don't know why this does not work to reuse the connection. */
2054 SSL_set_session(ssl_con,NULL);
2055 SSL_set_accept_state(ssl_con) ;
2057 ssl_con=(SSL *)SSL_new(ssl_ctx);
2059 debug(F110,"ssl_tn_init","SSL_new(ssl_ctx) failed",0);
2068 SSL_set_session(tls_con,NULL);
2069 SSL_set_accept_state(tls_con) ;
2071 tls_con=(SSL *)SSL_new(tls_ctx);
2073 debug(F110,"ssl_tn_init","SSL_new(tls_ctx) failed",0);
2079 #endif /* COMMENT */
2082 #ifndef KRB5_SERVICE_NAME
2083 #define KRB5_SERVICE_NAME "host"
2086 if (ssl_con->kssl_ctx == NULL)
2087 ssl_con->kssl_ctx = kssl_ctx_new();
2088 if (tls_con->kssl_ctx == NULL)
2089 tls_con->kssl_ctx = kssl_ctx_new();
2090 if (mode == SSL_SERVER) {
2091 if (ssl_con->kssl_ctx != NULL)
2092 kssl_ctx_setstring(ssl_con->kssl_ctx, KSSL_KEYTAB, k5_keytab);
2093 if (tls_con->kssl_ctx != NULL)
2094 kssl_ctx_setstring(tls_con->kssl_ctx, KSSL_KEYTAB, k5_keytab);
2096 if (ssl_con->kssl_ctx != NULL)
2097 kssl_ctx_setstring(ssl_con->kssl_ctx, KSSL_SERVER, szHostName);
2098 if (tls_con->kssl_ctx != NULL)
2099 kssl_ctx_setstring(tls_con->kssl_ctx, KSSL_SERVER, szHostName);
2101 kssl_ctx_setstring(ssl_con->kssl_ctx, KSSL_SERVICE,
2102 krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME);
2103 kssl_ctx_setstring(tls_con->kssl_ctx, KSSL_SERVICE,
2104 krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME);
2105 #endif /* SSL_KRB5 */
2107 if (ssl_cipher_list) {
2108 SSL_set_cipher_list(ssl_con,ssl_cipher_list);
2109 SSL_set_cipher_list(tls_con,ssl_cipher_list);
2112 if (p = getenv("SSL_CIPHER")) {
2113 SSL_set_cipher_list(ssl_con,p);
2114 SSL_set_cipher_list(tls_con,p);
2116 SSL_set_cipher_list(ssl_con,DEFAULT_CIPHER_LIST);
2117 SSL_set_cipher_list(tls_con,DEFAULT_CIPHER_LIST);
2121 ssl_verify_depth = -1;
2123 if ( ssl_debug_flag )
2124 printf("SSL/TLS init done!\r\n");
2126 ssl_initialized = 1;
2127 last_ssl_mode = mode;
2128 debug(F110,"ssl_tn_init","done",0);
2135 ssl_http_init(char * hostname)
2137 ssl_http_init(hostname) char * hostname;
2138 #endif /* CK_ANSIC */
2141 extern char * k5_keytab;
2142 extern char * krb5_d_srv;
2144 SSL * tls_conx=NULL;
2146 ssl_http_initialized = 0;
2148 if ( !ck_ssleay_is_installed() )
2150 debug(F110,"ssl_http_init",hostname,0);
2153 printf("SSL_DEBUG_FLAG on\r\n");
2155 if (!tls_http_ctx ) {
2157 /* too many web servers still do not support TLSv1 */
2158 tls_http_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());
2160 tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
2161 /* This can fail because we do not have RSA available */
2162 if ( !tls_http_ctx ) {
2163 debug(F110,"ssl_http_init","SSLv23_client_method failed",0);
2164 tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
2166 #endif /* COMMENT */
2167 if ( !tls_http_ctx ) {
2168 debug(F110,"ssl_http_init","TLSv1_client_method failed",0);
2172 SSL_CTX_set_client_cert_cb(tls_http_ctx,ssl_client_cert_callback);
2173 #endif /* USE_CERT_CB */
2176 SSL_CTX_set_default_passwd_cb(tls_http_ctx,
2177 (pem_password_cb *)ssl_passwd_callback);
2179 /* for SSL switch on all the interoperability and bug
2180 * workarounds so that we will communicate with people
2181 * that cannot read poorly written specs :-)
2182 * for TLS be sure to prevent use of SSLv2
2184 SSL_CTX_set_options(tls_http_ctx,
2185 SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
2187 SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);
2190 SSL_CTX_set_session_cache_mode(tls_http_ctx,SSL_SESS_CACHE_CLIENT);
2191 SSL_CTX_set_session_id_context(tls_http_ctx,(CHAR *)"3",1);
2193 SSL_CTX_set_session_cache_mode(tls_http_ctx,SSL_SESS_CACHE_OFF);
2194 #endif /* COMMENT */
2196 /* make sure we will find certificates in the standard
2197 * location ... otherwise we don't look anywhere for
2198 * these things which is going to make client certificate
2199 * exchange rather useless :-)
2205 /* The defaults in the SSL crypto library are not appropriate for OS/2 */
2206 char path[CKMAXPATH];
2208 ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL);
2209 if (SSL_CTX_load_verify_locations(tls_http_ctx,NULL,path) == 0) {
2210 debug(F110,"ssl_http_init unable to load path",path,0);
2212 printf("?Unable to load verify-dir: %s\r\n",path);
2215 ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/certs",NULL,NULL);
2216 if (SSL_CTX_load_verify_locations(tls_http_ctx,NULL,path) == 0) {
2217 debug(F110,"ssl_http_init unable to load path",path,0);
2219 printf("?Unable to load verify-dir: %s\r\n",path);
2222 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/certs",NULL,NULL);
2223 if (SSL_CTX_load_verify_locations(tls_http_ctx,NULL,path) == 0) {
2224 debug(F110,"ssl_http_init unable to load path",path,0);
2226 printf("?Unable to load verify-dir: %s\r\n",path);
2229 ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL);
2230 if (SSL_CTX_load_verify_locations(tls_http_ctx,path,NULL) == 0) {
2231 debug(F110,"ssl_http_init unable to load path",path,0);
2233 printf("?Unable to load verify-file: %s\r\n",path);
2236 ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_certs.pem",NULL,NULL);
2237 if (SSL_CTX_load_verify_locations(tls_http_ctx,path,NULL) == 0) {
2238 debug(F110,"ssl_http_init unable to load path",path,0);
2240 printf("?Unable to load verify-file: %s\r\n",path);
2243 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_certs.pem",NULL,NULL);
2244 if (SSL_CTX_load_verify_locations(tls_http_ctx,path,NULL) == 0) {
2245 debug(F110,"ssl_http_init unable to load path",path,0);
2247 printf("?Unable to load verify-file: %s\r\n",path);
2252 /* The defaults in the SSL crypto library are not appropriate for OS/2 */
2253 char path[CKMAXPATH];
2255 ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL);
2256 if (SSL_CTX_load_verify_locations(tls_http_ctx,NULL,path) == 0) {
2257 debug(F110,"ssl_http_init unable to load path",path,0);
2259 printf("?Unable to load verify-dir: %s\r\n",path);
2261 ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL);
2262 if (SSL_CTX_load_verify_locations(tls_http_ctx,path,NULL) == 0) {
2263 debug(F110,"ssl_http_init unable to load path",path,0);
2265 printf("?Unable to load verify-file: %s\r\n",path);
2270 SSL_CTX_set_default_verify_paths(tls_http_ctx);
2273 if (ssl_verify_file &&
2274 SSL_CTX_load_verify_locations(tls_http_ctx,ssl_verify_file,NULL) == 0) {
2275 debug(F110,"ssl_http_init unable to load ssl_verify_file",ssl_verify_file,0);
2277 printf("?Unable to load verify-file: %s\r\n",ssl_verify_file);
2279 if (ssl_verify_dir &&
2280 SSL_CTX_load_verify_locations(tls_http_ctx,NULL,ssl_verify_dir) == 0) {
2281 debug(F110,"ssl_http_init unable to load ssl_verify_dir",ssl_verify_dir,0);
2283 printf("?Unable to load verify-dir: %s\r\n",ssl_verify_dir);
2286 SSL_CTX_set_verify(tls_http_ctx,ssl_verify_flag,
2287 ssl_client_verify_callback);
2289 /* Free the existing CRL Store */
2291 X509_STORE_free(crl_store);
2295 /* set up the new CRL Store */
2296 crl_store = X509_STORE_new();
2299 char path[CKMAXPATH];
2301 ckmakmsg(path,CKMAXPATH,exedir,"crls",NULL,NULL);
2302 if (X509_STORE_load_locations(crl_store,NULL,path) == 0) {
2303 debug(F110,"ssl_http_init unable to load dir",path,0);
2305 printf("?Unable to load crl-dir: %s\r\n",path);
2308 ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/crls",NULL,NULL);
2309 if (X509_STORE_load_locations(crl_store,NULL,path) == 0) {
2310 debug(F110,"ssl_http_init unable to load dir",path,0);
2312 printf("?Unable to load crl-dir: %s\r\n",path);
2314 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/crls",NULL,NULL);
2315 if (X509_STORE_load_locations(crl_store,NULL,path) == 0) {
2316 debug(F110,"ssl_http_init unable to load dir",path,0);
2318 printf("?Unable to load crl-dir: %s\r\n",path);
2322 ckmakmsg(path,CKMAXPATH,exedir,"ca_crls.pem",NULL,NULL);
2323 if (X509_STORE_load_locations(crl_store,path,NULL) == 0) {
2324 debug(F110,"ssl_http_init unable to load file",path,0);
2326 printf("?Unable to load crl-file: %s\r\n",path);
2329 ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_crls.pem",NULL,NULL);
2330 if (X509_STORE_load_locations(crl_store,path,NULL) == 0) {
2331 debug(F110,"ssl_http_init unable to load file",path,0);
2333 printf("?Unable to load crl-file: %s\r\n",path);
2335 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_crls.pem",NULL,NULL);
2336 if (X509_STORE_load_locations(crl_store,path,NULL) == 0) {
2337 debug(F110,"ssl_http_init unable to load file",path,0);
2339 printf("?Unable to load crl-file: %s\r\n",path);
2344 if (ssl_crl_file || ssl_crl_dir) {
2346 X509_STORE_load_locations(crl_store,ssl_crl_file,NULL) == 0) {
2347 debug(F110,"ssl_http_init unable to load ssl_crl_file",ssl_crl_file,0);
2349 printf("?Unable to load crl-file: %s\r\n",ssl_crl_file);
2352 X509_STORE_load_locations(crl_store,NULL,ssl_crl_dir) == 0) {
2353 debug(F110,"ssl_http_init unable to load ssl_crl_dir",ssl_crl_dir,0);
2355 printf("?Unable to load crl-dir: %s\r\n",ssl_crl_dir);
2358 X509_STORE_set_default_paths(crl_store);
2363 tls_conx = tls_http_con;
2364 tls_http_con=(SSL *)SSL_new(tls_http_ctx);
2365 if ( !tls_http_con ) {
2366 debug(F110,"ssl_http_init","SSL_new(tls_http_con) failed",0);
2367 tls_http_con = tls_conx;
2371 SSL_set_session(tls_http_con, SSL_get_session(tls_conx));
2373 if (tls_conx->kssl_ctx) {
2374 kssl_ctx_free(tls_conx->kssl_ctx);
2375 tls_conx->kssl_ctx = NULL;
2377 #endif /* SSL_KRB5 */
2382 /* I don't know why this does not work to reuse the connection. */
2383 if ( tls_http_con ) {
2384 SSL_clear(tls_http_con);
2385 SSL_set_session(tls_http_con,NULL);
2386 SSL_set_accept_state(tls_http_con) ;
2388 tls_http_con=(SSL *)SSL_new(tls_http_ctx);
2389 if ( !tls_http_con ) {
2390 debug(F110,"ssl_http_init","SSL_new(tls_http_ctx) failed",0);
2391 tls_http_con = tls_conx;
2395 #endif /* COMMENT */
2398 #ifndef KRB5_SERVICE_NAME
2399 #define KRB5_SERVICE_NAME "host"
2402 if (tls_http_con->kssl_ctx == NULL)
2403 tls_http_con->kssl_ctx = kssl_ctx_new();
2404 if (tls_http_con->kssl_ctx != NULL)
2405 kssl_ctx_setstring(tls_http_con->kssl_ctx, KSSL_SERVER, hostname);
2407 kssl_ctx_setstring(tls_http_con->kssl_ctx, KSSL_SERVICE,
2408 krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME);
2409 #endif /* SSL_KRB5 */
2411 if (ssl_cipher_list)
2412 SSL_set_cipher_list(tls_http_con,ssl_cipher_list);
2415 if (p = getenv("SSL_CIPHER")) {
2416 SSL_set_cipher_list(tls_http_con,p);
2418 SSL_set_cipher_list(tls_http_con,DEFAULT_CIPHER_LIST);
2422 ssl_verify_depth = -1;
2424 if ( ssl_debug_flag )
2425 printf("SSL/TLS init done!\r\n");
2427 ssl_http_initialized = 1;
2433 ssl_get_dNSName(ssl) SSL * ssl;
2435 static char *dns = NULL;
2436 X509 *server_cert = NULL;
2438 X509_EXTENSION *ext = NULL;
2439 STACK_OF(GENERAL_NAME) *ialt = NULL;
2440 GENERAL_NAME *gen = NULL;
2447 if (server_cert = SSL_get_peer_certificate(ssl)) {
2448 if ((i = X509_get_ext_by_NID(server_cert, NID_subject_alt_name, -1))<0)
2450 if (!(ext = X509_get_ext(server_cert, i)))
2452 X509V3_add_standard_extensions();
2453 if (!(ialt = X509V3_EXT_d2i(ext)))
2455 for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
2456 gen = sk_GENERAL_NAME_value(ialt, i);
2457 if (gen->type == GEN_DNS) {
2458 if (!gen->d.ia5 || !gen->d.ia5->length)
2460 if (strlen(gen->d.ia5->data) != gen->d.ia5->length) {
2461 /* Ignoring IA5String containing null character */
2464 dns = malloc(gen->d.ia5->length + 1);
2466 memcpy(dns, gen->d.ia5->data, gen->d.ia5->length);
2467 dns[gen->d.ia5->length] = 0;
2472 X509V3_EXT_cleanup();
2475 if (ialt) sk_GENERAL_NAME_free(ialt);
2476 if (server_cert) X509_free(server_cert);
2481 ssl_get_commonName(ssl) SSL * ssl; {
2482 static char name[256];
2488 if (server_cert = SSL_get_peer_certificate(ssl)) {
2490 X509_NAME_get_text_by_NID(X509_get_subject_name(server_cert),
2491 NID_commonName, name, sizeof(name));
2492 X509_free(server_cert);
2494 if (name_text_len <= 0) {
2495 /* Common Name was empty or not retrieved */
2497 } else if (strlen(name) != name_text_len) {
2498 /* Ignoring Common Name containing null character */
2510 ssl_get_issuer_name(ssl) SSL * ssl;
2512 static char name[256];
2516 if (server_cert = SSL_get_peer_certificate(ssl)) {
2517 X509_NAME_oneline(X509_get_issuer_name(server_cert),name,sizeof(name));
2518 X509_free(server_cert);
2523 fprintf(stderr, "Warning: No certificate from server!\r\n");
2524 #endif /* COMMENT */
2530 ssl_get_subject_name(ssl) SSL * ssl;
2532 static char name[256];
2536 if (server_cert = SSL_get_peer_certificate(ssl)) {
2537 X509_NAME_oneline(X509_get_subject_name(server_cert),name,sizeof(name));
2538 X509_free(server_cert);
2547 && !(ck_ssleay_is_installed() &&
2548 (tls_active_flag || ssl_active_flag) &&
2549 ssl_anonymous_cipher(tls_active_flag?tls_con:ssl_con))
2553 ssl_anonymous_cipher(ssl) SSL * ssl;
2558 cert = SSL_get_certificate(ssl);
2560 cert = SSL_get_peer_certificate(ssl);
2568 #endif /* COMMENT */
2571 This one is (very much!) based on work by
2572 Ralf S. Engelschall <rse@engelschall.com>.
2576 ssl_verify_crl(int ok, X509_STORE_CTX *ctx)
2579 X509_NAME *subject = NULL;
2580 X509_NAME *issuer = NULL;
2582 X509_CRL *crl = NULL;
2583 X509_REVOKED *revoked = NULL;
2584 X509_STORE_CTX * store_ctx = NULL;
2592 * Unless a revocation store for CRLs was created we
2593 * cannot do any CRL-based verification, of course.
2598 store_ctx = X509_STORE_CTX_new();
2603 * Determine certificate ingredients in advance
2605 xs = X509_STORE_CTX_get_current_cert(ctx);
2606 subject = X509_get_subject_name(xs);
2607 issuer = X509_get_issuer_name(xs);
2610 * OpenSSL provides the general mechanism to deal with CRLs but does not
2611 * use them automatically when verifying certificates, so we do it
2612 * explicitly here. We will check the CRL for the currently checked
2613 * certificate, if there is such a CRL in the store.
2615 * We come through this procedure for each certificate in the certificate
2616 * chain, starting with the root-CA's certificate. At each step we've to
2617 * both verify the signature on the CRL (to make sure it's a valid CRL)
2618 * and it's revocation list (to make sure the current certificate isn't
2619 * revoked). But because to check the signature on the CRL we need the
2620 * public key of the issuing CA certificate (which was already processed
2621 * one round before), we've a little problem. But we can both solve it and
2622 * at the same time optimize the processing by using the following
2623 * verification scheme (idea and code snippets borrowed from the GLOBUS
2626 * 1. We'll check the signature of a CRL in each step when we find a CRL
2627 * through the _subject_ name of the current certificate. This CRL
2628 * itself will be needed the first time in the next round, of course.
2629 * But we do the signature processing one round before this where the
2630 * public key of the CA is available.
2632 * 2. We'll check the revocation list of a CRL in each step when
2633 * we find a CRL through the _issuer_ name of the current certificate.
2634 * This CRLs signature was then already verified one round before.
2636 * This verification scheme allows a CA to revoke its own certificate as
2641 * Try to retrieve a CRL corresponding to the _subject_ of
2642 * the current certificate in order to verify it's integrity.
2644 memset((char *)&obj, 0, sizeof(obj));
2645 X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL);
2646 rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, &obj);
2647 X509_STORE_CTX_cleanup(store_ctx);
2649 if (rc > 0 && crl != NULL) {
2651 * Verify the signature on this CRL
2653 if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) {
2654 fprintf(stderr, "Invalid signature on CRL!\n");
2655 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
2656 X509_OBJECT_free_contents(&obj);
2657 X509_STORE_CTX_free(store_ctx);
2662 * Check date of CRL to make sure it's not expired
2664 i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
2666 fprintf(stderr, "Found CRL has invalid nextUpdate field.\n");
2667 X509_STORE_CTX_set_error(ctx,
2668 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
2669 X509_OBJECT_free_contents(&obj);
2670 X509_STORE_CTX_free(store_ctx);
2675 "Found CRL is expired - revoking all certificates until you get updated CRL.\n"
2677 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
2678 X509_OBJECT_free_contents(&obj);
2679 X509_STORE_CTX_free(store_ctx);
2682 X509_OBJECT_free_contents(&obj);
2686 * Try to retrieve a CRL corresponding to the _issuer_ of
2687 * the current certificate in order to check for revocation.
2689 memset((char *)&obj, 0, sizeof(obj));
2690 X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL);
2691 rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, &obj);
2692 X509_STORE_CTX_free(store_ctx); /* calls X509_STORE_CTX_cleanup() */
2694 if (rc > 0 && crl != NULL) {
2696 * Check if the current certificate is revoked by this CRL
2698 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
2699 for (i = 0; i < n; i++) {
2700 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
2701 if (ASN1_INTEGER_cmp(revoked->serialNumber,
2702 X509_get_serialNumber(xs)) == 0) {
2704 serial = ASN1_INTEGER_get(revoked->serialNumber);
2705 cp = X509_NAME_oneline(issuer, NULL, 0);
2708 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
2709 X509_OBJECT_free_contents(&obj);
2713 X509_OBJECT_free_contents(&obj);
2719 tls_userid_from_client_cert(ssl) SSL * ssl;
2721 static char cn[256];
2722 static char *r = cn;
2726 if (client_cert = SSL_get_peer_certificate(ssl)) {
2727 /* call the custom function */
2728 err = X509_to_user(client_cert, cn, sizeof(cn));
2729 X509_free(client_cert);
2740 tls_get_SAN_objs(SSL * ssl, int type)
2741 /* returns NULL or an array of malloc'ed objects of type `type' from the server's
2742 * subjectAltName, remember to free() them all!
2745 #define NUM_SAN_OBJS 64
2746 static unsigned char *objs[NUM_SAN_OBJS];
2747 unsigned char **rv = NULL;
2748 X509 *server_cert = NULL;
2750 X509_EXTENSION *ext = NULL;
2751 STACK_OF(GENERAL_NAME) *ialt = NULL;
2752 GENERAL_NAME *gen = NULL;
2754 memset(objs, 0, sizeof(objs));
2755 if (server_cert = SSL_get_peer_certificate(ssl)) {
2756 if ((i = X509_get_ext_by_NID(server_cert, NID_subject_alt_name, -1)) < 0)
2758 if (!(ext = X509_get_ext(server_cert, i)))
2760 X509V3_add_standard_extensions();
2761 if (!(ialt = X509V3_EXT_d2i(ext)))
2764 for (i = 0, j = 0; i < sk_GENERAL_NAME_num(ialt) && j < NUM_SAN_OBJS - 2; i++) {
2765 gen = sk_GENERAL_NAME_value(ialt, i);
2766 /* The use of V_ASN1_CONTEXT_SPECIFIC is because OpenSSL 0.9.6 defined its
2767 * types | V_ASN1_CONTEXT_SPECIFIC. 0.9.7 does not. In case, we are built
2768 * with one and linked to the other we use this hack.
2770 if ((gen->type | V_ASN1_CONTEXT_SPECIFIC) == (type | V_ASN1_CONTEXT_SPECIFIC)) {
2771 if (!gen->d.ia5 || !gen->d.ia5->length)
2773 if (strlen(gen->d.ia5->data) != gen->d.ia5->length) {
2774 /* Ignoring IA5String containing null character */
2777 objs[j] = malloc(gen->d.ia5->length + 1);
2779 memcpy(objs[j], gen->d.ia5->data, gen->d.ia5->length);
2780 objs[j][gen->d.ia5->length] = 0;
2785 X509V3_EXT_cleanup();
2788 if (ialt) sk_GENERAL_NAME_free(ialt);
2789 if (server_cert) X509_free(server_cert);
2795 dNSName_cmp(const char *host, const char *dNSName)
2797 int c1 = 1, c2 = 1, num_comp, rv = -1;
2798 char *p, *p1, *p2, *host_copy=NULL, *dNSName_copy=NULL;
2800 /* first we count the number of domain name components in both parameters.
2801 * they should be equal many, or it's not a match
2804 while (p = strstr(p, ".")) {
2808 p = (char *) dNSName;
2809 while (p = strstr(p, ".")) {
2817 makestr(&host_copy,host);
2818 makestr(&dNSName_copy,dNSName);
2819 if (host_copy == NULL || dNSName_copy == NULL)
2821 /* make substrings by replacing '.' with '\0' */
2823 while (p = strstr(p, ".")) {
2828 while (p = strstr(p, ".")) {
2833 /* compare each component */
2836 for (; num_comp; num_comp--) {
2837 if (!ckmatch(p2, p1,0,1))
2840 p1 += strlen(p1) + 1;
2841 p2 += strlen(p2) + 1;
2847 if (dNSName_copy) free(dNSName_copy);
2848 if (host_copy) free(host_copy);
2855 show_hostname_warning(char *s1, char *s2)
2860 ckmakxmsg(prefix,1024,
2861 "Warning: Hostname (\"", s1,
2862 "\") does not match server's certificate (\"", s2, "\")",
2863 NULL,NULL,NULL,NULL,NULL,NULL,NULL);
2864 if (ssl_verify_flag)
2889 #define inet_aton INET_ATON
2890 #endif /* DEC_TCPIP */
2892 #ifndef NO_DCL_INET_ATON
2894 inet_aton(char * ipaddress, struct in_addr * ia) {
2895 struct stringarray * q;
2901 q = cksplit(1,0,ipaddress,".","0123456789abcdefACDEF",8,0,0);
2902 if (q->a_size == 4) {
2903 dummy.b[0] = atoi(q->a_head[1]);
2904 dummy.b[1] = atoi(q->a_head[2]);
2905 dummy.b[2] = atoi(q->a_head[3]);
2906 dummy.b[3] = atoi(q->a_head[4]);
2907 ia->s_addr = dummy.l;
2908 return(ia->s_addr != 0);
2912 #endif /* NO_DCL_INET_ATON */
2915 #endif /* SOLARIS7 */
2916 #endif /* SOLARIS8 */
2917 #endif /* SOLARIS9 */
2922 #endif /* NETBSD15 */
2923 #endif /* FREEBSD4 */
2924 #endif /* OpenBSD */
2925 #endif /* SCO_OSR505 */
2926 #endif /* HPUX1100 */
2931 ssl_check_server_name(SSL * ssl, char * hostname)
2932 /* returns 0 if hostname and server's cert matches, else -1 */
2935 unsigned char ** dNSName;
2936 unsigned char ** ipAddress;
2941 if (verbosity && !inserver) {
2942 if (dNSName = tls_get_SAN_objs(ssl,GEN_DNS)) {
2944 for (i = 0; dNSName[i]; i++) {
2945 printf("Certificate[0] altSubjectName DNS=%s\r\n",dNSName[i]);
2949 if (ipAddress = tls_get_SAN_objs(ssl,GEN_IPADD)) {
2954 for (i = 0; ipAddress[i]; i++) {
2956 ia.s_addr = *(unsigned long *)ipAddress[i];
2957 server_ip = inet_ntoa(ia);
2958 printf("Certificate[0] altSubjectName IPAddr=%s\r\n",server_ip);
2962 /* ipAddress points to a static - don't free */
2964 if (dNSName = tls_get_SAN_objs(ssl,GEN_EMAIL)) {
2966 for (i = 0; dNSName[i]; i++) {
2967 printf("Certificate[0] altSubjectName Email=%s\r\n",dNSName[i]);
2971 if (dNSName = tls_get_SAN_objs(ssl,GEN_URI)) {
2973 for (i = 0; dNSName[i]; i++) {
2974 printf("Certificate[0] altSubjectName URI=%s\r\n",dNSName[i]);
2978 if (dNSName = tls_get_SAN_objs(ssl,GEN_OTHERNAME)) {
2980 for (i = 0; dNSName[i]; i++) {
2981 printf("Certificate[0] altSubjectName Other=%s\r\n",dNSName[i]);
2987 /* first we check if `hostname' is in fact an ip address */
2988 if (inet_aton(hostname, &ia)) {
2989 ipAddress = tls_get_SAN_objs(ssl,GEN_IPADD);
2992 char *server_ip = "UNKNOWN";
2994 for (i = 0; ipAddress[i]; i++)
2995 if (*(unsigned long *)ipAddress[i] == ia.s_addr)
2998 if (ipAddress[i - 1]) {
2999 ia.s_addr = *(unsigned long *)ipAddress[i - 1];
3000 server_ip = inet_ntoa(ia);
3002 rv = show_hostname_warning(hostname, server_ip) ? 0 : -1;
3003 for (i = 0; ipAddress[i]; i++)
3006 rv = show_hostname_warning(hostname, "NO IP IN CERT") ? 0 : -1;
3011 /* look for dNSName(s) in subjectAltName in the server's certificate */
3012 dNSName = tls_get_SAN_objs(ssl,GEN_DNS);
3015 for (i = 0; dNSName[i]; i++) {
3016 if (!dNSName_cmp(hostname,(char *)dNSName[i]))
3019 rv = show_hostname_warning(hostname,
3020 (char *)((dNSName[i - 1] == NULL) ?
3021 (char *)"UNKNOWN" : (char *)dNSName[i - 1]))
3023 for (i = 0; dNSName[i]; i++)
3026 } else if ((commonName = ssl_get_commonName(ssl))) {
3027 /* so the server didn't have any dNSName's, check the commonName */
3028 if (!dNSName_cmp(hostname, commonName))
3031 return (show_hostname_warning(hostname, commonName) ? 0 : -1);
3036 /* Is 'user' authorized to access the system without a login */
3038 tls_is_user_valid(SSL * ssl, const char *user)
3043 if ( !ssl || !user || !user[0] )
3046 if (!(client_cert = SSL_get_peer_certificate(ssl)))
3049 /* Use user supplied function */
3050 r = X509_userok(client_cert,user);
3052 X509_free(client_cert);
3060 SSL_CIPHER * cipher;
3066 case 1: /* ftp command */
3067 if ( ssl_ftp_active_flag )
3072 case 2: /* ftp data */
3073 if ( ssl_ftp_data_active_flag )
3074 ssl = ssl_ftp_data_con;
3081 if (tls_active_flag)
3083 else if (ssl_active_flag)
3089 cipher = SSL_get_current_cipher(ssl);
3090 if (SSL_CIPHER_description(cipher,buf,sizeof(buf))) {
3091 if (ckindex("Au=None",buf,0,0,0) != 0)
3092 return(1); /* anonymous */
3093 return(0); /* known */
3095 /* could not get cipher description. Assume anonymous */
3104 SSL_CIPHER * cipher;
3110 case 1: /* ftp command */
3111 if ( ssl_ftp_active_flag )
3116 case 2: /* ftp data */
3117 if ( ssl_ftp_data_active_flag )
3118 ssl = ssl_ftp_data_con;
3126 if ( tls_http_active_flag )
3131 if (tls_active_flag)
3133 else if (ssl_active_flag)
3139 cipher = SSL_get_current_cipher(ssl);
3140 if (cipher && SSL_CIPHER_description(cipher,buf,sizeof(buf))) {
3141 if (ckindex("Au=KRB5",buf,0,0,0) != 0)
3142 return(1); /* krb5 */
3144 return(0); /* not */
3148 ssl_get_client_finished(char *buf, int count)
3150 #ifdef NO_GET_FINISHED
3153 if (sstelnet || tcp_incoming) {
3154 return(SSL_get_peer_finished(ssl_active_flag?ssl_con:tls_con,
3157 return(SSL_get_finished(ssl_active_flag?ssl_con:tls_con,
3160 #endif /* NO_GET_FINISHED */
3164 ssl_get_server_finished(char *buf, int count)
3166 #ifdef NO_GET_FINISHED
3169 if (sstelnet || tcp_incoming) {
3170 return(SSL_get_finished(ssl_active_flag?ssl_con:tls_con,
3173 return(SSL_get_peer_finished(ssl_active_flag?ssl_con:tls_con,
3176 #endif /* NO_GET_FINISHED */
3180 #ifdef CK_AUTHENTICATION
3183 ssl_reply(int how, unsigned char *data, int cnt)
3185 ssl_reply(how,data,cnt) int how; unsigned char *data; int cnt;
3191 data += 4; /* Point to status byte */
3195 auth_finished(AUTH_REJECT);
3196 return AUTH_FAILURE;
3201 if (tn_deb || debses)
3202 tn_debug("[SSL - handshake starting]");
3203 else if ( verbosity )
3204 printf("[SSL - handshake starting]\r\n");
3205 debug(F110,"ssl_reply","[SSL - handshake starting]",0);
3207 /* right ... now we drop into the SSL library */
3208 if (!ssl_only_flag) {
3209 if (ssl_dummy_flag) {
3210 if (tn_deb || debses)
3211 tn_debug("[SSL - Dummy Connected]");
3212 else if ( verbosity ) {
3213 printf("[SSL - Dummy Connected]\r\n");
3215 debug(F110,"ssl_reply","[SSL - Dummy Connected]",0);
3216 auth_finished(AUTH_UNKNOWN);
3217 accept_complete = 1;
3218 return AUTH_SUCCESS;
3221 if (SSL_connect(ssl_con) <= 0) {
3223 if (tn_deb || debses) {
3224 tn_debug("[SSL - FAILED]");
3225 ERR_print_errors(bio_err);
3226 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
3227 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
3229 } else if ( verbosity ) {
3230 printf("[SSL - FAILED]\r\n");
3231 ERR_print_errors(bio_err);
3232 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
3233 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
3236 debug(F110,"ssl_reply","[SSL - FAILED]",0);
3237 auth_finished(AUTH_REJECT);
3239 return AUTH_FAILURE;
3241 if (tn_deb || debses)
3242 tn_debug("[SSL - OK]");
3243 else if ( verbosity ) {
3244 printf("[SSL - OK]\r\n");
3246 debug(F110,"ssl_reply","[SSL - OK]",0);
3248 ssl_active_flag = 1;
3249 ssl_display_connect_details(ssl_con,0,verbosity);
3252 auth_finished(AUTH_UNKNOWN);
3253 accept_complete = 1;
3257 if (tn_deb || debses) {
3259 "[SSL - failed to switch on SSL - trying plaintext login]");
3260 } else if ( verbosity ) {
3261 printf("[SSL - failed to switch on SSL]\r\n");
3262 printf("Trying plaintext login:\r\n");
3264 debug(F110,"ssl_reply","[SSL - failed to switch on SSL]",0);
3265 auth_finished(AUTH_REJECT);
3266 return AUTH_FAILURE;
3269 return AUTH_FAILURE;
3271 return AUTH_SUCCESS;
3276 ssl_is(unsigned char *data, int cnt)
3278 ssl_is(data,cnt) unsigned char *data; int cnt;
3282 return AUTH_FAILURE;
3288 /* server starts the SSL stuff now ... */
3289 if (!ssl_only_flag) {
3290 if ( !tls_load_certs(ssl_ctx,ssl_con,1) ) {
3291 auth_finished(AUTH_REJECT);
3292 return AUTH_FAILURE;
3295 if (tn_deb || debses)
3296 tn_debug("[SSL - handshake starting]");
3297 else if ( verbosity )
3298 printf("[SSL - handshake starting]\r\n");
3299 debug(F110,"ssl_is","[SSL - handshake starting]",0);
3301 SendSSLAuthSB(SSL_ACCEPT, (void *)0, 0);
3305 if (ssl_dummy_flag) {
3306 if (tn_deb || debses)
3307 tn_debug("[SSL - Dummy Connected]");
3308 else if ( verbosity ) {
3309 printf("[SSL - Dummy Connected]\r\n");
3311 debug(F110,"ssl_is","[SSL - Dummy Connected]",0);
3312 accept_complete = 1;
3313 auth_finished(AUTH_UNKNOWN);
3314 return AUTH_SUCCESS;
3317 if (SSL_accept(ssl_con) <= 0) {
3320 sprintf(errbuf,"[SSL - SSL_accept error: %s",
3321 ERR_error_string(ERR_get_error(),NULL));
3323 if (tn_deb || debses)
3325 else if ( ssl_debug_flag )
3326 printf("%s\r\n",errbuf);
3327 else if ( verbosity )
3328 printf("[SSL - SSL_accept error]\r\n");
3330 debug(F110,"ssl_is",errbuf,0);
3332 auth_finished(AUTH_REJECT);
3334 return AUTH_FAILURE;
3337 if (tn_deb || debses)
3338 tn_debug("[SSL - OK]");
3339 else if ( verbosity ) {
3340 printf("[SSL - OK]\r\n");
3342 debug(F110,"ssl_is","[SSL - OK]",0);
3343 ssl_active_flag = 1;
3344 ssl_display_connect_details(ssl_con,1,verbosity);
3346 /* now check to see that we got exactly what we
3347 * wanted from the caller ... if a certificate is
3348 * required then we make 100% sure that we were
3349 * given one during the handshake (as it is an optional
3354 if ( tls_is_krb5(0) ) {
3355 if (ssl_con->kssl_ctx->client_princ)
3356 debug(F110,"ssl_is KRB5",ssl_con->kssl_ctx->client_princ,0);
3358 #endif /* SSL_KRB5 */
3359 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
3360 X509 * peer = SSL_get_peer_certificate(ssl_con);
3362 if (tn_deb || debses)
3363 tn_debug("[SSL - peer check failed]");
3364 else if (ssl_debug_flag)
3365 printf("[SSL - peer check failed]\r\n");
3366 debug(F110,"ssl_is","[SSL - peer check failed]",0);
3368 /* LOGGING REQUIRED HERE! */
3369 auth_finished(AUTH_REJECT);
3370 return AUTH_FAILURE;
3373 auth_finished(AUTH_UNKNOWN);
3374 accept_complete = 1;
3379 SendSSLAuthSB(SSL_REJECT, (void *) "Unknown option received", -1);
3380 if (tn_deb || debses)
3381 tn_debug("[SSL - Unknown option received]");
3383 printf("Unknown SSL option %d\r\n", data[-1]);
3384 debug(F111,"ssl_is","[SSL - Unknown option received]",data[-1]);
3386 auth_finished(AUTH_REJECT);
3387 return(AUTH_FAILURE);
3389 return AUTH_SUCCESS;
3392 #endif /* CK_AUTHENTICATION */
3395 ck_tn_tls_negotiate(VOID)
3398 char str[256], *uid=NULL;
3399 extern int sstelnet;
3401 if ( !ck_ssleay_is_installed() )
3406 /* server starts the TLS stuff now ... */
3407 if (!tls_only_flag) {
3408 if ( !tls_load_certs(tls_ctx,tls_con,1) ) {
3409 auth_finished(AUTH_REJECT);
3413 if (tn_deb || debses)
3414 tn_debug("[TLS - handshake starting]");
3415 else if ( verbosity )
3416 printf("[TLS - handshake starting]\r\n");
3417 debug(F110,"ck_tn_tls_negotiate","[TLS - handshake starting]",0);
3419 if (ssl_dummy_flag) {
3420 if (tn_deb || debses)
3421 tn_debug("[TLS - Dummy Connected]");
3422 else if ( verbosity ) {
3423 printf("[TLS - Dummy Connected]\r\n");
3425 debug(F110,"ck_tn_tls_negotiate","[TLS - Dummy Connected]",0);
3426 accept_complete = 1;
3427 auth_finished(AUTH_REJECT);
3431 if (SSL_accept(tls_con) <= 0) {
3434 sprintf(errbuf,"[TLS - SSL_accept error: %s",
3435 ERR_error_string(ERR_get_error(),NULL));
3437 if (tn_deb || debses)
3439 else if ( ssl_debug_flag )
3440 printf("%s\r\n",errbuf);
3441 else if ( verbosity )
3442 printf("[TLS - SSL_accept error]\r\n");
3444 debug(F110,"ck_tn_tls_negotiate",errbuf,0);
3445 auth_finished(AUTH_REJECT);
3449 if (tn_deb || debses)
3450 tn_debug("[TLS - OK]");
3451 else if ( verbosity ) {
3452 printf("[TLS - OK]\r\n");
3455 debug(F110,"ck_tn_tls_negotiate","[TLS - OK]",0);
3456 tls_active_flag = 1;
3457 ssl_display_connect_details(tls_con,1,verbosity);
3461 if ( tls_is_krb5(0) ) {
3462 if (tls_con->kssl_ctx->client_princ) {
3464 ckstrncpy(szUserNameAuthenticated,
3465 tls_con->kssl_ctx->client_princ,
3467 ckstrncpy(szUserNameRequested,
3468 tls_con->kssl_ctx->client_princ,
3470 for ( p = szUserNameRequested; *p ; p++ ) {
3471 if ( *p == '@' || *p == '/' ) {
3477 szUserNameRequested[0] = '\0';
3478 szUserNameAuthenticated[0] = '\0';
3481 if (zvuser(szUserNameRequested))
3482 auth_finished(AUTH_VALID);
3484 #endif /* CK_LOGIN */
3485 auth_finished(AUTH_USER);
3487 #endif /* SSL_KRB5 */
3489 /* now check to see that we got exactly what we
3490 * wanted from the caller ... if a certificate is
3491 * required then we make 100% sure that we were
3492 * given one during the handshake (as it is an optional
3495 peer=SSL_get_peer_certificate(tls_con);
3497 debug(F100,"SSL_get_peer_certificate() == NULL","",0);
3498 auth_finished(AUTH_REJECT);
3499 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
3500 if (tn_deb || debses)
3501 tn_debug("[TLS - peer check failed]");
3502 else if (ssl_debug_flag) {
3503 printf("[TLS - peer check failed]\r\n");
3506 "ck_tn_tls_negotiate",
3507 "[TLS - peer check failed]",
3510 /* LOGGING REQUIRED HERE! */
3514 debug(F100,"SSL_get_peer_certificate() != NULL","",0);
3515 X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
3520 printf("[TLS - commonName=%s]\r\n",str);
3522 X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
3523 #ifndef NID_x500UniqueIdentifier
3524 NID_uniqueIdentifier,
3526 NID_x500UniqueIdentifier,
3532 printf("[TLS - uniqueIdentifier=%s]\r\n",str);
3534 /* Try to determine user name */
3535 uid = tls_userid_from_client_cert(tls_con);
3537 /* This code is very questionable.
3538 * How should it behave?
3539 * The client has presented a certificate that
3540 * contains a username. We have validated the
3541 * certificate but we do not automatically
3542 * log the user in unless there is a .tlslogin
3546 ckstrncpy(szUserNameRequested,uid,UIDBUFLEN);
3549 auth_finished(AUTH_VALID);
3551 #endif /* CK_LOGIN */
3552 auth_finished(AUTH_USER);
3555 szUserNameRequested[0] = '\0';
3556 auth_finished(AUTH_REJECT);
3564 if (tn_deb || debses)
3565 tn_debug("[TLS - handshake starting]");
3566 else if ( verbosity )
3567 printf("[TLS - handshake starting]\r\n");
3568 debug(F110,"ck_tn_tls_negotiate","[TLS - handshake starting]",0);
3570 /* right ... now we drop into the SSL library */
3571 if (!tls_only_flag) {
3572 char *subject=NULL, *issuer=NULL, *commonName=NULL, *dNSName=NULL;
3574 if (ssl_dummy_flag) {
3575 if (tn_deb || debses)
3576 tn_debug("[TLS - Dummy Connected]");
3577 else if ( verbosity ) {
3578 printf("[TLS - Dummy Connected]\r\n");
3580 debug(F110,"ck_tn_tls_negotiate","[TLS - Dummy Connected]",0);
3581 auth_finished(AUTH_REJECT);
3582 accept_complete = 1;
3587 if (!tls_load_certs(tls_ctx,tls_con,0))
3589 #endif /* USE_CERT_CB */
3590 if (SSL_connect(tls_con) <= 0) {
3592 if (tn_deb || debses) {
3593 tn_debug("[TLS - FAILED]");
3594 ERR_print_errors(bio_err);
3595 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
3596 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
3598 } else if ( verbosity ) {
3599 printf("[TLS - FAILED]\r\n");
3600 ERR_print_errors(bio_err);
3601 len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
3602 ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
3605 debug(F110,"ck_tn_tls_negotiate","[TLS - FAILED]",0);
3606 auth_finished(AUTH_REJECT);
3610 tls_active_flag = 1;
3611 if ( !ssl_certsok_flag && (ssl_verify_flag & SSL_VERIFY_PEER)
3612 && !tls_is_krb5(0)) {
3614 subject = ssl_get_subject_name(tls_con);
3617 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
3619 if (tn_deb || debses)
3620 tn_debug("[TLS - FAILED]");
3621 else if ( verbosity )
3622 printf("[TLS - FAILED]\r\n");
3623 debug(F110,"ck_tn_tls_negotiate","[TLS - FAILED]",0);
3624 auth_finished(AUTH_REJECT);
3628 ok = uq_ok("Warning: Server didn't provide a certificate",
3629 "Continue? (Y/N)", 3, NULL, 0);
3631 if (tn_deb || debses)
3632 tn_debug("[TLS - FAILED]");
3633 else if ( verbosity )
3634 printf("[TLS - FAILED]\r\n");
3636 "ck_tn_tls_negotiate","[TLS - FAILED]",0);
3637 auth_finished(AUTH_REJECT);
3641 } else if (ssl_check_server_name(tls_con, szHostName)) {
3642 if (tn_deb || debses)
3643 tn_debug("[TLS - FAILED]");
3644 else if ( verbosity )
3645 printf("[TLS - FAILED]\r\n");
3647 "ck_tn_tls_negotiate","[TLS - FAILED]",0);
3648 auth_finished(AUTH_REJECT);
3653 if ( ssl_debug_flag && ssl_finished_messages) {
3656 extern char tn_msg[], hexbuf[];
3659 len = ssl_get_client_finished(msg,len);
3661 for ( i=0;i<len;i++ ) {
3662 sprintf(hexbuf,"%02X ",msg[i]);
3663 ckstrncat(tn_msg,hexbuf,TN_MSG_LEN);
3665 printf("TLS client finished: %s\r\n",tn_msg);
3668 len = ssl_get_server_finished(msg,len);
3670 for ( i=0;i<len;i++ ) {
3671 sprintf(hexbuf,"%02X ",msg[i]);
3672 ckstrncat(tn_msg,hexbuf,TN_MSG_LEN);
3674 printf("TLS server finished: %s\r\n",tn_msg);
3678 if (tn_deb || debses)
3679 tn_debug("[TLS - OK]");
3680 else if ( verbosity )
3681 printf("[TLS - OK]\r\n");
3682 debug(F110,"ck_tn_tls_negotiate","[TLS - OK]",0);
3684 ssl_display_connect_details(tls_con,0,verbosity);
3686 auth_finished(AUTH_REJECT);
3688 accept_complete = 1;
3694 ck_ssl_incoming(fd) int fd;
3696 /* if we are not running in debug then any error
3697 * stuff from SSL debug *must* not go down
3698 * the socket (which 0,1,2 are all pointing to by
3705 if ( !ck_ssleay_is_installed() )
3708 /* do the SSL stuff now ... before we play with pty's */
3709 SSL_set_fd(ssl_con,fd);
3710 SSL_set_fd(tls_con,fd);
3712 if (tls_only_flag) {
3713 if (tn_deb || debses)
3714 tn_debug("[TLS - handshake starting]");
3715 else if ( verbosity )
3716 printf("[TLS - handshake starting]\r\n");
3717 debug(F110,"ck_ssl_incoming","[TLS - handshake starting]",0);
3719 /* hmm ... only when running talking to things like
3720 * https servers should we hit this code and then
3721 * we really don't care *who* we talk to :-)
3723 if (SSL_accept(tls_con) <= 0) {
3726 sprintf(errbuf,"[TLS - SSL_accept error: %s",
3727 ERR_error_string(ERR_get_error(),NULL));
3729 if (tn_deb || debses)
3731 else if ( ssl_debug_flag )
3732 printf("%s\r\n",errbuf);
3733 else if ( verbosity )
3734 printf("[TLS - SSL_accept error]\r\n");
3736 debug(F110,"ck_ssl_incoming",errbuf,0);
3739 if (tn_deb || debses)
3740 tn_debug("[TLS - OK]");
3741 else if ( verbosity )
3742 printf("[TLS - OK]\r\n");
3743 debug(F110,"ck_ssl_incoming","[TLS - OK]",0);
3744 tls_active_flag = 1;
3746 } else if (ssl_only_flag) {
3747 if (tn_deb || debses)
3748 tn_debug("[SSL - handshake starting]");
3749 else if ( verbosity )
3750 printf("[SSL - handshake starting]\r\n");
3751 debug(F110,"ck_ssl_incoming","[SSL - handshake starting]",0);
3753 /* hmm ... only when running talking to things like
3754 * https servers should we hit this code and then
3755 * we really don't care *who* we talk to :-)
3757 if (SSL_accept(ssl_con) <= 0) {
3760 sprintf(errbuf,"[SSL - SSL_accept error: %s",
3761 ERR_error_string(ERR_get_error(),NULL));
3763 if (tn_deb || debses)
3765 else if ( ssl_debug_flag )
3766 printf("%s\r\n",errbuf);
3767 else if ( verbosity )
3768 printf("[SSL - SSL_accept error]\r\n");
3770 debug(F110,"ck_ssl_incoming",errbuf,0);
3773 if (tn_deb || debses)
3774 tn_debug("[SSL - OK]");
3775 else if ( verbosity )
3776 printf("[SSL - OK]\r\n");
3777 debug(F110,"ssl_is","[SSL - OK]",0);
3778 ssl_active_flag = 1;
3781 if (ssl_active_flag || tls_active_flag) {
3783 char str[256], *uid=NULL;
3785 /* now check to see that we got exactly what we
3786 * wanted from the caller ... if a certificate is
3787 * required then we make 100% sure that we were
3788 * given on during the handshake (as it is an optional
3789 * part of SSL and TLS)
3792 if ( tls_active_flag ) {
3793 peer=SSL_get_peer_certificate(tls_con);
3794 } else if ( ssl_active_flag ) {
3795 peer=SSL_get_peer_certificate(ssl_con);
3799 debug(F100,"SSL_get_peer_certificate() == NULL","",0);
3800 auth_finished(AUTH_REJECT);
3802 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
3803 if (tn_deb || debses)
3804 tn_debug("[SSL/TLS - peer check failed]");
3805 else if (ssl_debug_flag) {
3806 printf("[SSL/TLS - peer check failed]\r\n");
3809 "ck_tn_tls_negotiate",
3810 "[SSL/TLS - peer check failed]",
3813 /* LOGGING REQUIRED HERE! */
3818 debug(F100,"SSL_get_peer_certificate() != NULL","",0);
3819 X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
3823 printf("[TLS - commonName=%s]\r\n",str);
3825 X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
3826 #ifndef NID_x500UniqueIdentifier
3827 NID_uniqueIdentifier,
3829 NID_x500UniqueIdentifier,
3833 printf("[TLS - uniqueIdentifier=%s]\r\n",str);
3835 /* Try to determine user name */
3836 uid = tls_userid_from_client_cert(tls_con);
3838 /* This code is very questionable.
3839 * How should it behave?
3840 * The client has presented a certificate that
3841 * contains a username. We have validated the
3842 * certificate but we do not automatically
3843 * log the user in unless there is a .tlslogin
3847 ckstrncpy(szUserNameRequested,uid,UIDBUFLEN);
3850 auth_finished(AUTH_VALID);
3852 #endif /* CK_LOGIN */
3853 auth_finished(AUTH_USER);
3856 szUserNameRequested[0] = '\0';
3857 auth_finished(AUTH_REJECT);
3861 return(0); /* success */
3865 ck_ssl_outgoing(fd) int fd;
3870 if ( !ck_ssleay_is_installed() )
3873 /* bind in the network descriptor */
3874 SSL_set_fd(ssl_con,fd);
3875 SSL_set_fd(tls_con,fd);
3877 /* If we are doing raw TLS then start it now ... */
3878 if (tls_only_flag) {
3880 if (!tls_load_certs(tls_ctx,tls_con,0)) {
3881 debug(F110,"ck_ssl_outgoing","tls_load_certs() failed",0);
3884 #endif /* USE_CERT_CB */
3885 if (tn_deb || debses)
3886 tn_debug("[TLS - handshake starting]");
3888 printf("[TLS - handshake starting]\r\n");
3889 debug(F110,"ck_ssl_outgoing","[TLS - handshake starting]",0);
3890 if (SSL_connect(tls_con) <= 0) {
3893 sprintf(errbuf,"[TLS - SSL_connect error: %s",
3894 ERR_error_string(ERR_get_error(),NULL));
3896 if (tn_deb || debses)
3898 else if ( ssl_debug_flag )
3899 printf("%s\r\n",errbuf);
3901 if (tn_deb || debses)
3902 tn_debug("[TLS - FAILED]");
3903 else if ( verbosity )
3904 printf("[TLS - FAILED]\r\n");
3905 debug(F110,"ck_ssl_outgoing","[TLS - FAILED]",0);
3909 tls_active_flag = 1;
3910 if ( !ssl_certsok_flag && (ssl_verify_flag & SSL_VERIFY_PEER) &&
3912 char *subject = ssl_get_subject_name(tls_con);
3915 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
3917 if (tn_deb || debses)
3918 tn_debug("[TLS - FAILED]");
3919 else if ( verbosity )
3920 printf("[TLS - FAILED]\r\n");
3921 debug(F110,"ck_tn_tls_negotiate","[TLS - FAILED]",0);
3923 auth_finished(AUTH_REJECT);
3928 ok = uq_ok("Warning: Server didn't provide a certificate",
3929 "Continue? (Y/N)", 3, NULL, 0);
3931 if (tn_deb || debses)
3932 tn_debug("[TLS - FAILED]");
3933 else if ( verbosity )
3934 printf("[TLS - FAILED]\r\n");
3936 "ck_tn_tls_negotiate","[TLS - FAILED]",0);
3937 auth_finished(AUTH_REJECT);
3941 } else if (ssl_check_server_name(tls_con, szHostName)) {
3942 if (tn_deb || debses)
3943 tn_debug("[TLS - FAILED]");
3944 else if ( verbosity )
3945 printf("[TLS - FAILED]\r\n");
3947 "ck_tn_tls_negotiate","[TLS - FAILED]",0);
3948 auth_finished(AUTH_REJECT);
3952 if (tn_deb || debses)
3953 tn_debug("[TLS - OK]");
3955 printf("[TLS - OK]\r\n");
3956 debug(F110,"ck_ssl_outgoing","[TLS - OK]",0);
3957 ssl_display_connect_details(tls_con,0,verbosity);
3960 /* if we are doing raw SSL then start it now ... */
3961 else if (ssl_only_flag) {
3963 if (!tls_load_certs(ssl_ctx,ssl_con,0))
3965 #endif /* USE_CERT_CB */
3966 if (tn_deb || debses)
3967 tn_debug("[SSL - handshake starting]");
3968 else if ( verbosity )
3969 printf("[SSL - handshake starting]\r\n");
3970 debug(F110,"ck_ssl_outgoing","[SSL - handshake starting]",0);
3971 if (SSL_connect(ssl_con) <= 0) {
3972 if ( ssl_debug_flag ) {
3975 sprintf(errbuf,"[SSL - SSL_connect error: %s",
3976 ERR_error_string(ERR_get_error(),NULL));
3977 printf("%s\r\n",errbuf);
3979 if (tn_deb || debses)
3980 tn_debug("[SSL - FAILED]");
3981 else if ( verbosity )
3982 printf("[SSL - FAILED]\r\n");
3983 debug(F110,"ck_ssl_outgoing","[SSL - FAILED]",0);
3986 ssl_active_flag = 1;
3988 if ( !ssl_certsok_flag && (ssl_verify_flag & SSL_VERIFY_PEER) &&
3990 char *subject = ssl_get_subject_name(ssl_con);
3993 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
3995 if (tn_deb || debses)
3996 tn_debug("[SSL - FAILED]");
3997 else if ( verbosity )
3998 printf("[SSL - FAILED]\r\n");
3999 debug(F110,"ck_tn_tls_negotiate","[SSL - FAILED]",0);
4001 auth_finished(AUTH_REJECT);
4006 ok = uq_ok("Warning: Server didn't provide a certificate",
4007 "Continue? (Y/N)", 3, NULL, 0);
4009 if (tn_deb || debses)
4010 tn_debug("[SSL - FAILED]");
4011 else if ( verbosity )
4012 printf("[SSL - FAILED]\r\n");
4014 "ck_tn_tls_negotiate","[SSL - FAILED]",0);
4015 auth_finished(AUTH_REJECT);
4019 } else if (ssl_check_server_name(ssl_con, szHostName)) {
4020 if (tn_deb || debses)
4021 tn_debug("[SSL - FAILED]");
4022 else if ( verbosity )
4023 printf("[SSL - FAILED]\r\n");
4024 debug(F110, "ck_tn_tls_negotiate","[SSL - FAILED]",0);
4025 auth_finished(AUTH_REJECT);
4029 if (tn_deb || debses)
4030 tn_debug("[SSL - OK]");
4032 printf("[SSL - OK]\r\n");
4033 debug(F110,"ck_ssl_outgoing","[SSL - OK]",0);
4034 ssl_display_connect_details(ssl_con,0,verbosity);
4037 return(0); /* success */
4042 ck_ssl_http_client(fd, hostname) int fd; char * hostname;
4046 if ( !ck_ssleay_is_installed() )
4051 /* bind in the network descriptor */
4052 SSL_set_fd(tls_http_con,fd);
4054 /* If we are doing raw TLS then start it now ... */
4057 if (!tls_load_certs(tls_http_ctx,tls_http_con,0)) {
4058 debug(F110,"ck_ssl_http_client","tls_load_certs() failed",0);
4061 #endif /* USE_CERT_CB */
4062 if (tn_deb || debses)
4063 tn_debug("[TLS - handshake starting]");
4065 printf("[TLS - handshake starting]\r\n");
4066 debug(F110,"ck_ssl_outgoing","[TLS - handshake starting]",0);
4067 if (SSL_connect(tls_http_con) <= 0) {
4070 sprintf(errbuf,"[TLS - SSL_connect error: %s",
4071 ERR_error_string(ERR_get_error(),NULL));
4073 if (tn_deb || debses)
4075 else if ( ssl_debug_flag )
4076 printf("%s\r\n",errbuf);
4078 if (tn_deb || debses)
4079 tn_debug("[TLS - FAILED]");
4080 else if ( verbosity )
4081 printf("[TLS - FAILED]\r\n");
4082 debug(F110,"ck_ssl_http_client","[TLS - FAILED]",0);
4086 tls_http_active_flag = 1;
4087 if ( !ssl_certsok_flag && (ssl_verify_flag & SSL_VERIFY_PEER) &&
4089 char *subject = ssl_get_subject_name(tls_http_con);
4092 if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
4094 if (tn_deb || debses)
4095 tn_debug("[TLS - FAILED]");
4096 else if ( verbosity )
4097 printf("[TLS - FAILED]\r\n");
4098 debug(F110,"ck_tn_tls_negotiate","[TLS - FAILED]",0);
4103 ok = uq_ok("Warning: Server didn't provide a certificate",
4104 "Continue? (Y/N)", 3, NULL, 0);
4106 if (tn_deb || debses)
4107 tn_debug("[TLS - FAILED]");
4108 else if ( verbosity )
4109 printf("[TLS - FAILED]\r\n");
4111 "ck_tn_tls_negotiate","[TLS - FAILED]",0);
4115 } else if (ssl_check_server_name(tls_http_con, hostname)) {
4116 if (tn_deb || debses)
4117 tn_debug("[TLS - FAILED]");
4118 else if ( verbosity )
4119 printf("[TLS - FAILED]\r\n");
4121 "ck_tn_tls_negotiate","[TLS - FAILED]",0);
4126 printf("[TLS - OK]\r\n");
4127 if (tn_deb || debses)
4128 tn_debug("[TLS - OK]");
4129 debug(F110,"ck_ssl_outgoing","[TLS - OK]",0);
4130 ssl_display_connect_details(tls_http_con,0,verbosity);
4133 return(0); /* success */
4137 ck_ssl_renegotiate_ciphers()
4140 if ( !ck_ssleay_is_installed() )
4146 if ( ssl_active_flag )
4147 return SSL_renegotiate(ssl_con);
4148 else if ( tls_active_flag )
4149 return SSL_renegotiate(tls_con);
4155 ck_X509_save_cert_to_user_store(X509 *cert)
4157 #ifdef X509V3_EXT_DUMP_UNKNOWN
4158 char path[CKMAXPATH];
4160 char * GetAppData(int);
4166 sprintf(hash,"%08lx",X509_subject_name_hash(cert));
4167 ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/certs/",
4171 out=BIO_new(BIO_s_file());
4174 ERR_print_errors(bio_err);
4177 if (BIO_write_filename(out,path) <= 0) {
4182 X509_print_ex(out, cert, XN_FLAG_SEP_MULTILINE, X509V3_EXT_DUMP_UNKNOWN);
4183 if (!PEM_write_bio_X509(out,cert)) {
4184 BIO_printf(bio_err,"unable to write certificate\n");
4185 ERR_print_errors(bio_err);
4191 #else /* X509V3_EXT_DUMP_UNKNOWN */
4193 #endif /* X509V3_EXT_DUMP_UNKNOWN */
4198 /* The following function should be replaced by institution specific */
4199 /* code that will convert an X509 cert structure to a userid for the */
4200 /* purposes of client to host login. The example code included */
4201 /* simply returns the UID field of the Subject if it exists. */
4203 /* X509_to_user() returns 0 if valid userid in 'userid', else -1 */
4205 X509_to_user(X509 *peer_cert, char *userid, int len)
4207 #ifdef X509_UID_TO_USER
4211 if (!(peer_cert && userid) || len <= 0)
4215 debug(F110,"X509_to_user() subject",
4216 X509_NAME_oneline(X509_get_subject_name(peer_cert),NULL,0),0);
4218 /* userid is in cert subject /UID */
4219 err = X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
4220 #ifndef NID_x500UniqueIdentifier
4221 NID_uniqueIdentifier,
4223 NID_x500UniqueIdentifier,
4227 debug(F111,"X509_to_user() userid",userid,err);
4232 #else /* X509_UID_TO_USER */
4233 #ifdef X509_SUBJECT_ALT_NAME_TO_USER
4236 X509_EXTENSION *ext = NULL;
4237 STACK_OF(GENERAL_NAME) *ialt = NULL;
4238 GENERAL_NAME *gen = NULL;
4241 if (!(peer_cert && userid) || len <= 0)
4246 debug(F110,"X509_to_user() subject",
4247 X509_NAME_oneline(X509_get_subject_name(peer_cert),NULL,0),0);
4249 if ((i = X509_get_ext_by_NID(peer_cert, NID_subject_alt_name, -1))<0)
4251 if (!(ext = X509_get_ext(peer_cert, i)))
4253 X509V3_add_standard_extensions();
4254 if (!(ialt = X509V3_EXT_d2i(ext)))
4256 for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
4257 gen = sk_GENERAL_NAME_value(ialt, i);
4258 if (gen->type == GEN_DNS) {
4259 if (!gen->d.ia5 || !gen->d.ia5->length)
4261 if (strlen(gen->d.ia5->data) != gen->d.ia5->length) {
4262 /* Ignoring IA5String containing null character */
4265 if ( gen->d.ia5->length + 1 > sizeof(email) ) {
4268 memcpy(email, gen->d.ia5->data, gen->d.ia5->length);
4269 email[gen->d.ia5->length] = 0;
4274 X509V3_EXT_cleanup();
4276 sk_GENERAL_NAME_free(ialt);
4278 debug(F110,"X509_to_user() email",email,0);
4281 char * domain = NULL;
4284 for ( i=0 ; email[i] ; i++ ) {
4285 if ( email[i] == '@' ) {
4287 domain = &email[i+1];
4293 /* XXX - Put code to Verify domain here */
4295 if ( /* domain is okay */ 1 )
4296 ckstrncpy(userid,email,len);
4300 return(userid[0] ? 0 : -1);
4302 #endif /* X509_SUBJECT_ALT_NAME_TO_USER */
4303 #endif /* X509_UID_TO_USER */
4307 /* The following function should be replaced by institution specific */
4308 /* code that will determine whether or not the combination of the */
4309 /* provided X509 certificate and username is valid for automatic */
4310 /* login. Whereas X509_to_user() is used to provide authentication */
4311 /* of the user, the X509_userok() function is used to provide */
4312 /* authorization. The certificate passed into X509_userok() does */
4313 /* need to map to a userid; nor would the userid it would map to */
4314 /* need to match the userid provided to the function. There are */
4315 /* numerous circumstances in which it is beneficial to have the ability */
4316 /* for multiple users to gain access to a common account such as */
4317 /* 'root' on Unix; or a class account on a web server. In Unix we */
4318 /* implement this capability with the ~userid/.tlslogin file which */
4319 /* a list of X509 certificates which may be used to access the */
4320 /* account 'userid'. */
4322 /* X509_to_user() returns 0 if access is denied; 1 is access is permitted */
4324 X509_userok(X509 * peer_cert, const char * userid)
4327 /* check if clients cert is in "user"'s ~/.tlslogin file */
4334 if ( peer_cert == NULL )
4337 if (!(pwd = getpwnam(userid)))
4339 if (strlen(pwd->pw_dir) > 500)
4341 sprintf(buf, "%s/.tlslogin", pwd->pw_dir);
4343 if (!(fp = fopen(buf, "r")))
4345 while (!r && (file_cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
4346 if (!ASN1_STRING_cmp(peer_cert->signature, file_cert->signature))
4348 X509_free(file_cert);
4353 /* Need to implement an appropriate function for VMS */