ck_ssl.c

KERMIT工具 这在办公室下载不了,很多人都没有载不到.

char *cksslv = "SSL/TLS support, 8.0.221, 26 Feb 2004";
/*
  C K _ S S L . C --  OpenSSL Interface for C-Kermit

  Copyright (C) 1985, 2004,
    Trustees of Columbia University in the City of New York.
    All rights reserved.  See the C-Kermit COPYING.TXT file or the
    copyright text in the ckcmai.c module for disclaimer and permissions.

    Author:  Jeffrey E Altman (jaltman@secure-endpoints.com)
               Secure Endpoints Inc., New York City

  Provides:

  . Telnet Auth SSL option compatible with Tim Hudson's hack.
  . Telnet START_TLS option
  . Configuration of certificate and key files
  . Certificate verification and revocation list checks
  . Client certificate to user id routine

  Note: This code is written to be compatible with OpenSSL 0.9.6[abcdefgh]
  and 0.9.7 beta 5.
  It will also compile with version 0.9.5 although that is discouraged
  due to security weaknesses in that release.
*/

#include "ckcsym.h"
#include "ckcdeb.h"

#ifdef CK_SSL
#include "ckcnet.h"
#include "ckuath.h"

#include <stdlib.h>
#include <string.h>
#ifdef UNIX
#include <netinet/in.h>
#ifndef FREEBSD4
#include <arpa/inet.h>
#endif /* FREEBSD4 */
#endif /* UNIX */

#ifdef DEC_TCPIP
#include <time.h>
#include <inet.h>
#endif /* DEC_TCPIP */

#ifdef OS2
extern char exedir[];
#ifdef NT
char * GetAppData(int);
#endif
#endif /* OS2 */

static int ssl_installed = 1;
#endif /* CK_SSL */
int
ck_ssh_is_installed()
{
#ifdef SSHBUILTIN
#ifdef SSLDLL
#ifdef NT
    extern HINSTANCE hCRYPTO;
#else /* NT */
    extern HMODULE hCRYPTO;
#endif /* NT */
    debug(F111,"ck_ssh_is_installed","hCRYPTO",hCRYPTO);
    return(ssl_installed && (hCRYPTO != NULL));
#else /* SSLDLL */
    return(ssl_installed);
#endif /* SSLDLL */
#else
    return 0;
#endif
}

int
#ifdef CK_ANSIC
ck_ssleay_is_installed(void)
#else
ck_ssleay_is_installed()
#endif
{
#ifdef CK_SSL
#ifdef SSLDLL
#ifdef NT
    extern HINSTANCE hSSL, hCRYPTO;
#else /* NT */
    extern HMODULE hSSL, hCRYPTO;
#endif /* NT */
    debug(F111,"ck_ssleay_is_installed","hSSL",hSSL);
    debug(F111,"ck_ssleay_is_installed","hCRYPTO",hCRYPTO);
    return(ssl_installed && (hSSL != NULL) && (hCRYPTO != NULL));
#else /* SSLDLL */
    return(ssl_installed);
#endif /* SSLDLL */
#else /* CK_SSL */
    return(0);
#endif /* CK_SSL */
}

#ifdef CK_SSL
#include "ckcker.h"
#include "ckucmd.h"                             /* For struct keytab */
#include "ckctel.h"
#include "ck_ssl.h"
#ifdef UNIX
#include <pwd.h>                    /* Password file for home directory */
#endif /* UNIX */
#ifdef OS2
#include <process.h>
#endif /* OS2 */
#ifdef OS2ONLY
#include "ckotcp.h"
#endif /* OS2ONLY */

#ifdef SSLDLL
int ssl_finished_messages = 0;
#else /* SSLDLL */
#ifdef OPENSSL_VERSION_NUMBER
int ssl_finished_messages = (OPENSSL_VERSION_NUMBER >= 0x0090581fL);
#else
!ERROR This module requires OpenSSL 0.9.5a or higher
#endif /* OPENSSL_VERSION_NUMBER */
#endif /* SSLDLL */

static int auth_ssl_valid = 0;
static char *auth_ssl_name = 0;    /* this holds the oneline name */
char ssl_err[SSL_ERR_BFSZ]="";

BIO *bio_err=NULL;
X509_STORE *crl_store = NULL;

#ifndef NOFTP
#ifndef SYSFTP
SSL *ssl_ftp_con             = NULL;
SSL_CTX *ssl_ftp_ctx         = NULL;
SSL *ssl_ftp_data_con        = NULL;
int ssl_ftp_active_flag      = 0;
int ssl_ftp_data_active_flag = 0;
#endif /* SYSFTP */
#endif /* NOFTP */

#ifndef NOHTTP
SSL *tls_http_con            = NULL;
SSL_CTX *tls_http_ctx        = NULL;
int tls_http_active_flag     = 0;
int ssl_http_initialized = 0;
#endif /* NOHTTP */

SSL_CTX *ssl_ctx = NULL;
SSL *ssl_con = NULL;
int ssl_debug_flag = 0;
int ssl_verbose_flag = 0;
int ssl_only_flag = 0;
int ssl_active_flag = 0;
int ssl_verify_flag = SSL_VERIFY_PEER;
int ssl_certsok_flag = 0;
char *ssl_rsa_cert_file = NULL;
char *ssl_rsa_cert_chain_file = NULL;
char *ssl_rsa_key_file = NULL;
char *ssl_dsa_cert_file = NULL;
char *ssl_dsa_cert_chain_file = NULL;
char *ssl_dh_key_file = NULL;
char *ssl_crl_file = NULL;
char *ssl_crl_dir = NULL;
char *ssl_verify_file = NULL;
char *ssl_verify_dir = NULL;
char *ssl_dh_param_file = NULL;
char *ssl_cipher_list = NULL;
char *ssl_rnd_file = NULL;

SSL_CTX *tls_ctx = NULL;
SSL *tls_con = NULL;
int tls_only_flag = 0;
int tls_active_flag = 0;

int ssl_initialized = 0;
int ssl_verify_depth = -1; /* used to track depth in verify routines */

/* compile this set to 1 to negotiate SSL/TLS but not actually start it */
int ssl_dummy_flag=0;

extern int inserver;
extern int debses;
extern int accept_complete;
extern char szHostName[], szUserNameRequested[], szUserNameAuthenticated[];

_PROTOTYP(int X509_to_user,(X509 *, char *, int));

int
#ifdef CK_ANSIC
ssl_server_verify_callback(int ok, X509_STORE_CTX * ctx)
#else /* CK_ANSIC */
ssl_server_verify_callback(ok, ctx)
int ok;
X509_STORE_CTX *ctx;
#endif /* CK_ANSIC */
{
    static char *saved_subject=NULL;
    char *subject=NULL, *issuer=NULL;
    int depth,error;
    X509 *xs = NULL;

    if ( ssl_certsok_flag )
        return(1);

    error=X509_STORE_CTX_get_error(ctx);
    depth=X509_STORE_CTX_get_error_depth(ctx);
    xs=X509_STORE_CTX_get_current_cert(ctx);

    if (depth==0) {
        /* clear things */
        if (saved_subject!=NULL) {
            free(saved_subject);
            saved_subject=NULL;
        }
        if (auth_ssl_name!=NULL) {
            free(auth_ssl_name);
            auth_ssl_name=NULL;
        }
    }


    if (ssl_debug_flag && !inserver) {
        printf("ssl:server_verify_callback:depth=%d ok=%d err=%d-%s\r\n",
            depth,ok,error,X509_verify_cert_error_string(error));
    }

    /* first thing is to have a meaningful name for the current
     * certificate that is being verified ... and if we cannot
     * determine that then something is seriously wrong!
     */
    makestr(&subject,
            (char *)X509_NAME_oneline(X509_get_subject_name(xs),NULL,0));
    makestr(&issuer,
            (char *)X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0));
    if (!subject || !subject[0] || !issuer || !issuer[0]) {
        ok = 0;
        goto return_time;
    }

    if (ssl_verbose_flag && !inserver && depth != ssl_verify_depth) {
        printf("[%d] Certificate Subject:\r\n%s\r\n",depth,subject);
        printf("[%d] Certificate Issuer:\r\n%s\r\n",depth,issuer);
        ssl_verify_depth = depth;
    }

    /* make sure that the certificate that has been presented */
    /* has not been revoked (if we have been given a CRL.     */
    ok =  ssl_verify_crl(ok, ctx);

    /* if we have any form of error in secure mode we reject the connection */
    if (error!=X509_V_OK) {
        if (inserver) {
#ifdef CKSYSLOG
            if (ckxsyslog >= SYSLG_LI && ckxlogging) {
                cksyslog(SYSLG_LI, 0,
                          "X.509 Certificate verify failure",
                          (char *) subject,
                          (char *)X509_verify_cert_error_string(error)
                          );
            }
#endif /* CKSYSLOG */

        } else {
            if ( ssl_verify_flag &
                 (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
                printf("Error: ");
            else
                printf("Warning: ");
            switch (error) {
            case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
                printf("Certificate is self signed.\r\n");
                break;
            case X509_V_ERR_CERT_HAS_EXPIRED:
                printf("Certificate has expired.\r\n");
                break;
            case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
                printf(
  "Certificate issuer's certificate isn't available locally.\r\n");
                break;
            case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
                printf("Unable to verify leaf signature.\r\n");
                break;
            case X509_V_ERR_CERT_REVOKED:
                printf("Certificate revoked.\r\n");
                break;
            default:
                printf("Error %d while verifying certificate.\r\n",
                       ctx->error);
                break;
            }
        }
        ok = !(ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
    } else {
        /* if we got all the way to the top of the tree then
         * we *can* use this certificate for a username to
         * match ... in all other cases we must not!
         */
        auth_ssl_name = saved_subject;
        saved_subject = NULL;
    }

  return_time:

    /* save the name if at least the first level is okay */
    if (depth == 0 && ok)
        makestr(&saved_subject,subject);

    /* clean up things */
    if (subject!=NULL)
        free(subject);
    if (issuer!=NULL)
        free(issuer);

    return ok;
}

int
#ifdef CK_ANSIC
ssl_client_verify_callback(int ok, X509_STORE_CTX * ctx)
#else
ssl_client_verify_callback(ok, ctx)
int ok;
X509_STORE_CTX *ctx;
#endif
{
    char subject[256]="", issuer[256]="";
    int depth, error, len;
    X509 *xs;

    xs=X509_STORE_CTX_get_current_cert(ctx);
    error=X509_STORE_CTX_get_error(ctx);
    depth=X509_STORE_CTX_get_error_depth(ctx);

    if ( ssl_debug_flag )
        printf("ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\r\n",
                depth,ok,error,X509_verify_cert_error_string(error));

    if ( ssl_certsok_flag ) {
        ok = 1;
    }

    /* first thing is to have a meaningful name for the current
     * certificate that is being verified ... and if we cannot
     * determine that then something is seriously wrong!
     */
#ifdef XN_FLAG_SEP_MULTILINE
    X509_NAME_print_ex(bio_err,X509_get_subject_name(xs),4,
                        XN_FLAG_SEP_MULTILINE);
    len = BIO_read(bio_err,subject,256);
    subject[len < 256 ? len : 255] = '\0';
    if (!subject[0]) {
        ERR_print_errors(bio_err);
        len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
        ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
        uq_ok("X.509 Subject Name unavailable", ssl_err, 1, NULL, 0);
        ok=0;
        goto return_time;
    }

    X509_NAME_print_ex(bio_err,X509_get_issuer_name(xs),4,
                        XN_FLAG_SEP_MULTILINE);
    len = BIO_read(bio_err,issuer,256);
    issuer[len < 256 ? len : 255] = '\0';
    if (!issuer[0]) {
        ERR_print_errors(bio_err);
        len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
        ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
        uq_ok("X.509 Issuer Name unavailable", ssl_err, 1, NULL, 0);
        ok=0;