ck_ssl.c

KERMIT工具 这在办公室下载不了,很多人都没有载不到.

        goto return_time;
    }
#else /* XN_FLAG_SEP_MULTILINE */
    X509_NAME_oneline(X509_get_subject_name(xs),subject,256);
    if (!subject[0]) {
        int len;
        ERR_print_errors(bio_err);
        len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
        ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
        uq_ok("X.509 Subject Name unavailable", ssl_err, 1, NULL, 0);
        ok=0;
        goto return_time;
    }

    X509_NAME_oneline(X509_get_issuer_name(xs),issuer,256);
    if (!issuer[0]) {
        int len;
        ERR_print_errors(bio_err);
        len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
        ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
        uq_ok("X.509 Issuer Name unavailable", ssl_err, 1, NULL, 0);
        ok=0;
        goto return_time;
    }
#endif /* XN_FLAG_SEP_MULTILINE */

    if (ssl_verbose_flag && depth != ssl_verify_depth) {
        printf("[%d] Certificate Subject:\r\n%s\r\n",depth,subject);
        printf("[%d] Certificate Issuer:\r\n%s\r\n",depth,issuer);
        ssl_verify_depth = depth;
    }

    ok = ssl_verify_crl(ok, ctx);

    if ( !ok ) {
        char prefix[1024];
        /* if the server is using a self signed certificate then
         * we need to decide if that is good enough for us to
         * accept ...
         */

        switch ( error ) {
        case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: {
            if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
                /* make 100% sure that in secure more we drop the
                 * connection if the server does not have a
                 * real certificate!
                 */
                ckmakxmsg(prefix,1024,
                           "Error: Server has a self-signed certificate\n",
                           "[",ckitoa(depth),"] Certificate Subject=\n",subject,
                           "\n[",ckitoa(depth),"] Certificate Issuer=\n",issuer,
                           NULL,NULL,NULL);

                uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);

                /* sometimes it is really handy to be able to debug things
                * and still get a connection!
                */
                if (ssl_debug_flag) {
                    printf("SSL: debug -> ignoring cert required!\r\n");
                    ok=1;
                } else {
                    ok=0;
                }
                goto return_time;
            } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
                ckmakxmsg(prefix,1024,
                           "Warning: Server has a self-signed certificate\n",
                           "[",ckitoa(depth),"] Certificate Subject=\n",subject,
                           "\n[",ckitoa(depth),"] Certificate Issuer=\n",issuer,
                           NULL,NULL,NULL);

                ok = uq_ok(prefix,
                           "Continue? (Y/N) ",
                           3, NULL, 0);
                if ( ok < 0 )
                    ok = 0;
                goto return_time;
            }
        }
        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
            if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
                /* make 100% sure that in secure more we drop the
                 * connection if the server does not have a
                 * real certificate!
                 */
                ckmakxmsg(prefix,1024,
                           "Error: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Issuer=\n",issuer,
                           NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
                uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);

                /* sometimes it is really handy to be able to debug things
                * and still get a connection!
                */
                if (ssl_debug_flag) {
                    printf("SSL: debug -> ignoring cert required!\r\n");
                    ok=1;
                } else {
                    ok=0;
                }
                goto return_time;
            } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
                ckmakxmsg(prefix,1024,
                           "Warning: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Issuer=\n",issuer,
                           NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
                ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
                goto return_time;
            }
            break;
        case X509_V_ERR_CERT_NOT_YET_VALID:
        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
            if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
                int len;
                /* make 100% sure that in secure more we drop the
                 * connection if the server does not have a
                 * real certificate!
                 */
                ASN1_TIME_print(bio_err,X509_get_notBefore(xs));
                len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
                ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
                ckmakxmsg(prefix,1024,
                           "Error: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Subject=\n",subject,
                           "\nnotBefore=",ssl_err,
                           NULL,NULL,NULL,NULL,NULL,NULL);
                uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
                /* sometimes it is really handy to be able to debug things
                * and still get a connection!
                */
                if (ssl_debug_flag) {
                    printf("SSL: debug -> ignoring cert required!\r\n");
                    ok=1;
                } else {
                    ok=0;
                }
                goto return_time;
            } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
                int len;
                ASN1_TIME_print(bio_err,X509_get_notBefore(xs));
                len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
                ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
                ckmakxmsg(prefix,1024,
                           "Warning: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Subject=\n",subject,
                           "\n    notBefore=",ssl_err,
                           NULL,NULL,NULL,NULL,NULL,NULL);
                ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
            }
            break;
        case X509_V_ERR_CERT_HAS_EXPIRED:
        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
            if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
                int len;
                /* make 100% sure that in secure more we drop the
                 * connection if the server does not have a
                 * real certificate!
                 */
                ASN1_TIME_print(bio_err,X509_get_notAfter(xs));
                len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
                ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';

                ckmakxmsg(prefix,1024,
                           "Error: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Subject=\n",subject,
                           "\n    notAfter=",ssl_err,
                           NULL,NULL,NULL,NULL,NULL,NULL);
                uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
   
                /* sometimes it is really handy to be able to debug things
                * and still get a connection!
                */
                if (ssl_debug_flag) {
                    printf("SSL: debug -> ignoring cert required!\r\n");
                    ok=1;
                } else {
                    ok=0;
                }
                goto return_time;
            } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
                int len;
                ASN1_TIME_print(bio_err,X509_get_notAfter(xs));
                len = BIO_read(bio_err,ssl_err,SSL_ERR_BFSZ);
                ssl_err[len < SSL_ERR_BFSZ ? len : SSL_ERR_BFSZ] = '\0';
                ckmakxmsg(prefix,1024,
                           "Warning: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Subject=\n",subject,
                           "\n    notAfter=",ssl_err,
                           NULL,NULL,NULL,NULL,NULL,NULL);
                ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
            }
            break;
        case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
            /*
             * When an SSL server sends its certificates to the client there
             * are two" conventions": one is to send the complete certificate
             * chain and the other is to send the whole chain apart from the
             * root.
             *
             * You don't usually need the root because the root is normally
             * stored and trusted locally.
             *
             * So if you get the whole chain it will complain about the self
             * signed certificate whereas if the root is missing it says it
             * can't find the issuer certificate.
             */
            if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
                /* make 100% sure that in secure more we drop the
                 * connection if the server does not have a
                 * real certificate!
                 */
                ckmakxmsg(prefix,1024,
                           "Error: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Issuer=\n",issuer,
                           NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
                uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);
                /* sometimes it is really handy to be able to debug things
                * and still get a connection!
                */
                if (ssl_debug_flag) {
                    printf("SSL: debug -> ignoring cert required!\r\n");
                    ok=1;
                } else {
                    ok=0;
                }
                goto return_time;
            } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
                ckmakxmsg(prefix,1024,
                           "Warning: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Issuer=\n",issuer,
                           NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
                ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
#ifdef NT
                if (ok) {
                    /* if the user decides to accept the certificate
                     * offer to store it for future connections in 
                     * the user's private store
                     */
                    ok = uq_ok(
  "Do you wish to store the certificate to verify future connections?",
                               "Continue (Y/N)", 3, NULL, 0);
                    if (ok)
                        ck_X509_save_cert_to_user_store(xs);
                }
#endif /* NT */
            }
            break;
        case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
        case X509_V_ERR_UNABLE_TO_GET_CRL:
        case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
        case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
        case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
        case X509_V_ERR_CERT_SIGNATURE_FAILURE:
        case X509_V_ERR_CRL_SIGNATURE_FAILURE:
        case X509_V_ERR_CRL_NOT_YET_VALID:
        case X509_V_ERR_CRL_HAS_EXPIRED:
        case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
        case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
        case X509_V_ERR_OUT_OF_MEM:
        case X509_V_ERR_CERT_CHAIN_TOO_LONG:
        case X509_V_ERR_CERT_REVOKED:
        case X509_V_ERR_APPLICATION_VERIFICATION:
        default:
            if (ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
                /* make 100% sure that in secure mode we drop the
                 * connection if the server does not have a
                 * real certificate!
                 */
                ckmakxmsg(prefix,1024,
                           "Error: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Subject=\n",subject,
                           NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
                uq_ok(prefix, "Rejecting Connection", 1, NULL, 0);

                /* sometimes it is really handy to be able to debug things
                * and still get a connection!
                */
                if (ssl_debug_flag) {
                    printf("SSL: debug -> ignoring cert required!\r\n");
                    ok=1;
                } else {
                    ok=0;
                }
                goto return_time;
            } else if (ssl_verify_flag != SSL_VERIFY_NONE) {
                ckmakxmsg(prefix,1024,
                           "Warning: ",
                           (char *)X509_verify_cert_error_string(error),
                           "\nCertificate Subject=\n",subject,
                           NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
                ok = uq_ok(prefix, "Continue (Y/N)", 3, NULL, 0);
            }
            break;
        }
    }

  return_time:
    if ( ssl_debug_flag )
        printf("ssl:client_verify_callback => ok: %d\r\n",ok);
    return ok;
}

VOID
#ifdef CK_ANSIC
ssl_client_info_callback(const SSL *s, int where, int ret)
#else
ssl_client_info_callback(s,where,ret)
const SSL *s;
int where;
int ret;
#endif /* CK_ANSIC */
{
    if (inserver || !ssl_debug_flag)
        return;

    switch ( where ) {
    case SSL_CB_CONNECT_LOOP:
        printf("SSL_connect:%s %s\r\n",
                SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
        break;
    case SSL_CB_CONNECT_EXIT:
        if (ret == 0) {
            printf("SSL_connect:failed in %s %s\r\n",
                    SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
        } else if (ret < 0) {
            printf("SSL_connect:error in %s %s\r\n",
                    SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
        }
        break;
    case SSL_CB_ACCEPT_LOOP:
        printf("SSL_accept:%s %s\r\n",
                SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
        break;
    case SSL_CB_ACCEPT_EXIT:
        if (ret == 0) {
            printf("SSL_accept:failed in %s %s\r\n",
                    SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
        } else if (ret < 0) {
            printf("SSL_accept:error in %s %s\r\n",
                    SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
        }
        break;
    case SSL_CB_READ_ALERT:
        printf("SSL_read_alert\r\n");
        break;
    case SSL_CB_WRITE_ALERT:
        printf("SSL_write_alert\r\n");
        break;
    case SSL_CB_HANDSHAKE_START:
        printf("SSL_handshake:%s %s\r\n",
                SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
        break;
    case SSL_CB_HANDSHAKE_DONE:
        printf("SSL_handshake:%s %s\r\n",
                SSL_state_string((SSL *)s),SSL_state_string_long((SSL *)s));
        break;
    }
}

#ifdef USE_CERT_CB