📄 ck_ssl.c
if (ssl_debug_flag) printf("SSL_DEBUG_FLAG on\r\n"); if (last_ssl_mode != mode) { if (ssl_ctx) { SSL_CTX_free(ssl_ctx); ssl_ctx = NULL; } if (tls_ctx) { SSL_CTX_free(tls_ctx); tls_ctx = NULL; } } if ( (last_ssl_mode != mode) || !ssl_ctx || !tls_ctx ) { if ( mode == SSL_CLIENT ) { ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method()); /* This can fail because we do not have RSA available */ if ( !ssl_ctx ) { debug(F110,"ssl_tn_init","SSLv23_client_method failed",0); ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); } if ( !ssl_ctx ) { debug(F110,"ssl_tn_init","SSLv3_client_method failed",0); last_ssl_mode = -1; return(0); }#ifndef COMMENT tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());#else /* COMMENT */ tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method()); /* This can fail because we do not have RSA available */ if ( !tls_ctx ) { debug(F110,"ssl_tn_init","SSLv23_client_method failed",0); tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); }#endif /* COMMENT */ if ( !tls_ctx ) { debug(F110,"ssl_tn_init","TLSv1_client_method failed",0); last_ssl_mode = -1; return(0); }#ifdef USE_CERT_CB SSL_CTX_set_client_cert_cb(ssl_ctx,ssl_client_cert_callback); SSL_CTX_set_client_cert_cb(tls_ctx,ssl_client_cert_callback);#endif /* USE_CERT_CB */ } else if (mode == SSL_SERVER) { /* We are a server */ ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_server_method()); /* This can fail because we do not have RSA available */ if ( !ssl_ctx ) { debug(F110,"ssl_tn_init","SSLv23_server_method failed",0); ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method()); } if ( !ssl_ctx ) { debug(F110,"ssl_tn_init","SSLv3_server_method failed",0); last_ssl_mode = -1; return(0); }#ifdef COMMENT tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_server_method());#else /* COMMENT */ tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_server_method()); /* This can fail because we do not have RSA available */ if ( !tls_ctx ) { debug(F110,"ssl_tn_init","SSLv23_server_method failed",0); tls_ctx=(SSL_CTX 
*)SSL_CTX_new(TLSv1_server_method()); }#endif /* COMMENT */ if ( !tls_ctx ) { debug(F110,"ssl_tn_init","TLSv1_server_method failed",0); last_ssl_mode = -1; return(0); } } else /* Unknown mode */ return(0); if ( !inserver ) { SSL_CTX_set_default_passwd_cb(ssl_ctx, (pem_password_cb *)ssl_passwd_callback); SSL_CTX_set_default_passwd_cb(tls_ctx, (pem_password_cb *)ssl_passwd_callback); } /* for SSL switch on all the interoperability and bug * workarounds so that we will communicate with people * that cannot read poorly written specs :-) * for TLS be sure to prevent use of SSLv2 */ SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2); SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA); SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback); SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);#ifndef COMMENT /* Set the proper caching mode */ if ( mode == SSL_SERVER ) { SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_SERVER); SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_SERVER); } else { SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_CLIENT); SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_CLIENT); } SSL_CTX_set_session_id_context(ssl_ctx,(CHAR *)"1",1); SSL_CTX_set_session_id_context(tls_ctx,(CHAR *)"2",1);#else /* COMMENT */ SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_OFF); SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_OFF);#endif /* COMMENT */ } /* The server uses defaults for the certificate files. */ /* The client does not. 
*/ if (mode == SSL_SERVER) { char cert_filepath[1024]; const char * defdir = NULL; DH * dh = NULL; defdir = getenv("SSL_CERT_DIR"); if ( !defdir ) {#ifdef OS2 defdir = exedir;#else /* OS2 */ defdir = X509_get_default_cert_dir();#endif /* OS2 */ debug(F110,"ssl_tn_init - setting default directory to",defdir,0); } if ( !defdir ) defdir = ""; if (!ssl_rsa_cert_file) { /* we need to know the fullpath to the location of the * certificate that we will be running with as we cannot * be sure of the cwd when we are launched */ sprintf(cert_filepath,"%s/%s",defdir,"telnetd-rsa.pem"); if (zchki(cert_filepath) > 0) makestr(&ssl_rsa_cert_file,cert_filepath); } if (ssl_rsa_cert_file && !ssl_rsa_key_file) { /* we need to know the fullpath to the location of the * certificate that we will be running with as we cannot * be sure of the cwd when we are launched */ sprintf(cert_filepath,"%s/%s",defdir,"telnetd-rsa-key.pem"); if (zchki(cert_filepath) > 0) makestr(&ssl_rsa_key_file,cert_filepath); } if (!ssl_dsa_cert_file) { /* we need to know the fullpath to the location of the * certificate that we will be running with as we cannot * be sure of the cwd when we are launched */ sprintf(cert_filepath,"%s/%s",defdir,"telnetd-dsa.pem"); if (zchki(cert_filepath) > 0) makestr(&ssl_dsa_cert_file,cert_filepath); } if (ssl_dsa_cert_file && !ssl_dh_key_file) { /* we need to know the fullpath to the location of the * certificate that we will be running with as we cannot * be sure of the cwd when we are launched */ sprintf(cert_filepath,"%s/%s",defdir,"telnetd-dsa-key.pem"); if (zchki(cert_filepath) > 0) makestr(&ssl_dh_key_file,cert_filepath); } if (!ssl_crl_dir) { /* we need to know the fullpath to the location of the * certificate that we will be running with as we cannot * be sure of the cwd when we are launched */ sprintf(cert_filepath,"%s/crl",defdir); if (zchki(cert_filepath) > 0) makestr(&ssl_crl_dir,cert_filepath); } if (ssl_only_flag && !tls_load_certs(ssl_ctx,ssl_con,1)) { 
debug(F110,"ssl_tn_init","Unable to load SSL certs",0); last_ssl_mode = -1; return(0); } if (tls_only_flag && !tls_load_certs(tls_ctx,tls_con,1)) { debug(F110,"ssl_tn_init","Unable to load TLS certs",0); last_ssl_mode = -1; return(0); } if ( (last_ssl_mode != mode) || !ssl_ctx || !tls_ctx ) { /* we may require a temp 512 bit RSA key because of the * wonderful way export things work ... if so we generate * one now! */ SSL_CTX_set_tmp_rsa_callback(ssl_ctx, tmp_rsa_cb); SSL_CTX_set_tmp_dh_callback( ssl_ctx, tmp_dh_cb); SSL_CTX_set_tmp_rsa_callback(tls_ctx, tmp_rsa_cb); SSL_CTX_set_tmp_dh_callback( tls_ctx, tmp_dh_cb); dh = tmp_dh_cb(NULL,0,512); SSL_CTX_set_tmp_dh(ssl_ctx,dh); SSL_CTX_set_tmp_dh(tls_ctx,dh); /* The following code is only called if we are using a * certificate with an RSA public key and where the * certificate has a key length less than 512 bits or is * marked for signing only. This is so we can support * the greatest legal privacy level with exportable clients. */ if (SSL_CTX_need_tmp_RSA(ssl_ctx) || SSL_CTX_need_tmp_RSA(tls_ctx)) { RSA *rsa; if ( ssl_debug_flag ) printf("Generating temp (512 bit) RSA key ...\r\n"); rsa=RSA_generate_key(512,RSA_F4,NULL,NULL); if ( ssl_debug_flag ) printf("Generation of temp (512 bit) RSA key done\r\n"); if (SSL_CTX_need_tmp_RSA(ssl_ctx)) { if (!SSL_CTX_set_tmp_rsa(ssl_ctx,rsa)) { if ( ssl_debug_flag ) printf( "Failed to assign generated temp RSA key to SSL!\r\n"); } } if (SSL_CTX_need_tmp_RSA(tls_ctx)) { if (!SSL_CTX_set_tmp_rsa(tls_ctx,rsa)) { if ( ssl_debug_flag ) printf( "Failed to assign generated temp RSA key to TLS!\r\n"); } } RSA_free(rsa); if ( ssl_debug_flag ) printf("Assigned temp (512 bit) RSA key\r\n"); } } } /* make sure we will find certificates in the standard * location ... otherwise we don't look anywhere for * these things which is going to make client certificate * exchange rather useless :-) * In OS2, default values for ssl_verify_file and ssl_verify_path. 
*/#ifdef OS2#ifdef NT { /* The defaults in the SSL crypto library are not appropriate for OS/2 */ char path[CKMAXPATH]; ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL); if (isdir(path) && SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) { debug(F110,"ssl_tn_init certificate verify dir",path,0); if (ssl_debug_flag) printf(" Certificate Verification Directory: %s\r\n",path); SSL_CTX_load_verify_locations(ssl_ctx,NULL,path); } ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/certs",NULL,NULL); if (isdir(path) && SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) { debug(F110,"ssl_tn_init certificate verify dir",path,0); if (ssl_debug_flag) printf(" Certificate Verification Directory: %s\r\n",path); SSL_CTX_load_verify_locations(ssl_ctx,NULL,path); } ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/certs",NULL,NULL); if (isdir(path) && SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) { debug(F110,"ssl_tn_init certificate verify dir",path,0); if (ssl_debug_flag) printf(" Certificate Verification Directory: %s\r\n",path); SSL_CTX_load_verify_locations(ssl_ctx,NULL,path); } ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL); if (zchki(path) > 0 && SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) { debug(F110,"ssl_tn_init certificate verify file",path,0); if (ssl_debug_flag) printf(" Certificate Verification File: %s\r\n",path); SSL_CTX_load_verify_locations(ssl_ctx,path,NULL); } ckmakmsg(path,CKMAXPATH,GetAppData(1),"kermit 95/ca_certs.pem",NULL,NULL); if (zchki(path) > 0 && SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) { debug(F110,"ssl_tn_init certificate verify file",path,0); if (ssl_debug_flag) printf(" Certificate Verification File: %s\r\n",path); SSL_CTX_load_verify_locations(ssl_ctx,path,NULL); } ckmakmsg(path,CKMAXPATH,GetAppData(0),"kermit 95/ca_certs.pem",NULL,NULL); if (zchki(path) > 0 && SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) { debug(F110,"ssl_tn_init certificate verify file",path,0); if (ssl_debug_flag) 
printf(" Certificate Verification File: %s\r\n",path); SSL_CTX_load_verify_locations(ssl_ctx,path,NULL); } }#else /* NT */ { /* The defaults in the SSL crypto library are not appropriate for OS/2 */ char path[CKMAXPATH]; ckmakmsg(path,CKMAXPATH,exedir,"certs",NULL,NULL); if (isdir(path) && SSL_CTX_load_verify_locations(tls_ctx,NULL,path) == 1) { debug(F110,"ssl_tn_init certificate verify dir",path,0); if (ssl_debug_flag) printf(" Certificate Verification Directory: %s\r\n",path); SSL_CTX_load_verify_locations(ssl_ctx,NULL,path); } ckmakmsg(path,CKMAXPATH,exedir,"ca_certs.pem",NULL,NULL); if (zchki(path) > 0 && SSL_CTX_load_verify_locations(tls_ctx,path,NULL) == 1) { debug(F110,"ssl_tn_init certificate verify file",path,0); if (ssl_debug_flag) printf(" Certificate Verification File: %s\r\n",path); SSL_CTX_load_verify_locations(ssl_ctx,path,NULL); } }#endif /* NT */#else /* OS2 */ SSL_CTX_set_default_verify_paths(ssl_ctx); SSL_CTX_set_default_verify_paths(tls_ctx);#endif /* OS2 */ if (ssl_verify_file) { if (zchki(ssl_verify_file) > 0 && SSL_CTX_load_verify_locations(tls_ctx,ssl_verify_file,NULL) == 1) { debug(F110,"ssl_tn_init certificate verify file",ssl_verify_file,0); if (ssl_debug_flag) printf(" Certificate Verification File: %s\r\n",ssl_verify_file); SSL_CTX_load_verify_locations(ssl_ctx,ssl_verify_file,NULL); } } if (ssl_verify_dir && isdir(ssl_verify_dir)) { if (SSL_CTX_load_verify_locations(tls_ctx,NULL,ssl_verify_dir) == 1) { debug(F110,"ssl_tn_init certificate verify dir",ssl_verify_dir,0); if (ssl_debug_flag) printf(" Certificate Verification Directory: %s\r\n",ssl_verify_dir); SSL_CTX_load_verify_locations(ssl_ctx,NULL,ssl_verify_dir); } } if (mode == SSL_SERVER) { SSL_CTX_set_verify(ssl_ctx, ssl_verify_flag?ssl_verify_flag|SSL_VERIFY_CLIENT_ONCE:0, ssl_server_verify_callback); SSL_CTX_set_verify(tls_ctx, ssl_verify_flag?ssl_verify_flag|SSL_VERIFY_CLIENT_ONCE:0, ssl_server_verify_callback); } else { SSL_CTX_set_verify(ssl_ctx,ssl_verify_flag, 
ssl_client_verify_callback); SSL_CTX_set_verify(tls_ctx,ssl_verify_flag, ssl_client_verify_callback); } /* Free the existing CRL Store */ if (crl_store) { X509_STORE_free(crl_store); crl_store