📄 ssl.c
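RAND_seed ((unsigned char *)&r, sizeof (r));
	}
#endif
	return (ctx);
}

#if 0
static void
_SSL_add_random_keypair (SSL_CTX *ctx, int bits)
{
	RSA *rsa;

	rsa = RSA_generate_key (bits, RSA_F4, NULL, NULL);
	if (!SSL_CTX_set_tmp_rsa (ctx, rsa))
		__SSL_critical_error ("SSL_CTX_set_tmp_rsa");
	RSA_free (rsa);
	/* force use of this key for key exchange */
	SSL_CTX_set_options (ctx, SSL_OP_EPHEMERAL_RSA);
}
#endif

#if 0
static char *
_SSL_add_keypair (SSL_CTX *ctx, char *privkey, char *cert)
{
	if (SSL_CTX_use_PrivateKey_file (ctx, privkey, SSL_FILETYPE_PEM) <= 0)
	{
		__SSL_fill_err_buf ("SSL_CTX_use_PrivateKey_file");
		return (err_buf);
	}
	if (SSL_CTX_use_certificate_file (ctx, cert, SSL_FILETYPE_PEM) <= 0)
	{
		__SSL_fill_err_buf ("SSL_CTX_use_certificate_file");
		return (err_buf);
	}
	if (!SSL_CTX_check_private_key (ctx))
	{
		__SSL_fill_err_buf ("Private key does not match the certificate public key\n");
		return (err_buf);
	}
	return (NULL);
}
#endif

/* Scratch result shared by the ASN1 time parsers below.  The returned
 * pointer is only valid until the next call (same contract as asctime()). */
static struct tm tmtm;

/* Decode `count` consecutive ASCII digits starting at v[off].
 * Returns the value, or -1 if any character is not a digit.  The caller
 * guarantees that v[off .. off+count-1] lie inside the string. */
static int
asn1_digits (const unsigned char *v, int off, int count)
{
	int val = 0;
	int i;

	for (i = 0; i < count; i++)
	{
		unsigned char c = v[off + i];

		if (c < '0' || c > '9')
			return (-1);
		val = val * 10 + (c - '0');
	}
	return (val);
}

/* Day of week for a proleptic Gregorian date, 0 = Sunday (Sakamoto's
 * method).  Needed because asctime() prints tm_wday and the ASN1 encoding
 * does not carry it; the static tmtm would otherwise always say "Sun". */
static int
asn1_day_of_week (int y, int M, int d)
{
	static const int t[] = { 0, 3, 2, 5, 0, 3, 5, 1, 4, 6, 2, 4 };
	int w;

	if (M < 3)
		y--;
	w = (y + y / 4 - y / 100 + y / 400 + t[M - 1] + d) % 7;
	return ((w + 7) % 7);			/* keep it in 0..6 for a negative year */
}

/* Common body of the UTCTime / GeneralizedTime parsers.
 *   v, len      : raw string as received from the peer (NOT trusted)
 *   year_digits : 2 for UTCTime (YYMMDDhhmm[ss]Z), 4 for GeneralizedTime
 *                 (YYYYMMDDhhmm[ss]Z)
 * Returns &tmtm filled in, or NULL when the string is too short, contains
 * a non-digit in a required field, or a field is out of range.  Every
 * byte is bounds-checked against len before it is read, so a truncated
 * date in a hostile certificate cannot cause an over-read.  Seconds are
 * optional and default to 0 (as in the original code) when absent. */
static struct tm *
asn1_time_to_tm (const unsigned char *v, int len, int year_digits)
{
	int fixed = year_digits + 8;		/* YY[YY]MMDDhhmm */
	int y, M, d, h, m, s = 0;
	int full_year;

	if (v == NULL || len < fixed)
		return (NULL);

	y = asn1_digits (v, 0, year_digits);
	M = asn1_digits (v, year_digits, 2);
	d = asn1_digits (v, year_digits + 2, 2);
	h = asn1_digits (v, year_digits + 4, 2);
	m = asn1_digits (v, year_digits + 6, 2);
	if (y < 0 || M < 0 || d < 0 || h < 0 || m < 0)
		return (NULL);

	/* seconds are only looked at when the string actually contains them */
	if (len >= fixed + 2)
	{
		s = asn1_digits (v, fixed, 2);
		if (s < 0)
			s = 0;
	}

	if (year_digits == 2)
	{
		/* RFC 5280 UTCTime window: 50..99 -> 1950..1999, 00..49 -> 2000..2049 */
		if (y < 50)
			y += 100;
		full_year = 1900 + y;
	}
	else
	{
		full_year = y;
	}

	/* asctime() is undefined for out-of-range fields, so reject them here
	 * (60 allows a leap second) */
	if (M < 1 || M > 12 || d < 1 || d > 31 || h > 23 || m > 59 || s > 60)
		return (NULL);

	memset (&tmtm, 0, sizeof (tmtm));
	tmtm.tm_sec = s;
	tmtm.tm_min = m;
	tmtm.tm_hour = h;
	tmtm.tm_mday = d;
	tmtm.tm_mon = M - 1;
	tmtm.tm_year = full_year - 1900;	/* struct tm counts years from 1900 */
	tmtm.tm_wday = asn1_day_of_week (full_year, M, d);
	return (&tmtm);
}

/* GeneralizedTime -> struct tm (NULL on malformed input).  The year is
 * converted to the struct tm base of 1900; the old code stored the full
 * year, which made asctime() print e.g. 3924 for 2024. */
static struct tm *
ASN1_GENERALIZEDTIME_snprintf (ASN1_GENERALIZEDTIME * tm)
{
	return (asn1_time_to_tm ((const unsigned char *) tm->data, tm->length, 4));
}

/* UTCTime -> struct tm (NULL on malformed input). */
static struct tm *
ASN1_UTCTIME_snprintf (ASN1_UTCTIME * tm)
{
	return (asn1_time_to_tm ((const unsigned char *) tm->data, tm->length, 2));
}

/* Format an X509 validity time into buf (buf_len bytes, always
 * NUL-terminated) in asctime() style without the trailing newline, or an
 * "Invalid date" marker when the encoded time cannot be parsed. */
static void
ASN1_TIME_snprintf (char *buf, int buf_len, ASN1_TIME * tm)
{
	struct tm *t;
	const char *text;
	char *nl;

	if (buf == NULL || buf_len <= 0)
		return;

	switch (tm->type)
	{
	case V_ASN1_UTCTIME:
		t = ASN1_UTCTIME_snprintf (tm);
		break;
	case V_ASN1_GENERALIZEDTIME:
		t = ASN1_GENERALIZEDTIME_snprintf (tm);
		break;
	default:
		t = NULL;
	}

	/* asctime() may itself return NULL for a year it cannot represent */
	text = t ? asctime (t) : NULL;
	if (!text)
	{
		snprintf (buf, buf_len, "ASN1_TIME_snprintf :: Invalid date");
		return;
	}
	snprintf (buf, buf_len, "%s", text);

	/* strip asctime()'s '\n' only if it survived truncation */
	nl = strchr (buf, '\n');
	if (nl)
		*nl = 0;
}

/* Split an X509_NAME_oneline() string ("/C=XX/O=Org/CN=host") in place
 * on '/' and store a pointer to each piece in parray, NULL-terminated.
 * The leading '/' that oneline() emits is skipped; an empty name yields a
 * single empty word.
 * NOTE(review): parray carries no capacity.  Callers must size it for one
 * entry per '/' in the input plus the terminating NULL - confirm against
 * the subject_word/issuer_word arrays in struct cert_info. */
static void
broke_oneline (char *oneline, char *parray[])
{
	char *cur, *word;
	int i = 0;

	if (*oneline == '/')
		oneline++;
	word = cur = oneline;
	while ((cur = strchr (cur, '/')))
	{
		*cur = 0;
		parray[i++] = word;
		word = ++cur;
	}
	parray[i++] = word;
	parray[i] = NULL;
}

/* Long name of an OBJ nid, or "UNKNOWN" when the nid is undefined or
 * OBJ_nid2ln() has no entry for it (it can return NULL). */
static const char *
nid_long_name (int nid)
{
	const char *name = (nid == NID_undef) ? NULL : OBJ_nid2ln (nid);

	return (name ? name : "UNKNOWN");
}

/* FIXME: Master-Key, Extensions, CA bits (openssl x509 -text -in servcert.pem) */
/* FIXME: the ephemeral RSA key size (session->sess_cert->peer_rsa_tmp)
 *        is not reported. */

/* Fill cert_info from the peer certificate of ssl.
 * Returns 0 on success, 1 when the peer presented no certificate.
 * All string fields are written with snprintf() so they are always
 * NUL-terminated even when the source is longer than the field. */
int
_SSL_get_cert_info (struct cert_info *cert_info, SSL * ssl)
{
	X509 *peer_cert;
	EVP_PKEY *peer_pkey;
	int alg;
	int sign_alg;

	if (!(peer_cert = SSL_get_peer_certificate (ssl)))
		return (1);				/* FATAL? */

	X509_NAME_oneline (X509_get_subject_name (peer_cert), cert_info->subject,
							 sizeof (cert_info->subject));
	X509_NAME_oneline (X509_get_issuer_name (peer_cert), cert_info->issuer,
							 sizeof (cert_info->issuer));
	broke_oneline (cert_info->subject, cert_info->subject_word);
	broke_oneline (cert_info->issuer, cert_info->issuer_word);

	alg = OBJ_obj2nid (peer_cert->cert_info->key->algor->algorithm);
	sign_alg = OBJ_obj2nid (peer_cert->sig_alg->algorithm);

	/* format straight into the destination with its real size */
	ASN1_TIME_snprintf (cert_info->notbefore, (int) sizeof (cert_info->notbefore),
							  X509_get_notBefore (peer_cert));
	ASN1_TIME_snprintf (cert_info->notafter, (int) sizeof (cert_info->notafter),
							  X509_get_notAfter (peer_cert));

	snprintf (cert_info->algorithm, sizeof (cert_info->algorithm), "%s",
				 nid_long_name (alg));
	snprintf (cert_info->sign_algorithm, sizeof (cert_info->sign_algorithm), "%s",
				 nid_long_name (sign_alg));

	/* X509_get_pubkey() returns NULL for an unsupported key type */
	peer_pkey = X509_get_pubkey (peer_cert);
	cert_info->algorithm_bits = 0;
	if (peer_pkey)
	{
		cert_info->algorithm_bits = EVP_PKEY_bits (peer_pkey);
		EVP_PKEY_free (peer_pkey);
	}
	cert_info->sign_algorithm_bits = 0;	/* CA key size is not available here */

	X509_free (peer_cert);
	return (0);
}

/* Describe the cipher currently negotiated on ssl.  Returns a pointer to
 * the file-static chiper_info, overwritten on every call. */
struct chiper_info *
_SSL_get_cipher_info (SSL * ssl)
{
	SSL_CIPHER *c = SSL_get_current_cipher (ssl);

	/* reset first so a NULL cipher (no handshake yet) reports 0 bits
	 * instead of whatever the previous call left behind */
	chiper_info.chiper_bits = 0;
	snprintf (chiper_info.version, sizeof (chiper_info.version), "%s",
				 SSL_CIPHER_get_version (c));
	snprintf (chiper_info.chiper, sizeof (chiper_info.chiper), "%s",
				 SSL_CIPHER_get_name (c));
	SSL_CIPHER_get_bits (c, &chiper_info.chiper_bits);
	return (&chiper_info);
}

/* SSL_write() wrapper: returns SSL_write()'s result unchanged and logs
 * protocol and syscall failures to stderr. */
int
_SSL_send (SSL * ssl, char *buf, int len)
{
	int num = SSL_write (ssl, buf, len);

	switch (SSL_get_error (ssl, num))
	{
	case SSL_ERROR_SSL:			/* library/protocol error: dump the error queue */
		__SSL_fill_err_buf ("SSL_write");
		fprintf (stderr, "%s\n", err_buf);
		break;
	case SSL_ERROR_SYSCALL:		/* underlying write() failed; errno may be
									 * stale when num == 0 (unexpected EOF) */
		perror ("SSL_write/write");
		break;
	case SSL_ERROR_ZERO_RETURN:	/* peer closed the connection cleanly */
		break;
	default:						/* NONE / WANT_READ / WANT_WRITE: nothing to log */
		break;
	}
	return (num);
}

/* SSL_read() wrapper: returns SSL_read()'s result unchanged and logs
 * protocol and syscall failures to stderr. */
int
_SSL_recv (SSL * ssl, char *buf, int len)
{
	int num = SSL_read (ssl, buf, len);

	switch (SSL_get_error (ssl, num))
	{
	case SSL_ERROR_SSL:			/* library/protocol error: dump the error queue */
		__SSL_fill_err_buf ("SSL_read");
		fprintf (stderr, "%s\n", err_buf);
		break;
	case SSL_ERROR_SYSCALL:		/* underlying read() failed; errno may be
									 * stale when num == 0 (unexpected EOF) */
		perror ("SSL_read/read");
		break;
	case SSL_ERROR_ZERO_RETURN:	/* peer closed the connection cleanly */
		break;
	default:						/* NONE / WANT_READ / WANT_WRITE: nothing to log */
		break;
	}
	return (num);
}

/* Create an SSL object for the connected socket sd.  The context's method
 * decides whether this side connects (client) or accepts (server).
 * Allocation failures are routed to __SSL_critical_error(), which the
 * original treated as fatal (assumed not to return). */
SSL *
_SSL_socket (SSL_CTX *ctx, int sd)
{
	SSL *ssl;

	if (!(ssl = SSL_new (ctx)))		/* FATAL */
		__SSL_critical_error ("SSL_new");
	if (!SSL_set_fd (ssl, sd))		/* fails only if the socket BIO cannot be made */
		__SSL_critical_error ("SSL_set_fd");
	if (ctx->method == SSLv3_client_method ())
		SSL_set_connect_state (ssl);
	else
		SSL_set_accept_state (ssl);
	return (ssl);
}

/* Turn on peer certificate verification for ctx.  The library's default
 * CA locations are always loaded; cacert (may be NULL) adds one more CA
 * file.  Returns NULL on success or err_buf naming the failing call. */
char *
_SSL_set_verify (SSL_CTX *ctx, void *verify_callback, char *cacert)
{
	if (!SSL_CTX_set_default_verify_paths (ctx))
	{
		__SSL_fill_err_buf ("SSL_CTX_set_default_verify_paths");
		return (err_buf);
	}
	if (cacert)
	{
		if (!SSL_CTX_load_verify_locations (ctx, cacert, NULL))
		{
			__SSL_fill_err_buf ("SSL_CTX_load_verify_locations");
			return (err_buf);
		}
	}
	SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
	return (NULL);
}

/* Tear down ssl without a close_notify exchange: both shutdown flags are
 * set so the session is treated as fully closed, then the object and this
 * thread's error-queue state are freed. */
void
_SSL_close (SSL * ssl)
{
	SSL_set_shutdown (ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
	SSL_free (ssl);
	ERR_remove_state (0);			/* free state buffer */
}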