27#define X509_cert_digest X509_digest
33 if (SSL_CTX_use_certificate_chain_file(
ctx,cert) != 1)
38 if (ppwd) SSL_CTX_set_default_passwd_cb_userdata(
ctx,ppwd);
40 if (SSL_CTX_use_PrivateKey_file(
ctx,
key,SSL_FILETYPE_PEM) != 1)
43 if (SSL_CTX_check_private_key(
ctx) != 1)
51 SSL_set_options(
ssl,SSL_OP_NO_SSLv2);
52 SSL_set_options(
ssl,SSL_OP_NO_SSLv3);
58 STACK_OF(GENERAL_NAME) *extensions;
59 const GENERAL_NAME *
ext;
70 if (flag > 20) fflag = flag - 20;
71 if (flag > 10) fflag = flag - 10;
75 if (
host.len && fflag > 4) {
76 extensions = (GENERAL_NAME *)X509_get_ext_d2i(cert,NID_subject_alt_name,0,0);
77 num = sk_GENERAL_NAME_num(extensions);
79 for (i = 0; i <
num; ++i) {
80 ext = sk_GENERAL_NAME_value(extensions,i);
81 if (
ext->type == GEN_DNS) {
82 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
83 if (ASN1_STRING_type(
ext->d.ia5) != V_ASN1_IA5STRING)
continue;
84 dnsname = (
char *)ASN1_STRING_data(
ext->d.ia5);
86 if (OBJ_sn2nid((
const char*)
ext->d.ia5) != V_ASN1_IA5STRING)
continue;
87 dnsname = (
char *)ASN1_STRING_get0_data(
ext->d.ia5);
89 len = ASN1_STRING_length(
ext->d.ia5);
95 X509_NAME_get_text_by_NID(X509_get_subject_name(cert),NID_commonName,
buf,
sizeof(
buf));
113 if (fflag > 3 && verify > -2) {
114 if (SSL_get_verify_result(
ssl) != X509_V_OK)
return -2;
127int dig_ascii(
char *digascii,
const char *digest,
const int len)
129 static const char hextab[] =
"0123456789abcdef";
132 for (
j = 0;
j < len;
j++) {
133 digascii[2 *
j] = hextab[(
unsigned char)digest[
j] >> 4];
134 digascii[2 *
j + 1] = hextab[(
unsigned char)digest[
j] & 0x0f];
136 digascii[2 * len] =
'\0';
148 unsigned int len = 0;
149 unsigned int size = 2048;
152 unsigned char buffer[
size];
156 if (!X509_get0_pubkey_bitstr(cert))
return 0;
158 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert),0);
159 if (len >
size)
return 0;
161 i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert),(
unsigned char **)&
buf2);
162 if (
buf2 -
buf != len)
return 0;
164 if (!EVP_Digest(
buf,len,md,
dlen,type,0))
return 0;
174 const EVP_MD *methodsha256 = EVP_sha256();
175 const EVP_MD *methodsha512 = EVP_sha512();
179 unsigned char digest[EVP_MAX_MD_SIZE];
180 unsigned int dlen = 0;
184 char port[FMT_ULONG];
191 if (
host.len < 2)
return 0;
198 if (dns_cname(&cn,&
sa) > 0)
202 if (
out.len < 5)
return -1;
212 type = (
unsigned char)
out.s[i + 2];
214 unsigned len = sk_X509_num(certs);
215 for (n = 0; n < len; n++) {
216 X509 *cert = sk_X509_value(certs,n);
220 }
else if (type == 2) {
226 if (!byte_diff(digest,
dlen,
out.s + i + 3))
return ++
usage;
230 }
while (i <
out.len - 4);
237 const EVP_MD *methodsha1 = EVP_sha1();
238 const EVP_MD *methodsha224 = EVP_sha224();
239 const EVP_MD *methodsha256 = EVP_sha256();
240 const EVP_MD *methodsha512 = EVP_sha512();
241 unsigned char digest[EVP_MAX_MD_SIZE];
242 unsigned char digascii[257];
246 case 40:
if (!X509_digest(cert,methodsha1,digest,&len))
return -2;
247 case 56:
if (!X509_digest(cert,methodsha224,digest,&len))
return -2;
248 case 64:
if (!X509_digest(cert,methodsha256,digest,&len))
return -2;
249 case 128:
if (!X509_digest(cert,methodsha512,digest,&len))
return -2;
254 if (!str_diffn(digascii,fingerprint,len))
return 1;
261 if (SSL_shutdown(
ssl) == 0)
283 stralloc tlshost = {0};
317 for (i = 0; i < tlshost.len; ++i)
318 if ((i == 0) || (tlshost.s[i] ==
'.')) {
324 for (i = 0; i < tlshost.len; ++i)
325 if ((i == 0) || (tlshost.s[i] ==
'.')) {
331 for (i = 0; i < tlshost.len; ++i)
332 if ((i == 0) || (tlshost.s[i] ==
'.')) {
338 for (i = 0; i < tlshost.len; ++i)
339 if ((i == 0) || (tlshost.s[i] ==
'.')) {
345 for (i = 0; i < tlshost.len; ++i)
346 if ((i == 0) || (tlshost.s[i] ==
'.')) {
378 for (i = 0; i < domainname.len; ++i)
379 if ((i == 0) || (domainname.s[i] ==
'.'))
int stralloc_copys(stralloc *, char const *)
int dns_tlsa(stralloc *out, const stralloc *fqdn)
void p(char *, char *, int, int, int)
int tls_domaincerts(const stralloc domainname)
int tls_fingerprint(X509 *cert, const char *fingerprint, int dlen)
int tls_checkcrl(SSL *ssl)
int X509_pkey_digest(const X509 *cert, const EVP_MD *type, unsigned char *md, unsigned int *dlen)
int tls_conn(SSL *ssl, int smtpfd)
int tls_destination(const stralloc hostname)
tls_destination
int tlsa_check(const STACK_OF(X509) *certs, const stralloc host, const unsigned long p)
int dig_ascii(char *digascii, const char *digest, const int len)
int tls_certkey(SSL_CTX *ctx, const char *cert, const char *key, char *ppwd)
int tls_checkpeer(SSL *ssl, X509 *cert, const stralloc host, const int flag, const int verify)
struct constmap maptlsdestinations
struct constmap mapdomaincerts