1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
/* Copyright (c) 2012, Jacob Appelbaum
* Copyright (c) 2012, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file tlsdate-helper.h
* \brief The secondary header for our clock helper.
**/
#ifndef TLSDATEHELPER_H
#define TLSDATEHELPER_H
#include <stdarg.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <pwd.h>
#include <grp.h>
#include <arpa/inet.h>
#include <ctype.h>
#ifndef USE_POLARSSL
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#endif
int verbose;
#include "src/util.h"
/** Name of user that we feel safe to run SSL handshake with. */
#ifndef UNPRIV_USER
#define UNPRIV_USER "nobody"
#endif
#ifndef UNPRIV_GROUP
#define UNPRIV_GROUP "nogroup"
#endif
// We should never accept a time before we were compiled
// We measure in seconds since the epoch - eg: echo `date '+%s'`
// We set this manually to ensure others can reproduce a build;
// automation of this will make every build different!
#ifndef RECENT_COMPILE_DATE
#define RECENT_COMPILE_DATE (uint32_t) 1342323666
#endif
#ifndef MAX_REASONABLE_TIME
#define MAX_REASONABLE_TIME (uint32_t) 1999991337
#endif
#ifndef MIN_PUB_KEY_LEN
#define MIN_PUB_KEY_LEN (uint32_t) 1023
#endif
#ifndef MIN_ECC_PUB_KEY_LEN
#define MIN_ECC_PUB_KEY_LEN (uint32_t) 160
#endif
#ifndef MAX_ECC_PUB_KEY_LEN
#define MAX_ECC_PUB_KEY_LEN (uint32_t) 521
#endif
// After the duration of the TLS handshake exceeds this threshold
// (in msec), a warning is printed.
#define TLS_RTT_THRESHOLD 2000
// RFC 5280 says...
// ub-common-name-length INTEGER ::= 64
#define MAX_CN_NAME_LENGTH 64
// RFC 1034 and posix say...
#define TLSDATE_HOST_NAME_MAX 255
// To support our RFC 2595 wildcard verification
#define RFC2595_MIN_LABEL_COUNT 3
static int ca_racket;
static const char *host;
static const char *hostname_to_verify;
static const char *port;
static const char *protocol;
static char *proxy;
static const char *ca_cert_container;
#ifndef USE_POLARSSL
void openssl_time_callback (const SSL* ssl, int where, int ret);
uint32_t get_certificate_keybits (EVP_PKEY *public_key);
uint32_t check_cn (SSL *ssl, const char *hostname);
uint32_t check_san (SSL *ssl, const char *hostname);
long openssl_check_against_host_and_verify (SSL *ssl);
uint32_t check_name (SSL *ssl, const char *hostname);
uint32_t verify_signature (SSL *ssl, const char *hostname);
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);
#endif
uint32_t dns_label_count (char *label, char *delim);
uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
const char *orig_cert_wild_card);
static void run_ssl (uint32_t *time_map, int time_is_an_illusion);
#endif
|