1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
/* Copyright (c) 2012, Jacob Appelbaum
* Copyright (c) 2012, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file tlsdate-helper.h
* \brief The secondary header for our clock helper.
**/
#ifndef TLSDATEHELPER_H
#define TLSDATEHELPER_H
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef TARGET_OS_HAIKU
#include <posix/string.h>
#include <bsd/string.h>
#endif
#include <unistd.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <time.h>
#include <pwd.h>
#include <grp.h>
#include <arpa/inet.h>
#include <ctype.h>
#ifdef HAVE_PRCTL
#include <sys/prctl.h>
#endif
#ifndef USE_POLARSSL
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#endif
int verbose;
int verbose_debug;
#include "src/util.h"
/** Name of user that we feel safe to run SSL handshake with. */
#ifndef UNPRIV_USER
#define UNPRIV_USER "nobody"
#endif
#ifndef UNPRIV_GROUP
#define UNPRIV_GROUP "nogroup"
#endif
// We should never accept a time before we were compiled
// We measure in seconds since the epoch - eg: echo `date '+%s'`
// We set this manually to ensure others can reproduce a build;
// automation of this will make every build different!
#ifndef RECENT_COMPILE_DATE
#define RECENT_COMPILE_DATE 1342323666L
#endif
#ifndef MAX_REASONABLE_TIME
#define MAX_REASONABLE_TIME 1999991337L
#endif
#ifndef MIN_PUB_KEY_LEN
#define MIN_PUB_KEY_LEN (uint32_t) 1023
#endif
#ifndef MIN_ECC_PUB_KEY_LEN
#define MIN_ECC_PUB_KEY_LEN (uint32_t) 160
#endif
#ifndef MAX_ECC_PUB_KEY_LEN
#define MAX_ECC_PUB_KEY_LEN (uint32_t) 521
#endif
// After the duration of the TLS handshake exceeds this threshold
// (in msec), a warning is printed.
#define TLS_RTT_THRESHOLD 2000
// After the duration of the TLS handshake exceeds this threshold
// (in msec), we consider the operation to have failed.
#define TLS_RTT_UNREASONABLE 30000
// RFC 5280 says...
// ub-common-name-length INTEGER ::= 64
#define MAX_CN_NAME_LENGTH 64
// RFC 1034 and posix say...
#define TLSDATE_HOST_NAME_MAX 255
// To support our RFC 2595 wildcard verification
#define RFC2595_MIN_LABEL_COUNT 3
// Define a max length for the HTTP Date: header
#define MAX_DATE_LINE_LEN 32
// Define a max length for HTTP headers
#define MAX_HTTP_HEADERS_SIZE 8192
// Define our basic HTTP request
#define HTTP_REQUEST \
"HEAD / HTTP/1.1\r\n" \
"User-Agent: %s\r\n" \
"Host: %s\r\n" \
"\r\n"
static int ca_racket;
static const char *host;
static const char *hostname_to_verify;
static const char *port;
static const char *protocol;
static char *proxy;
static const char *ca_cert_container;
#ifndef USE_POLARSSL
uint32_t get_certificate_keybits (EVP_PKEY *public_key);
uint32_t check_cn (SSL *ssl, const char *hostname);
uint32_t check_san (SSL *ssl, const char *hostname);
long openssl_check_against_host_and_verify (SSL *ssl);
uint32_t check_name (SSL *ssl, const char *hostname);
uint32_t verify_signature (SSL *ssl, const char *hostname);
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);
#endif
uint32_t dns_label_count (char *label, char *delim);
uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
const char *orig_cert_wild_card);
static void run_ssl (uint32_t *time_map, int time_is_an_illusion, int http);
#endif
|
