Problem - Kevin Tafuro

          if (!fgets(answer, sizeof(answer), stdin)) continue;
          if (answer[0] == 'r' || answer[0] == 'R') return 0;   /* reject the certificate */
          if (answer[0] == 'o' || answer[0] == 'O') return 1;   /* accept it this one time only */
          if (answer[0] == 'a' || answer[0] == 'A') break;      /* accept it and remember it */
        }
        /* Recover the SSL object and our own store from the verification context,
           then record the accepted certificate under the configured CA path. */
        ssl_ptr = (SSL *)X509_STORE_CTX_get_app_data(store);
        ctx = SSL_get_SSL_CTX(ssl_ptr);
        spc_store = (spc_x509store_t *)SSL_CTX_get_app_data(ctx);
        if (!spc_store->capath || !spc_remember_cert(spc_store->capath, cert))
          printf("Error remembering certificate! It will be accepted this one time "
                 "only.\n");
        return 1;
      }

For keys, we will store the base64-encoded key in a flat file, much as OpenSSH does. We will also associate the IP address of the server that presented the key so that we can determine when the server's key has changed and warn the user. When we receive a key that we'd like to check to see whether we already know about it, we can call spc_lookup_key( ) with the filename of the key store, the IP number we received the key from, and the key we've just received. If we do not know anything about the key or if some kind of error occurs, 0 is returned. If we know about the key, and everything matches (that is, the IP numbers and the keys are the same), 1 is returned. If we have a key stored for the IP number and it does not match the key we have just received, -1 is returned.

If you have multiple servers running on the same system, you need to make sure that they each keep separate caches so that the keys and IP numbers do not collide.
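The lookup contract described above, as an added example in C that is not the book's code: lookup_key( ) and the sample store are constructed here, and the store is held in memory as "ip base64-key" lines instead of being read from a file, which is all that is needed to show the 0 / 1 / -1 decision.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample key store in the flat-file layout described above: one
 * "ip-address base64-key" pair per line.  Example data, not from the book. */
static const char *sample_store =
    "192.0.2.10 QUJDREVGR0hJSktMTU5PUA==\n"
    "192.0.2.11 VVZXWFlaMDEyMzQ1Njc4OQ==\n";

/* Look up (ip, key) in an in-memory copy of the store.  Return values follow
 * the spc_lookup_key() contract on this page:
 *   0  ip not in the store, or a malformed store (treated as "don't know")
 *   1  ip found and the stored key equals the presented key
 *  -1  ip found but the stored key differs: the server's key has changed */
int lookup_key(const char *store, const char *ip, const char *b64key) {
  const char *line = store;
  char buf[600], stored_ip[64], stored_key[512];

  if (!store || !ip || !b64key) return 0;
  while (*line) {
    const char *eol = strchr(line, '\n');
    size_t len = eol ? (size_t)(eol - line) : strlen(line);

    if (len >= sizeof(buf)) return 0;          /* oversized line: treat as error */
    memcpy(buf, line, len);
    buf[len] = '\0';
    line += eol ? len + 1 : len;

    /* Width limits keep sscanf from overrunning the destination buffers. */
    if (sscanf(buf, "%63s %511s", stored_ip, stored_key) != 2) return 0;
    if (strcmp(stored_ip, ip) != 0) continue;  /* entry for a different server */

    /* First entry for this IP decides; a store holds one key per address. */
    return strcmp(stored_key, b64key) == 0 ? 1 : -1;
  }
  return 0;                                    /* never seen this server before */
}

int main(void) {
  const char *key_a = "QUJDREVGR0hJSktMTU5PUA==";
  printf("%d\n", lookup_key(sample_store, "192.0.2.10", key_a));   /* known, matches */
  printf("%d\n", lookup_key(sample_store, "192.0.2.10", "Zm9v"));  /* known, key changed */
  printf("%d\n", lookup_key(sample_store, "192.0.2.99", key_a));   /* unknown server */
  return 0;
}
```

A -1 result is the case the text says must warn the user; a caller should never silently fall back to accepting the new key there.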

    /* The header names were lost in extraction; these are the headers the code
       shown here needs. */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/evp.h>
    #include <openssl/x509.h>

    static int get_keydata(EVP_PKEY *key, char **keydata) {
      BIO  *b64 = 0, *bio = 0;
      int  keytype, length;
      char *dummy;

      *keydata = 0;
      /* key->type is only visible in OpenSSL 1.0.x and earlier; on 1.1+ the
         struct is opaque and EVP_PKEY_base_id(key) gives the same value. */
      keytype = EVP_PKEY_type(key->type);
      /* First call sizes the DER encoding, second call writes it into the buffer. */
      if (!(length = i2d_PublicKey(key, 0))) goto error_exit;
      if (!(dummy = *keydata = (char *)malloc(length))) goto error_exit;
      i2d_PublicKey(key, (unsigned char **)&dummy);

Minimizing the Window of Vulnerability When Authenticating Without a PKI | 441<br />

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
