
    if (!fgets(answer, sizeof(answer), stdin)) continue;
    if (answer[0] == 'r' || answer[0] == 'R') return 0;   /* reject the certificate */
    if (answer[0] == 'o' || answer[0] == 'O') return 1;   /* accept it this one time */
    if (answer[0] == 'a' || answer[0] == 'A') break;      /* accept and remember it */
  }
  /* Recover our spc_x509store_t from the SSL object behind this verification. */
  ssl_ptr = (SSL *)X509_STORE_CTX_get_app_data(store);
  ctx = SSL_get_SSL_CTX(ssl_ptr);
  spc_store = (spc_x509store_t *)SSL_CTX_get_app_data(ctx);
  if (!spc_store->capath || !spc_remember_cert(spc_store->capath, cert))
    printf("Error remembering certificate!  It will be accepted this one time "
           "only.\n");
  return 1;
}

For keys, we will store the base64-encoded key in a flat file, much as OpenSSH does. We will also associate the IP address of the server that presented the key so that we can determine when the server's key has changed and warn the user. When we receive a key that we'd like to check to see whether we already know about it, we can call spc_lookup_key( ) with the filename of the key store, the IP number we received the key from, and the key we've just received. If we do not know anything about the key or if some kind of error occurs, 0 is returned. If we know about the key, and everything matches—that is, the IP numbers and the keys are the same—1 is returned. If we have a key stored for the IP number and it does not match the key we have just received, –1 is returned.

If you have multiple servers running on the same system, you need to make sure that they each keep separate caches so that the keys and IP numbers do not collide.
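The lookup contract just described, as an added example that is not the book's code: it assumes a store format of one IP address and one base64 key per line, separated by a space, and uses only the C standard library so that it runs without OpenSSL.

```c
/* Added example, not the book's code: a known-hosts style lookup with the
 * return contract described in the text. Assumed store format: one
 * "<ip> <base64-key>" pair per line (the book's own file layout may differ). */
#include <stdio.h>
#include <string.h>

/* 1: ip known and key matches; -1: ip known but key differs (warn the user);
 * 0: ip unknown, malformed store, or I/O error. */
int lookup_key_stream(FILE *fp, const char *ip, const char *b64key) {
  char line[4096], *saved_key, *nl;
  if (!fp || !ip || !b64key) return 0;
  while (fgets(line, sizeof(line), fp)) {
    nl = strchr(line, '\n');
    if (!nl && strlen(line) == sizeof(line) - 1) return 0; /* over-long line */
    if (nl) *nl = '\0';
    if (line[0] == '\0' || line[0] == '#') continue;       /* blank or comment */
    if (!(saved_key = strchr(line, ' '))) continue;        /* malformed entry */
    *saved_key++ = '\0';
    while (*saved_key == ' ') saved_key++;
    if (strcmp(line, ip) != 0) continue;
    /* The stored key is public data, so a plain strcmp is adequate here. */
    return strcmp(saved_key, b64key) == 0 ? 1 : -1;
  }
  return 0;
}
/* File-based front end with the same contract as the text's spc_lookup_key(). */
int lookup_key(const char *filename, const char *ip, const char *b64key) {
  FILE *fp = fopen(filename, "r");
  int rc;
  if (!fp) return 0;
  rc = lookup_key_stream(fp, ip, b64key);
  fclose(fp);
  return rc;
}
/* Constructed sample store; the base64 strings are placeholders, not real keys. */
static const char SAMPLE_STORE[] =
  "# ip  base64-encoded public key\n"
  "192.0.2.10 QUJDREVGR0hJSktMTU5PUA==\n"
  "192.0.2.11 WVpBQkNERUZHSElKS0xNTk8=\n";
/* Loads the constructed store into a temporary file so the example runs offline. */
int lookup_in_sample(const char *ip, const char *b64key) {
  FILE *fp = tmpfile();
  int rc;
  if (!fp) return 0;
  fputs(SAMPLE_STORE, fp);
  rewind(fp);
  rc = lookup_key_stream(fp, ip, b64key);
  fclose(fp);
  return rc;
}
```

The -1 case is the one that matters operationally: a changed key for a known IP is either a legitimate rekey or an interposed server, and the caller must surface it to the user rather than silently updating the store.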

#include
#include
#include
#include
#include
#include
#include

static int get_keydata(EVP_PKEY *key, char **keydata) {
  BIO  *b64 = 0, *bio = 0;
  int  keytype, length;
  char *dummy;

  *keydata = 0;
  keytype = EVP_PKEY_type(key->type);
  /* First call sizes the DER encoding; second call writes it into the buffer. */
  if (!(length = i2d_PublicKey(key, 0))) goto error_exit;
  if (!(dummy = *keydata = (char *)malloc(length))) goto error_exit;
  i2d_PublicKey(key, (unsigned char **)&dummy);

Minimizing the Window of Vulnerability When Authenticating Without a PKI | 441<br />
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.