請問一個micro_httpd + openssl的問題 - 資安

By Mason
at 2005-07-13T18:39


我把openssl加進micro_httpd,
httpd run起來以後,
當我用https去連網頁的時候,
出現這個error message:

s3_pkt: 418 //error returned in file s3_pkt.c, line 418
error code = -1, 1, 336131157
SSL routines //error library
SSL3_GET_RECORD //error function
decryption failed or bad record mac //error reason

在呼叫SSL_accept(...)的時候就會return這個error,
請問這個問題該怎麼解決?
希望各位前輩高手能提供小弟一些意見,感激不盡.....
ps.我的openssl是0.9.6d

下面是我的httpd的code
//Jason...
.這是我加的部分
.
.
//________________
==================================webmain=============================
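/*
 * Main loop of the (micro_httpd derived) web server.
 *
 * When the global `do_ssl` is set, regenerates the certificate via
 * /var/gencert.sh, builds an SSL_CTX from CERT_FILE/KEY_FILE and wraps
 * every accepted connection in an SSL BIO chain; otherwise each connection
 * is handled through a plain fdopen()'d stream.  The loop select()s on the
 * listen socket with a MONLOOP_TIMEOUT; on timeout (or when istimeout()
 * fires) it runs BcmWan_monitorInterfaces().  Reboot/restore/upload results
 * from handle_request() are remembered in `rebootFlag` and acted on in the
 * next idle iteration.
 *
 * Uses the file-scope `ssl` and `conn_fp` objects (not declared here).
 *
 * Returns WEB_STS_OK when the loop exits normally, or errno when the PID
 * file, accept() or fdopen() fails.  Calls exit() on SSL context/certificate
 * setup failure and when the listen socket cannot be bound.
 */
int webmain(void)
{
    usockaddr usa;
    int listen_fd;
    int conn_fd;
    socklen_t sz = sizeof(usa);
    FILE *pid_fp;
    /* modify from original (PT) */
    int nready;
    int done = 0;
    int ret = 0;
    int retFlag = WEB_STS_OK, rebootFlag = WEB_STS_OK;
    extern void destroy(void);
    fd_set rset;
    struct timeval to;
    struct timeval tv;
    /* Was uninitialized: istimeout() reads it on the first accepted
     * connection before any resettimeout() has run.  Zero makes that first
     * check deterministic instead of an uninitialized read. */
    unsigned long timestamp = 0;

    //Jason added, 2005/06/29
    BIO *sbio;
    SSL_CTX *ctx = NULL;
    int r;
    BIO *ssl_bio;
    int err;
    unsigned long int e;
    //_______________________

    // register SIGUSR1 handler
    signal(SIGUSR1, sigUserHandler);
    /* end modify */

    /* Ignore broken pipes */
    signal(SIGPIPE, SIG_IGN);
    signal(SIGINT, SIG_IGN);

    //Jason added, 2005/06/27
    /* Build our SSL context */
    fprintf(stderr, "HTTPS enable\n\n\n\n\n\n");
    if (do_ssl) {
        bcmSystemMute("cp /etc/gencert.sh /var/gencert.sh");
        /* gencert.sh is run relative to /var; report (but tolerate) a
         * failed chdir so a later "Cann't read" message is explainable. */
        if (chdir("/var") != 0) {
            perror("chdir /var");
        }
        fprintf(stderr, "./gencert.sh 1096531622\n\n");
        bcmSystemMute("./gencert.sh 1096531622");
        fprintf(stderr, "https initialize\n");
        SSLeay_add_ssl_algorithms(); //call SSL_library_init(void)
        SSL_load_error_strings();    //good reporting of errors
        ctx = SSL_CTX_new(SSLv23_server_method()); //Setting up a secure connection
        if (ctx == NULL) {
            fprintf(stderr, "SSL_CTX_new() error\n");
            exit(1);
        }
        /* SSLv23_server_method() also negotiates SSLv2; refuse it. */
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);

        //read file
        if (SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM) == 0) {
            //if (SSL_CTX_use_certificate_chain_file(ctx, CERT_FILE) == 0)
            //cprintf("Cann't read %s\n", CERT_FILE);
            fprintf(stderr, "Cann't read %s\n", CERT_FILE);
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        if (SSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, SSL_FILETYPE_PEM) == 0) {
            //cprintf("Cann't read %s\n", KEY_FILE);
            fprintf(stderr, "Cann't read %s\n", KEY_FILE);
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        if (SSL_CTX_check_private_key(ctx) == 0) {
            //cprintf("Check private key fail\n");
            fprintf(stderr, "Check private key fail\n");
            ERR_print_errors_fp(stderr);
            exit(1);
        }
    }
    //_________________________

    /* Initialize listen socket */
    if ((listen_fd = initialize_listen_socket(&usa)) < 0) {
        fprintf(stderr, "can't bind to any address\n");
        exit(errno);
    }

    /* Daemonize and log PID */
    /* Comment out daemon() to remove zombie process */
    /*if (daemon(1, 1) == -1) {
    perror("daemon");
    exit(errno);
    }*/
    if (!(pid_fp = fopen("/var/run/httpd_pid", "w"))) {
        perror("/var/run/httpd_pid");
        return errno;
    }
    fprintf(pid_fp, "%d\n", (int)getpid());
    fclose(pid_fp);

    /* modify from original (PT) */
    cgiGetAllInfo();
    /* end modify */

    /* Loop forever handling requests */
    for (;;) {
        FD_ZERO(&rset);
        FD_SET(listen_fd, &rset);
        to.tv_sec = MONLOOP_TIMEOUT;
        to.tv_usec = 0;

        nready = select(listen_fd + 1, &rset, NULL, NULL, &to);
        if (nready == 0) { //timeout
            BcmWan_monitorInterfaces(&done);
            resettimeout(&timestamp);
        } else if (nready == -1) {
            //perror("select");
            //printf("!!! HTTP server is received request with nready == -1 !!!\n");
            usleep(100);
            continue;
        } else if (nready != 1) {
            perror("select");
#ifdef BRCM_DEBUG
            printf("app: HTTP server received request with nready == %d\n", nready);
#endif
        }

        if (istimeout(&timestamp, MONLOOP_TIMEOUT)) {
            BcmWan_monitorInterfaces(&done);
            resettimeout(&timestamp);
        }

#ifdef BRCM_DEBUG
        if (done == 0)
            printf("app: HTTP server received request but monitor service is NOT done\n");
#endif

        if (FD_ISSET(listen_fd, &rset)) {
            /* accept() treats sz as in/out; reset it on every call. */
            sz = sizeof(usa);
            if ((conn_fd = accept(listen_fd, &usa.sa, &sz)) < 0) {
                perror("accept");
                shutdown(listen_fd, 2);
                close(listen_fd);
                return errno;
            }
            //#ifdef SUPPORT_TOD
            /* Commands below are run through a shell; they are built with
             * snprintf and skipped on truncation so a too-long value can
             * never overflow cmd or produce a mangled command line. */
            char cmd[64] = "";
            int len = snprintf(cmd, sizeof cmd, "echo %s > /var/fromip",
                               inet_ntoa(usa.sa_in.sin_addr));
            if (len > 0 && (size_t)len < sizeof cmd) {
                bcmSystemMute(cmd);
            }
            //#endif
            tv.tv_sec = 1;
            tv.tv_usec = 0;
            setsockopt(conn_fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
            /* gavin comment
            retFlag = early_auth(conn_fd, usa.sa_in.sin_addr);
            if ( retFlag != 0) {
            close(conn_fd); // go away
            continue;
            }
            */
            //Jason added, 2006/06/27
            if (do_ssl) {
                fprintf(stderr, "https request\n");
                /*
                if(check_action() == ACT_WEB_UPGRADE)
                { // We don't want user to use web (https) during web (http) upgrade.
                fprintf(stderr, "httpsd: nothing to do...\n");
                return -1;
                }
                */
                sbio = BIO_new_socket(conn_fd, BIO_NOCLOSE);
                ssl = (sbio != NULL) ? SSL_new(ctx) : NULL;
                if (ssl == NULL) {
                    /* Previously SSL_set_bio() was reached with a NULL
                     * object on allocation failure. */
                    fprintf(stderr, "BIO_new_socket()/SSL_new() failed\n");
                    ERR_print_errors_fp(stderr);
                    BIO_free(sbio); /* NULL-safe */
                    close(conn_fd);
                    continue;
                }

                /* SSL_set_bio() transfers ownership of sbio to ssl. */
                SSL_set_bio(ssl, sbio, sbio);

                r = SSL_accept(ssl);
                if (r <= 0) {
                    const char *lib_s, *func_s, *reason_s;
                    err = SSL_get_error(ssl, r);
                    e = ERR_get_error();
                    /* e is unsigned long: %lu (a mismatched specifier is UB). */
                    fprintf(stderr, "error code = %d, %d, %lu\n", r, err, e);
                    /* The ERR_*_string() lookups return NULL for unknown codes;
                     * passing NULL to %s is UB. */
                    lib_s = ERR_lib_error_string(e);
                    func_s = ERR_func_error_string(e);
                    reason_s = ERR_reason_error_string(e);
                    fprintf(stderr, "%s\n", lib_s ? lib_s : "(unknown lib)");
                    fprintf(stderr, "%s\n", func_s ? func_s : "(unknown func)");
                    fprintf(stderr, "%s\n", reason_s ? reason_s : "(unknown reason)");
                    //berr_exit("SSL accept error");
                    //ct_syslog(LOG_ERR, httpd_level, "SSL accept error");
                    fprintf(stderr, "httpd:878, something error here\n");
                    /*
                    s3_pkt: 418
                    error code = -1, 1, 336131157
                    SSL routines
                    SSL3_GET_RECORD
                    decryption failed or bad record mac
                    */
                    /* Was leaked on every failed handshake; SSL_free() also
                     * releases sbio (BIO_NOCLOSE, so conn_fd is still ours). */
                    SSL_free(ssl);
                    ssl = NULL;
                    close(conn_fd);
                    continue;
                }

                conn_fp = (webs_t)BIO_new(BIO_f_buffer());
                ssl_bio = BIO_new(BIO_f_ssl());
                if (conn_fp == NULL || ssl_bio == NULL) {
                    fprintf(stderr, "BIO_new() failed\n");
                    ERR_print_errors_fp(stderr);
                    BIO_free((BIO *)conn_fp); /* NULL-safe */
                    BIO_free(ssl_bio);        /* NULL-safe */
                    SSL_free(ssl);
                    ssl = NULL;
                    close(conn_fd);
                    continue;
                }
                /* BIO_CLOSE: freeing the chain via wfclose() frees ssl too. */
                BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
                BIO_push((BIO *)conn_fp, ssl_bio);
            } else if (!(conn_fp = fdopen(conn_fd, "r+"))) {
                perror("fdopen");
                shutdown(listen_fd, 2);
                close(listen_fd);
                return errno;
            }

#ifdef SES
            wlApplySetting = FALSE;
            wlRestoreDefault = FALSE;
#endif

            //gavin added for mac clone
            /* NOTE(review): the MAC string comes from get_mac_from_ip(),
             * a project lookup keyed by the peer address; it is assumed to
             * be a plain MAC literal, not peer-controlled text. */
            len = snprintf(cmd, sizeof cmd, "echo %s > /var/clonemac",
                           get_mac_from_ip(inet_ntoa(usa.sa_in.sin_addr)));
            if (len > 0 && (size_t)len < sizeof cmd) {
                bcmSystemMute(cmd);
            }

            //gavin added for mac clone
            retFlag = handle_request(usa.sa_in.sin_addr);

            // keep the reboot or restore flag to be used
            // when there is no activity in listen_fd
            if (retFlag == WEB_STS_RESTORE ||
                retFlag == WEB_STS_REBOOT ||
                retFlag == WEB_STS_UPLOAD)
                rebootFlag = retFlag;

            //Jason modified, 2005/06/27
            /*
            ret = fflush(conn_fp);
            fclose(conn_fp);
            close(conn_fd);
            */
            ret = wfflush(conn_fp);
            wfclose(conn_fp);
            /* NOTE(review): on the plain-HTTP path conn_fp owns conn_fd
             * (fdopen), so if wfclose() is fclose() this close() is a
             * second close of the same descriptor — confirm what wfclose()
             * does for a non-SSL stream. */
            close(conn_fd);
            //__________________________

#ifdef SES
            if (wlApplySetting) {
                BcmWl_Setup(WL_SETUP_SECURITY);
            }
            if (wlRestoreDefault) {
                BcmWl_Retrieve(TRUE);
                BcmWl_Store();
                BcmPsi_flush();
                BcmWl_stopService();
                BcmWl_Setup(WL_SETUP_ALL);
                BcmWl_startService();
            }
#endif
        } else { // if no activity in listen_fd descriptor
            if (rebootFlag == WEB_STS_RESTORE) {
                cgiRestoreDefault();
                shutdown(listen_fd, 2);
                close(listen_fd);
                destroy();
            } else if (rebootFlag == WEB_STS_REBOOT) {
                cgiReboot();
                shutdown(listen_fd, 2);
                close(listen_fd);
                destroy();
            } else if (rebootFlag == WEB_STS_UPLOAD) {
                do_upload_post();
            }
        } // FD_ISSET

    } // for

    shutdown(listen_fd, 2);
    close(listen_fd);

    (void)ret;
    return WEB_STS_OK;
}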

--
Tags: 資安
