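/* Example 1: tls_ctx_load_pkcs12 */
/*
 * Load a PKCS#12 bundle (end-entity certificate, private key and an
 * optional CA chain) into ctx->ctx.
 *
 * pkcs12_file         path of the bundle, or INLINE_FILE_TAG when the
 *                     bundle is supplied inline (ENABLE_INLINE_FILES)
 * pkcs12_file_inline  base64 PKCS#12 text used when pkcs12_file is the
 *                     inline tag
 * load_ca_file        when true, the CA certificates carried in the
 *                     bundle are added to the context's certificate
 *                     store and to its client-CA list
 *
 * Returns 0 on success and 1 when the bundle could not be opened with
 * the password obtained from pem_password_callback().  All other
 * failures are reported through msg(M_SSLERR, ...); the code following
 * each such call relies on msg() not returning for M_SSLERR (e.g. p12 is
 * dereferenced right after the "Error reading" message).
 */
int
tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
#if ENABLE_INLINE_FILES
                    const char *pkcs12_file_inline,
#endif /* ENABLE_INLINE_FILES */
                    bool load_ca_file
                    )
{
  FILE *fp;
  EVP_PKEY *pkey = NULL;
  X509 *cert = NULL;
  STACK_OF(X509) *ca = NULL;
  PKCS12 *p12;
  int i;
  char password[256] = { 0 };

  ASSERT(NULL != ctx);

#if ENABLE_INLINE_FILES
  if (!strcmp (pkcs12_file, INLINE_FILE_TAG) && pkcs12_file_inline)
    {
      /* Decode the inline base64 text through a memory BIO. */
      BIO *b64 = BIO_new(BIO_f_base64());
      BIO *bio = BIO_new_mem_buf((void *) pkcs12_file_inline,
                                 (int) strlen(pkcs12_file_inline));
      ASSERT(b64 && bio);
      BIO_push(b64, bio);
      p12 = d2i_PKCS12_bio(b64, NULL);
      if (!p12)
        msg(M_SSLERR, "Error reading inline PKCS#12 file");
      BIO_free(b64);
      BIO_free(bio);
    }
  else
#endif
    {
      /* Load the PKCS #12 file */
      if (!(fp = platform_fopen(pkcs12_file, "rb")))
        msg(M_SSLERR, "Error opening file %s", pkcs12_file);
      p12 = d2i_PKCS12_fp(fp, NULL);
      fclose(fp);
      if (!p12)
        msg(M_SSLERR, "Error reading PKCS#12 file %s", pkcs12_file);
    }

  /* First try the empty password: many bundles are not protected. */
  if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
    {
      pem_password_callback (password, sizeof(password) - 1, 0, NULL);

      /*
       * The failed empty-password attempt left its own entries on the
       * thread's error queue, and ERR_peek_error() reports the OLDEST
       * entry.  Clear the queue so the reason inspected below belongs to
       * the attempt made with the real password.
       */
      ERR_clear_error();

      /* Reparse the PKCS #12 file with password */
      ca = NULL;
      if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
        {
#ifdef ENABLE_MANAGEMENT
          /* A MAC failure means "wrong password": let the management
           * interface know so it can re-prompt. */
          if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
            management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
#endif
          /* Do not leave the password behind on the stack. */
          OPENSSL_cleanse(password, sizeof(password));
          PKCS12_free(p12);
          return 1;
        }
    }
  /* The password is no longer needed; wipe it before continuing. */
  OPENSSL_cleanse(password, sizeof(password));
  PKCS12_free(p12);

  /* Load Certificate */
  if (!SSL_CTX_use_certificate (ctx->ctx, cert))
    msg (M_SSLERR, "Cannot use certificate");

  /* Load Private Key */
  if (!SSL_CTX_use_PrivateKey (ctx->ctx, pkey))
    msg (M_SSLERR, "Cannot use private key");
  warn_if_group_others_accessible (pkcs12_file);

  /* Check Private Key */
  if (!SSL_CTX_check_private_key (ctx->ctx))
    msg (M_SSLERR, "Private key does not match the certificate");

  /* Set Certificate Verification chain */
  if (load_ca_file)
    {
      if (ca && sk_X509_num(ca))
        {
          for (i = 0; i < sk_X509_num(ca); i++)
            {
              if (!X509_STORE_add_cert(ctx->ctx->cert_store, sk_X509_value(ca, i)))
                msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
              if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i)))
                msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
            }
        }
    }

  /*
   * SSL_CTX_use_certificate(), SSL_CTX_use_PrivateKey() and
   * X509_STORE_add_cert() take their own references, so the objects
   * returned by PKCS12_parse() are released here instead of leaking.
   * Each of these free functions accepts NULL.
   */
  X509_free(cert);
  EVP_PKEY_free(pkey);
  sk_X509_pop_free(ca, X509_free);
  return 0;
}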
开发者ID:ThomasHabets,项目名称:openvpn,代码行数:91,
/* Example 2: SSL_get_error */
//
// Classify the result of the last SSL_read/SSL_write-style call on m_ssl.
//
// status: the value returned by that SSL call.
// retry:  in/out retry counter. Reset to 0 on completion or on any fatal
//         condition, incremented for each "want" condition so the caller
//         can try the operation again.
//
// Fatal conditions are recorded via isFatal(true); at the end the socket is
// reported (showError) and torn down (disconnect) when isFatal() is set.
void
SecureSocket::checkResult(int status, int& retry)
{
	// ssl errors are a little quirky. the "want" errors are normal and
	// should result in a retry.

	int errorCode = SSL_get_error(m_ssl->m_ssl, status);

	switch (errorCode) {
	case SSL_ERROR_NONE:
		retry = 0;
		// operation completed
		break;

	case SSL_ERROR_ZERO_RETURN:
		// connection closed (the peer sent close_notify); treated as fatal
		// for this socket.
		isFatal(true);
		LOG((CLOG_DEBUG "ssl connection closed"));
		break;

	case SSL_ERROR_WANT_READ:
		retry++;
		LOG((CLOG_DEBUG2 "want to read, error=%d, attempt=%d", errorCode, retry));
		break;

	case SSL_ERROR_WANT_WRITE:
		// Need to make sure the socket is known to be writable so the impending
		// select action actually triggers on a write. This isn't necessary for
		// m_readable because the socket logic is always readable
		m_writable = true;
		retry++;
		LOG((CLOG_DEBUG2 "want to write, error=%d, attempt=%d", errorCode, retry));
		break;

	case SSL_ERROR_WANT_CONNECT:
		retry++;
		LOG((CLOG_DEBUG2 "want to connect, error=%d, attempt=%d", errorCode, retry));
		break;

	case SSL_ERROR_WANT_ACCEPT:
		retry++;
		LOG((CLOG_DEBUG2 "want to accept, error=%d, attempt=%d", errorCode, retry));
		break;

	case SSL_ERROR_SYSCALL:
		LOG((CLOG_ERR "ssl error occurred (system call failure)"));
		// An empty OpenSSL error queue means the failure came from the
		// transport, not from the TLS layer; status tells which kind.
		if (ERR_peek_error() == 0) {
			if (status == 0) {
				// EOF without a close_notify alert (truncation).
				LOG((CLOG_ERR "eof violates ssl protocol"));
			}
			else if (status == -1) {
				// underlying socket I/O reported an error; surface it via the
				// platform layer, which is expected to throw.
				try {
					ARCH->throwErrorOnSocket(getSocket());
				}
				catch (XArchNetwork& e) {
					LOG((CLOG_ERR "%s", e.what()));
				}
			}
		}
		// NOTE(review): when the queue is non-empty the queued OpenSSL
		// errors are not logged here; presumably showError() reports them.
		isFatal(true);
		break;

	case SSL_ERROR_SSL:
		LOG((CLOG_ERR "ssl error occurred (generic failure)"));
		isFatal(true);
		break;

	default:
		LOG((CLOG_ERR "ssl error occurred (unknown failure)"));
		isFatal(true);
		break;
	}

	if (isFatal()) {
		// No point retrying a dead connection.
		retry = 0;
		showError();
		disconnect();
	}
}
开发者ID:TotoxLAncien,项目名称:synergy,代码行数:81,
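/* Example 3: loadSSL */
/*
 * Resolve the libssl entry points this program needs at run time and bind
 * them to the file-scope function pointers listed in the table below.
 *
 * Binding is all-or-nothing: on the first symbol that cannot be resolved,
 * every pointer in the table is reset to NULL and the function returns
 * without calling SSL_library_init(), so "SSL_library_init == NULL" can
 * be used elsewhere as "SSL support unavailable".  Only
 * SSL_COMP_get_compression_methods is optional.
 */
static void loadSSL(void) {
  // SHELLINABOX_LIBSSL_SO can be used to select the specific
  // soname of libssl for systems where it is not libssl.so.
  // The feature is currently disabled.
  const char* path_libssl = NULL; // = getenv ("SHELLINABOX_LIBSSL_SO");
  if (path_libssl == NULL)
    // Unversioned soname: whichever libssl the dynamic loader finds first
    // on its search path is used, so that search path must be trusted.
    path_libssl = "libssl.so";
  // Guard against being called twice; SSL_library_init is one of the
  // pointers bound below.
  check(!SSL_library_init);
  struct {
    union {
      void *avoid_gcc_warning_about_type_punning;   // set via "{ &X }"
      void **var;                                   // read back as void **
    };
    const char *fn;
  } symbols[] = {
    { { &BIO_ctrl },                    "BIO_ctrl" },
    { { &BIO_f_buffer },                "BIO_f_buffer" },
    { { &BIO_free_all },                "BIO_free_all" },
    { { &BIO_new },                     "BIO_new" },
    { { &BIO_new_socket },              "BIO_new_socket" },
    { { &BIO_pop },                     "BIO_pop" },
    { { &BIO_push },                    "BIO_push" },
    { { &ERR_clear_error },             "ERR_clear_error" },
    { { &ERR_peek_error },              "ERR_peek_error" },
    { { &SSL_CTX_callback_ctrl },       "SSL_CTX_callback_ctrl" },
    { { &SSL_CTX_check_private_key },   "SSL_CTX_check_private_key" },
    { { &SSL_CTX_ctrl },                "SSL_CTX_ctrl" },
    { { &SSL_CTX_free },                "SSL_CTX_free" },
    { { &SSL_CTX_new },                 "SSL_CTX_new" },
    { { &SSL_CTX_use_PrivateKey_file }, "SSL_CTX_use_PrivateKey_file" },
    { { &SSL_CTX_use_PrivateKey_ASN1 }, "SSL_CTX_use_PrivateKey_ASN1" },
    { { &SSL_CTX_use_certificate_file },"SSL_CTX_use_certificate_file"},
    { { &SSL_CTX_use_certificate_ASN1 },"SSL_CTX_use_certificate_ASN1"},
    { { &SSL_ctrl },                    "SSL_ctrl" },
    { { &SSL_free },                    "SSL_free" },
    { { &SSL_get_error },               "SSL_get_error" },
    { { &SSL_get_ex_data },             "SSL_get_ex_data" },
    { { &SSL_get_rbio },                "SSL_get_rbio" },
#ifdef HAVE_TLSEXT
    { { &SSL_get_servername },          "SSL_get_servername" },
#endif
    { { &SSL_get_wbio },                "SSL_get_wbio" },
    { { &SSL_library_init },            "SSL_library_init" },
    { { &SSL_new },                     "SSL_new" },
    { { &SSL_read },                    "SSL_read" },
#ifdef HAVE_TLSEXT
    { { &SSL_set_SSL_CTX },             "SSL_set_SSL_CTX" },
#endif
    { { &SSL_set_accept_state },        "SSL_set_accept_state" },
    { { &SSL_set_bio },                 "SSL_set_bio" },
    { { &SSL_set_ex_data },             "SSL_set_ex_data" },
    { { &SSL_shutdown },                "SSL_shutdown" },
    { { &SSL_write },                   "SSL_write" },
    { { &SSLv23_server_method },        "SSLv23_server_method" },
    { { &d2i_X509 },                    "d2i_X509" },
    { { &X509_free },                   "X509_free" },
    { { &x_SSL_CTX_set_cipher_list },   "SSL_CTX_set_cipher_list" },
    { { &x_sk_zero },                   "sk_zero" }
  };
  const size_t n_symbols = sizeof(symbols) / sizeof(symbols[0]);
  for (size_t i = 0; i < n_symbols; i++) {
    if (!(*symbols[i].var = loadSymbol(path_libssl, symbols[i].fn))) {
      debug("Failed to load SSL support. Could not find \"%s\"",
            symbols[i].fn);
      // Roll back so that no partially bound table is ever used.
      for (size_t j = 0; j < n_symbols; j++) {
        *symbols[j].var = NULL;
      }
      return;
    }
  }
  // These are optional
  x_SSL_COMP_get_compression_methods = loadSymbol(path_libssl,
                                       "SSL_COMP_get_compression_methods");
  // ends
  SSL_library_init();
  // Initialisation should not have queued any OpenSSL error.
  dcheck(!ERR_peek_error());
  debug("Loaded SSL support");
}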
开发者ID:JGRennison,项目名称:shellinabox,代码行数:79,
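/* Example 4: SSL_CTX_use_certificate_chain */
/**
 * Read a file that contains our certificate in "PEM" format,
 * possibly followed by a sequence of CA certificates that should be
 * sent to the peer in the Certificate message.
 *
 * Taken from OpenSSL & Node.js - edited for style.
 *
 * @param ctx  context that receives the certificate and the extra chain
 * @param in   BIO positioned at the PEM data
 * @return 1 on success, 0 on failure.  Note that on a failure raised
 *         after SSL_CTX_use_certificate() succeeded (chain problems),
 *         the leaf certificate has already been installed in ctx.
 */
static int
SSL_CTX_use_certificate_chain(SSL_CTX *ctx, BIO *in) {
  int ret = 0;
  X509 *x = NULL;

  /*
   * Start from an empty error queue: success is later judged with
   * ERR_peek_error(), so a stale error left by an unrelated earlier
   * call would make a good certificate look like a failure.
   */
  ERR_clear_error();

  x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);

  if (x == NULL) {
    SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
    goto end;
  }

  ret = SSL_CTX_use_certificate(ctx, x);

  if (ERR_peek_error() != 0) {
    /* Key/certificate mismatch doesn't imply ret==0 ... */
    ret = 0;
  }

  if (ret) {
    /* If we could set up our certificate, now proceed to
     * the CA certificates.
     */
    X509 *ca;
    int r;
    unsigned long err;

    /* Replace any chain installed earlier. */
    if (ctx->extra_certs != NULL) {
      sk_X509_pop_free(ctx->extra_certs, X509_free);
      ctx->extra_certs = NULL;
    }

    while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
      r = SSL_CTX_add_extra_chain_cert(ctx, ca);

      if (!r) {
        X509_free(ca);
        ret = 0;
        goto end;
      }
      /* Note that we must not free ca if it was successfully
       * added to the chain (while we must free the main
       * certificate, since its reference count is increased
       * by SSL_CTX_use_certificate). */
    }

    /* When the while loop ends, it's usually just EOF. */
    err = ERR_peek_last_error();
    if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
        ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
      ERR_clear_error();
    } else {
      /* some real error */
      ret = 0;
    }
  }

end:
  if (x != NULL) {
    X509_free(x);
  }
  return ret;
}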
开发者ID:xming,项目名称:luvit,代码行数:68,
示例5: TLS_DANE_HASTA//.........这里部分代码省略......... return (0); } /* * Turn on non-blocking I/O so that we can enforce timeouts on network * I/O. */ non_blocking(vstream_fileno(props->stream), NON_BLOCKING); /* * If the debug level selected is high enough, all of the data is dumped: * TLS_LOG_TLSPKTS will dump the SSL negotiation, TLS_LOG_ALLPKTS will * dump everything. * * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called? * Well there is a BIO below the SSL routines that is automatically * created for us, so we can use it for debugging purposes. */ if (log_mask & TLS_LOG_TLSPKTS) BIO_set_callback(SSL_get_rbio(TLScontext->con), tls_bio_dump_cb); tls_dane_set_callback(app_ctx->ssl_ctx, TLScontext); /* * Start TLS negotiations. This process is a black box that invokes our * call-backs for certificate verification. * * Error handling: If the SSL handhake fails, we print out an error message * and remove all TLS state concerning this session. */ sts = tls_bio_connect(vstream_fileno(props->stream), props->timeout, TLScontext); if (sts <= 0) { if (ERR_peek_error() != 0) { msg_info("SSL_connect error to %s: %d", props->namaddr, sts); tls_print_errors(); } else if (errno != 0) { msg_info("SSL_connect error to %s: %m", props->namaddr); } else { msg_info("SSL_connect error to %s: lost connection", props->namaddr); } uncache_session(app_ctx->ssl_ctx, TLScontext); tls_free_context(TLScontext); return (0); } /* Turn off packet dump if only dumping the handshake */ if ((log_mask & TLS_LOG_ALLPKTS) == 0) BIO_set_callback(SSL_get_rbio(TLScontext->con), 0); /* * The caller may want to know if this session was reused or if a new * session was negotiated. */ TLScontext->session_reused = SSL_session_reused(TLScontext->con); if ((log_mask & TLS_LOG_CACHE) && TLScontext->session_reused) msg_info("%s: Reusing old session", TLScontext->namaddr); /* * Do peername verification if requested and extract useful information * from the certificate for later use. 
*/ if ((peercert = SSL_get_peer_certificate(TLScontext->con)) != 0) { TLScontext->peer_status |= TLS_CERT_FLAG_PRESENT; /*
开发者ID:ben01122,项目名称:postfix,代码行数:67,
/* Example 6: ossl_ssl_read_internal */
/*
 * Shared implementation of the Ruby-level read methods.
 *
 * argv holds the mandatory byte count and an optional target String
 * ("11" in rb_scan_args).  When the String is absent a fresh byte string
 * is allocated; otherwise it is made modifiable and reused.  The String,
 * resized to the number of bytes actually read, is returned.
 *
 * nonblock selects the non-blocking variant: "want read/write" outcomes
 * are then routed through read_would_block()/write_would_block() before
 * waiting on the descriptor.
 *
 * NOTE(review): ilen comes straight from NUM2INT(len) with no sign check
 * before rb_bstr_resize(str, ilen); whether a negative value is rejected
 * depends on rb_bstr_resize(), which is not visible here.
 */
static VALUE
ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
{
    SSL *ssl;
    int ilen, nread = 0;
    VALUE len, str;
    rb_io_t *fptr;

    rb_scan_args(argc, argv, "11", &len, &str);
    ilen = NUM2INT(len);
    if(NIL_P(str)) {
        str = rb_bstr_new();
    }
    else{
        StringValue(str);
        rb_str_modify(str);
        str = rb_str_bstr(str);
    }
    rb_bstr_resize(str, ilen);
    /* A zero-length read never touches the connection. */
    if(ilen == 0) return str;

    Data_Get_Struct(self, SSL, ssl);
    GetOpenFile(ossl_ssl_get_io(self), fptr);
    if (ssl) {
        /* Blocking mode: only wait on the fd when OpenSSL has nothing
         * buffered, otherwise SSL_read can be satisfied immediately. */
        if(!nonblock && SSL_pending(ssl) <= 0)
            rb_thread_wait_fd(FPTR_TO_FD(fptr));
        for (;;){
            nread = SSL_read(ssl, rb_bstr_bytes(str), rb_bstr_length(str));
            switch(ssl_get_error(ssl, nread)){
            case SSL_ERROR_NONE:
                goto end;
            case SSL_ERROR_ZERO_RETURN:
                /* Clean TLS shutdown by the peer.  No break: this relies
                 * on rb_eof_error() raising and never returning. */
                rb_eof_error();
            case SSL_ERROR_WANT_WRITE:
                write_would_block(nonblock);
                rb_io_wait_writable(FPTR_TO_FD(fptr));
                continue;
            case SSL_ERROR_WANT_READ:
                read_would_block(nonblock);
                rb_io_wait_readable(FPTR_TO_FD(fptr));
                continue;
            case SSL_ERROR_SYSCALL:
                /* Empty error queue plus a zero read is an EOF without
                 * close_notify; anything else is a transport error. */
                if(ERR_peek_error() == 0 && nread == 0) rb_eof_error();
                rb_sys_fail(0);
            default:
                ossl_raise(eSSLError, "SSL_read:");
            }
        }
    }
    else {
        /* No TLS session yet: fall back to the plain IO object's reader. */
        ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");

        rb_warning("SSL session is not started yet.");
        return rb_funcall(ossl_ssl_get_io(self), meth, 2, len, str);
    }

  end:
    /* Shrink to what was actually received; data from the network is
     * tainted. */
    rb_bstr_resize(str, nread);
    OBJ_TAINT(str);

    return str;
}
开发者ID:DocPsy,项目名称:MacRuby,代码行数:62,
示例7: rsa_main//.........这里部分代码省略......... EVP_PKEY_free(pkey); } if (rsa == NULL) { ERR_print_errors(bio_err); goto end; } out = bio_open_default(outfile, "w"); if (out == NULL) goto end; if (text) if (!RSA_print(out, rsa, 0)) { perror(outfile); ERR_print_errors(bio_err); goto end; } if (modulus) { BIO_printf(out, "Modulus="); BN_print(out, rsa->n); BIO_printf(out, "/n"); } if (check) { int r = RSA_check_key(rsa); if (r == 1) BIO_printf(out, "RSA key ok/n"); else if (r == 0) { unsigned long err; while ((err = ERR_peek_error()) != 0 && ERR_GET_LIB(err) == ERR_LIB_RSA && ERR_GET_FUNC(err) == RSA_F_RSA_CHECK_KEY && ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE) { BIO_printf(out, "RSA key error: %s/n", ERR_reason_error_string(err)); ERR_get_error(); /* remove e from error stack */ } } /* should happen only if r == -1 */ if (r == -1 || ERR_peek_error() != 0) { ERR_print_errors(bio_err); goto end; } } if (noout) { ret = 0; goto end; } BIO_printf(bio_err, "writing RSA key/n"); if (outformat == FORMAT_ASN1) { if (pubout || pubin) { if (pubout == 2) i = i2d_RSAPublicKey_bio(out, rsa); else i = i2d_RSA_PUBKEY_bio(out, rsa); } else i = i2d_RSAPrivateKey_bio(out, rsa); }# ifndef OPENSSL_NO_RC4 else if (outformat == FORMAT_NETSCAPE) {
开发者ID:cynthia,项目名称:openssl,代码行数:67,
示例8: ORPV__verify_pss_sha1static VALUE ORPV__verify_pss_sha1(VALUE self, VALUE vPubKey, VALUE vSig, VALUE vHashData, VALUE vSaltLen) { enum ORPV_errors err = OK; BIO * pkey_bio = NULL; RSA * rsa_pub_key = NULL; EVP_PKEY * pkey = NULL; EVP_PKEY_CTX * pkey_ctx = NULL; char * pub_key = NULL; int verify_rval = -1, salt_len; char ossl_err_strs[(OSSL_ERR_STR_LEN + 2) * ORPV_MAX_ERRS] = ""; if (ERR_peek_error()) { err = EXTERNAL; goto Cleanup; } vPubKey = StringValue(vPubKey); vSig = StringValue(vSig); vHashData = StringValue(vHashData); salt_len = NUM2INT(vSaltLen); if (RSTRING_LEN(vPubKey) > (long)INT_MAX) { err = KEY_OVERFLOW; goto Cleanup; } pub_key = malloc(RSTRING_LEN(vPubKey)); if (! pub_key) { err = NOMEM; goto Cleanup; } memcpy(pub_key, StringValuePtr(vPubKey), RSTRING_LEN(vPubKey)); pkey_bio = BIO_new_mem_buf(pub_key, (int)RSTRING_LEN(vPubKey)); rsa_pub_key = PEM_read_bio_RSA_PUBKEY(pkey_bio, NULL, NULL, NULL); if (! rsa_pub_key) { err = PUBKEY_PARSE; goto Cleanup; } pkey = EVP_PKEY_new(); if (! pkey) { err = PKEY_INIT; goto Cleanup; } if (! EVP_PKEY_set1_RSA(pkey, rsa_pub_key)) { err = RSA_ASSIGN; goto Cleanup; } pkey_ctx = EVP_PKEY_CTX_new(pkey, ENGINE_get_default_RSA()); if (! 
pkey_ctx) { err = PKEY_CTX_INIT; goto Cleanup; } if (EVP_PKEY_verify_init(pkey_ctx) <= 0) { err = VERIFY_INIT; goto Cleanup; } if (EVP_PKEY_CTX_set_signature_md(pkey_ctx, EVP_sha1()) <= 0) { err = SET_SIG_MD; goto Cleanup; } if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0) { err = SET_PADDING; goto Cleanup; } if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, salt_len) <= 0) { err = SET_SALTLEN; goto Cleanup; } verify_rval = EVP_PKEY_verify(pkey_ctx, (unsigned char*)StringValuePtr(vSig), (size_t)RSTRING_LEN(vSig), (unsigned char*)StringValuePtr(vHashData), (size_t)RSTRING_LEN(vHashData));Cleanup: /* * BIO * pkey_bio = NULL; * RSA * rsa_pub_key = NULL; * EVP_PKEY * pkey = NULL; * EVP_PKEY_CTX * pkey_ctx = NULL; * char * pub_key = NULL; */ if (pkey_ctx) EVP_PKEY_CTX_free(pkey_ctx); if (pkey) EVP_PKEY_free(pkey); if (rsa_pub_key) RSA_free(rsa_pub_key); if (pkey_bio) BIO_free(pkey_bio); if (pub_key) free(pub_key); switch (err) { case OK: switch (verify_rval) { case 1://.........这里部分代码省略.........
开发者ID:jondistad,项目名称:openssl_rsa_pss_verify,代码行数:101,
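/* Example 9: SSL_get_error */
/*
 * Describe the outcome of an SSL I/O call, whose return value is `ret`,
 * as a printable string.
 *
 * Returns NULL for SSL_ERROR_NONE.  Otherwise returns a string the caller
 * must neither modify nor free: either a string literal or a pointer to
 * a function-local static buffer, which makes this function
 * non-reentrant and unsafe to call concurrently from several threads.
 * The thread's OpenSSL error queue is cleared before returning.
 */
char *SDMMD_ssl_strerror(SSL *ssl, uint32_t ret)
{
	static char buffer[200] = {0};
	/* Capture errno before any library call below can overwrite it. */
	int saved_errno = errno;
	int result = SSL_get_error(ssl, ret);
	/* ERR_peek_error() returns the oldest queued error; read it once. */
	unsigned long queued = ERR_peek_error();
	/* ERR_error_string_n() writes into this local buffer instead of the
	 * process-wide static one that ERR_error_string(..., NULL) returns. */
	char reason[120] = {0};
	char *err = NULL;

	switch (result) {
	case SSL_ERROR_NONE:
		break;
	case SSL_ERROR_SSL:
		if (queued) {
			ERR_error_string_n(queued, reason, sizeof(reason));
			snprintf(buffer, sizeof(buffer), "SSL_ERROR_SSL (%s)", reason);
			err = buffer;
		} else {
			err = "SSL_ERROR_SSL unknown error";
		}
		break;
	case SSL_ERROR_WANT_READ:
		err = "SSL_ERROR_WANT_READ";
		break;
	case SSL_ERROR_WANT_WRITE:
		err = "SSL_ERROR_WANT_WRITE";
		break;
	case SSL_ERROR_WANT_X509_LOOKUP:
		err = "SSL_ERROR_WANT_X509_LOOKUP";
		break;
	case SSL_ERROR_SYSCALL:
		if (queued == 0 && ret == 0) {
			/* Transport closed without a close_notify alert. */
			err = "SSL_ERROR_SYSCALL (Early EOF reached)";
		} else if (queued == 0 && ret == (uint32_t)-1) {
			/* The SSL call returned -1: the OS-level error is in errno. */
			snprintf(buffer, sizeof(buffer), "SSL_ERROR_SYSCALL errno (%s)",
			         strerror(saved_errno));
			err = buffer;
		} else if (queued == 0) {
			err = "SSL_ERROR_SYSCALL (WTFERROR)";
		} else {
			ERR_error_string_n(queued, reason, sizeof(reason));
			snprintf(buffer, sizeof(buffer), "SSL_ERROR_SYSCALL internal (%s)",
			         reason);
			err = buffer;
		}
		break;
	case SSL_ERROR_ZERO_RETURN:
		err = "SSL_ERROR_ZERO_RETURN";
		break;
	case SSL_ERROR_WANT_CONNECT:
		err = "SSL_ERROR_WANT_CONNECT";
		break;
	case SSL_ERROR_WANT_ACCEPT:
		err = "SSL_ERROR_WANT_ACCEPT";
		break;
	default:
		/* Unknown code: dump whatever OpenSSL queued for diagnosis. */
		ERR_print_errors_fp(stderr);
		fputc('\n', stderr);
		err = "Unknown SSL error type";
		break;
	}
	ERR_clear_error();
	return err;
}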
开发者ID:K0smas,项目名称:SDMMobileDevice,代码行数:71,
/* Example 10: tls_log_error_va */
/** Print errors in the TLS thread local error stack
 *
 * Drains the thread local OpenSSL error queue, and prints out errors.
 *
 * With exactly one queued error and a non-NULL msg, the formatted msg and
 * the error are emitted on a single line ("single line mode").  Otherwise
 * msg (if any) is printed on its own and every queued error follows on
 * its own line ("stack mode").  Debug level 3 adds the file and line the
 * error was raised from.
 *
 * @param[in] request The current request (may be NULL).
 * @param[in] msg Error message describing the operation being attempted.
 * @param[in] ap Arguments for msg.
 * @return the number of errors drained from the stack.
 */
static int tls_log_error_va(REQUEST *request, char const *msg, va_list ap)
{
	unsigned long	error;
	char		*p;
	int		in_stack = 0;
	char		buffer[256];

	int		line;
	char const	*file;
	char const	*data;
	int		flags = 0;

	/*
	 *	Pop the first error, so ERR_peek_error()
	 *	can be used to determine if there are
	 *	multiple errors.
	 */
	error = ERR_get_error_line_data(&file, &line, &data, &flags);
	/* data is only meaningful when OpenSSL flagged it as a string. */
	if (!(flags & ERR_TXT_STRING)) data = NULL;

	if (msg) {
		p = talloc_vasprintf(request, msg, ap);

		/*
		 *	Single line mode (there's only one error)
		 */
		if (error && !ERR_peek_error()) {
			ERR_error_string_n(error, buffer, sizeof(buffer));

			/* Extra verbose */
			/* NOTE(review): the '/0' character constants below look like a
			 * mangled '\0' (no-separator case) in this rendering of the
			 * source; confirm against the original file. */
			if ((request && RDEBUG_ENABLED3) || DEBUG_ENABLED3) {
				ROPTIONAL(REDEBUG, ERROR, "%s: %s[%i]:%s%c%s", p, file, line, buffer, data ? ':' : '/0', data ? data : "");
			} else {
				ROPTIONAL(REDEBUG, ERROR, "%s: %s%c%s", p, buffer, data ? ':' : '/0', data ? data : "");
			}

			talloc_free(p);

			return 1;
		}

		/*
		 *	Print the error we were given, irrespective
		 *	of whether there were any OpenSSL errors.
		 */
		ROPTIONAL(RERROR, ERROR, "%s", p);
		talloc_free(p);
	}

	/*
	 *	Stack mode (there are multiple errors)
	 */
	if (!error) return 0;
	do {
		/* Re-checked each iteration: flags is refreshed by the call in
		 * the loop condition. */
		if (!(flags & ERR_TXT_STRING)) data = NULL;

		ERR_error_string_n(error, buffer, sizeof(buffer));

		/* Extra verbose */
		if ((request && RDEBUG_ENABLED3) || DEBUG_ENABLED3) {
			ROPTIONAL(REDEBUG, ERROR, "%s[%i]:%s%c%s", file, line, buffer, data ? ':' : '/0', data ? data : "");
		} else {
			ROPTIONAL(REDEBUG, ERROR, "%s%c%s", buffer, data ? ':' : '/0', data ? data : "");
		}

		in_stack++;
	} while ((error = ERR_get_error_line_data(&file, &line, &data, &flags)));

	return in_stack;
}
开发者ID:mcnewton,项目名称:freeradius-server,代码行数:81,
示例11: free/** * Accept the GSI Authentication. * @param sock the socket for communication. * @param ctx the authorization context. * @return the context identifier. */boolGSISocketServer::AcceptGSIAuthentication(){ char *name = NULL; long errorcode = 0; int flags; time_t curtime, starttime; int ret, accept_status; bool accept_timed_out = false; int expected = 0; BIO *bio = NULL; char *cert_file, *user_cert, *user_key, *user_proxy; char *serial=NULL; cert_file = user_cert = user_key = user_proxy = NULL; if (proxy_get_filenames(0, &cert_file, &cacertdir, &user_proxy, &user_cert, &user_key) == 0) { (void)load_credentials(user_cert, user_key, &ucert, &own_stack, &upkey, NULL); } free(cert_file); free(user_cert); free(user_key); free(user_proxy); own_cert = ucert; own_key = upkey; ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_load_verify_locations(ctx, NULL, cacertdir); SSL_CTX_use_certificate(ctx, ucert); SSL_CTX_use_PrivateKey(ctx,upkey); SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2"); SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY); SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback); SSL_CTX_set_verify_depth(ctx, 100); SSL_CTX_set_cert_verify_callback(ctx, proxy_app_verify_callback, 0); if (own_stack) { /* * Certificate was a proxy with a cert. chain. * Add the certificates one by one to the chain. 
*/ X509_STORE_add_cert(ctx->cert_store, ucert); for (int i = 0; i <sk_X509_num(own_stack); ++i) { X509 *cert = (sk_X509_value(own_stack,i)); if (!X509_STORE_add_cert(ctx->cert_store, cert)) { if (ERR_GET_REASON(ERR_peek_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE) { ERR_clear_error(); continue; } else { SetErrorOpenSSL("Cannot add certificate to the SSL context's certificate store"); goto err; } } } } flags = fcntl(newsock, F_GETFL, 0); (void)fcntl(newsock, F_SETFL, flags | O_NONBLOCK); bio = BIO_new_socket(newsock, BIO_NOCLOSE); (void)BIO_set_nbio(bio, 1); ssl = SSL_new(ctx); setup_SSL_proxy_handler(ssl, cacertdir); writeb = bio->method->bwrite; readb = bio->method->bread; bio->method->bwrite = globusf_write; bio->method->bread = globusf_read; SSL_set_bio(ssl, bio, bio); curtime = starttime = time(NULL); ret = accept_status = -1; expected = 0; do { ret = do_select(newsock, starttime, timeout, expected); LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Select status: %d",ret); curtime = time(NULL); if (ret == 0){ LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Select timed out.");//.........这里部分代码省略.........
开发者ID:andreaceccanti,项目名称:voms,代码行数:101,
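/* Example 12: ssl_handshake */
/* Switch a socket to SSL communication
 *
 * Creates a SSL data structure for the connection;
 * Sets up callbacks and initiates a SSL handshake with the peer;
 * Reports error conditions and performs cleanup upon failure.
 *
 * flags:    ssl flags, i.e connect or listen; the remaining bits are the
 *           peer-verification flags (e.g. TLS_VERIFYPEER) and are stored
 *           in the appdata's verify field
 * verify:   peer certificate verification flags
 *           (not read by this function; the verification bits are taken
 *           from flags as described above -- TODO confirm with callers)
 * loglevel: is the level to output information about the connection
 *           and certificates.
 * host:     contains the dns name or ip address of the peer. Used for
 *           verification.
 * cb:       optional callback, this function will be called after the
 *           handshake completes.
 *
 * Return value: 0 on success (or when the handshake is still in
 * progress for async I/O), !=0 on failure.  On failure the socklist slot
 * holds no SSL object.
 */
int ssl_handshake(int sock, int flags, int verify, int loglevel, char *host,
                  IntFunc cb)
{
  int i, err, ret;
  ssl_appdata *data;
  struct threaddata *td = threaddata();

  debug0("TLS: attempting SSL negotiation...");
  if (!ssl_ctx && ssl_init()) {
    debug0("TLS: Failed. OpenSSL not initialized properly.");
    return -1;
  }
  /* find the socket in the list */
  i = findsock(sock);
  if (i == -1) {
    debug0("TLS: socket not in socklist");
    return -2;
  }
  if (td->socklist[i].ssl) {
    debug0("TLS: handshake not required - SSL session already established");
    return 0;
  }

  td->socklist[i].ssl = SSL_new(ssl_ctx);
  if (!td->socklist[i].ssl ||
      !SSL_set_fd(td->socklist[i].ssl, td->socklist[i].sock)) {
    debug1("TLS: cannot initiate SSL session - %s",
           ERR_error_string(ERR_get_error(), NULL));
    /* A failed SSL_set_fd() leaves an SSL object in the slot; release it
     * so it neither leaks nor makes a later call report the session as
     * already established.  SSL_free(NULL) is a no-op. */
    SSL_free(td->socklist[i].ssl);
    td->socklist[i].ssl = NULL;
    return -3;
  }

  /* Prepare a ssl appdata struct for the verify callback */
  data = nmalloc(sizeof(ssl_appdata));
  egg_bzero(data, sizeof(ssl_appdata));
  data->flags = flags & (TLS_LISTEN | TLS_CONNECT);
  data->verify = flags & ~(TLS_LISTEN | TLS_CONNECT);
  data->loglevel = loglevel;
  data->cb = cb;
  strncpyz(data->host, host ? host : "", sizeof(data->host));
  SSL_set_app_data(td->socklist[i].ssl, data);
  SSL_set_info_callback(td->socklist[i].ssl, (void *) ssl_info);
  /* We set this +1 to be able to report extra long chains properly.
   * Otherwise, OpenSSL will break the verification reporting about
   * missing certificates instead. The rest of the fix is in
   * ssl_verify()
   */
  SSL_set_verify_depth(td->socklist[i].ssl, tls_maxdepth + 1);

  SSL_set_mode(td->socklist[i].ssl, SSL_MODE_ENABLE_PARTIAL_WRITE |
               SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
  if (data->flags & TLS_CONNECT) {
    SSL_set_verify(td->socklist[i].ssl, SSL_VERIFY_PEER, ssl_verify);
    ret = SSL_connect(td->socklist[i].ssl);
    if (!ret)
      debug0("TLS: connect handshake failed.");
  } else {
    /* data->flags was masked down to TLS_LISTEN | TLS_CONNECT above, so
     * the verification bits have to be read from data->verify; testing
     * data->flags here would never see TLS_VERIFYPEER. */
    if (data->verify & TLS_VERIFYPEER)
      SSL_set_verify(td->socklist[i].ssl, SSL_VERIFY_PEER |
                     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify);
    else
      SSL_set_verify(td->socklist[i].ssl, SSL_VERIFY_PEER, ssl_verify);
    ret = SSL_accept(td->socklist[i].ssl);
    if (!ret)
      debug0("TLS: accept handshake failed");
  }

  err = SSL_get_error(td->socklist[i].ssl, ret);
  /* Normal condition for async I/O, similar to EAGAIN */
  if (ret > 0 || err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
    debug0("TLS: handshake in progress");
    return 0;
  }
  if (ERR_peek_error())
    debug0("TLS: handshake failed due to the following errors: ");
  while ((err = ERR_get_error()))
    debug1("TLS: %s", ERR_error_string(err, NULL));

  /* Attempt failed, cleanup and abort.  The handshake ended with a fatal
   * error, and SSL_shutdown() must not be called on a connection after a
   * fatal error, so the object is freed without sending close_notify. */
  SSL_free(td->socklist[i].ssl);
  td->socklist[i].ssl = NULL;
  nfree(data);
  return -4;
}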
开发者ID:ArNz8o8,项目名称:Fr3shness,代码行数:100,
示例13: s_logNOEXPORT OCSP_RESPONSE *ocsp_get_response(CLI *c, OCSP_REQUEST *req, char *url) { BIO *bio=NULL; OCSP_REQ_CTX *req_ctx=NULL; OCSP_RESPONSE *resp=NULL; int err; char *host=NULL, *port=NULL, *path=NULL; SOCKADDR_UNION addr; int ssl; /* parse the OCSP URL */ if(!OCSP_parse_url(url, &host, &port, &path, &ssl)) { s_log(LOG_ERR, "OCSP: Failed to parse the OCSP URL"); goto cleanup; } if(ssl) { s_log(LOG_ERR, "OCSP: SSL not supported for OCSP" " - additional stunnel service needs to be defined"); goto cleanup; } memset(&addr, 0, sizeof addr); addr.in.sin_family=AF_INET; if(!hostport2addr(&addr, host, port)) { s_log(LOG_ERR, "OCSP: Failed to resolve the OCSP server address"); goto cleanup; } /* connect specified OCSP server (responder) */ c->fd=s_socket(addr.sa.sa_family, SOCK_STREAM, 0, 1, "OCSP: socket"); if(c->fd<0) goto cleanup; if(s_connect(c, &addr, addr_len(&addr))) goto cleanup; bio=BIO_new_fd(c->fd, BIO_NOCLOSE); if(!bio) goto cleanup; s_log(LOG_DEBUG, "OCSP: response retrieved"); /* OCSP protocol communication loop */ req_ctx=OCSP_sendreq_new(bio, path, req, -1); if(!req_ctx) { sslerror("OCSP: OCSP_sendreq_new"); goto cleanup; } while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) { s_poll_init(c->fds); s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio)); err=s_poll_wait(c->fds, c->opt->timeout_busy, 0); if(err==-1) sockerror("OCSP: s_poll_wait"); if(err==0) s_log(LOG_INFO, "OCSP: s_poll_wait: TIMEOUTbusy exceeded"); if(err<=0) goto cleanup; }#if 0 s_log(LOG_DEBUG, "OCSP: context state: 0x%x", *(int *)req_ctx);#endif /* http://www.mail-archive.com/[email C++ ERR_peek_last_error函数代码示例 C++ ERR_load_BIO_strings函数代码示例