/[hydra]/hydra/src/ssl.c
ViewVC logotype

Annotation of /hydra/src/ssl.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.15 - (hide annotations)
Tue Oct 29 12:13:54 2002 UTC (21 years, 5 months ago) by nmav
Branch: MAIN
CVS Tags: hydra_0_0_10, hydra_0_1_0
Branch point for: hydra_0_1_0_patches
Changes since 1.14: +17 -15 lines
File MIME type: text/plain 
*** empty log message ***
1 nmav 1.1 /*
2     * Copyright (C) 2002 Nikos Mavroyanopoulos
3     *
4 nmav 1.5 * This file is part of Hydra webserver.
5 nmav 1.1 *
6 nmav 1.5 * Hydra is free software; you can redistribute it and/or modify
7 nmav 1.1 * it under the terms of the GNU General Public License as published by
8     * the Free Software Foundation; either version 2 of the License, or
9     * (at your option) any later version.
10     *
11 nmav 1.5 * Hydra is distributed in the hope that it will be useful,
12 nmav 1.1 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14     * GNU General Public License for more details.
15     *
16     * You should have received a copy of the GNU General Public License
17     * along with this program; if not, write to the Free Software
18     * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19     */
20 nmav 1.6
21 nmav 1.1 #include <stdio.h>
22     #include <stdlib.h>
23     #include <string.h>
24     #include "boa.h"
25    
26     #ifdef ENABLE_SSL
27    
28 nmav 1.7 #include "ssl.h"
29    
30 nmav 1.1 #include <gnutls/gnutls.h>
31     #include <gcrypt.h>
32    
33 nmav 1.3 #ifdef ENABLE_SMP
34     pthread_mutex_t ssl_session_cache_lock = PTHREAD_MUTEX_INITIALIZER;
35     #endif
36    
37 nmav 1.1 extern int ssl_session_cache;
38     extern int ssl_session_timeout;
39    
40     extern char* ssl_ciphers;
41     extern char* ssl_kx;
42     extern char* ssl_mac;
43     extern char* ssl_comp;
44     extern char* ssl_protocol;
45 nmav 1.7 extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
46     * if sent, 2 require certificate and validate.
47 nmav 1.8 * 3 is request one, and try to verify it. Does not fail in
48     * any case.
49 nmav 1.7 */
50 nmav 1.1
51     static void wrap_db_init(void);
52     static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data);
53     static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key);
54     static int wrap_db_delete(void *dbf, gnutls_datum key);
55    
56 nmav 1.2 static int cur = 0; /* points to the credentials structure used */
57 nmav 1.10 static gnutls_certificate_credentials credentials[2] = { NULL, NULL };
58 nmav 1.1
59     static int need_dh_params = 0; /* whether we need to generate DHE
60     * parameters. Depend on the chosen ciphersuites.
61     */
62     static int need_rsa_params = 0;
63    
64    
65     /* we use primes up to 1024 in this server.
66     * otherwise we should add them here.
67     */
68     extern int ssl_dh_bits;
69    
70 nmav 1.2 gnutls_dh_params _dh_params[2];
71     gnutls_rsa_params _rsa_params[2];
72 nmav 1.1
73 nmav 1.2 static int generate_dh_primes( gnutls_dh_params* dh_params)
74 nmav 1.1 {
75     gnutls_datum prime, generator;
76    
77 nmav 1.2 if (gnutls_dh_params_init( dh_params) < 0) {
78 nmav 1.1 log_error_time();
79 nmav 1.15 fprintf(stderr, "tls: Error in dh parameter initialization\n");
80 nmav 1.1 exit(1);
81     }
82    
83     /* Generate Diffie Hellman parameters - for use with DHE
84     * kx algorithms. These should be discarded and regenerated
85     * once a day, once a week or once a month. Depends on the
86     * security requirements.
87     */
88    
89     if (gnutls_dh_params_generate(&prime, &generator, ssl_dh_bits) <
90     0) {
91     log_error_time();
92 nmav 1.15 fprintf(stderr, "tls: Error in prime generation\n");
93 nmav 1.1 exit(1);
94     }
95    
96     if (gnutls_dh_params_set
97 nmav 1.2 (*dh_params, prime, generator, ssl_dh_bits) < 0) {
98 nmav 1.1 log_error_time();
99 nmav 1.15 fprintf(stderr, "tls: Error in prime replacement\n");
100 nmav 1.1 exit(1);
101     }
102    
103     log_error_time();
104     fprintf
105     (stderr,
106     "tls: Generated Diffie Hellman parameters [%d bits].\n",
107     ssl_dh_bits);
108    
109     free(prime.data);
110     free(generator.data);
111    
112     return 0;
113     }
114    
115 nmav 1.2 static int generate_rsa_params( gnutls_rsa_params* rsa_params)
116 nmav 1.1 {
117     gnutls_datum m, e, d, p, q, u;
118    
119 nmav 1.2 if (gnutls_rsa_params_init( rsa_params) < 0) {
120 nmav 1.1 log_error_time();
121 nmav 1.15 fprintf(stderr, "tls: Error in rsa parameter initialization\n");
122 nmav 1.1 exit(1);
123     }
124    
125     /* Generate RSA parameters - for use with RSA-export
126     * cipher suites. These should be discarded and regenerated
127     * once a day, once every 500 transactions etc. Depends on the
128     * security requirements.
129     */
130    
131     if (gnutls_rsa_params_generate(&m, &e, &d, &p, &q, &u, 512) < 0) {
132     log_error_time();
133 nmav 1.15 fprintf(stderr, "tls: Error in rsa parameter generation\n");
134 nmav 1.1 exit(1);
135     }
136    
137 nmav 1.2 if (gnutls_rsa_params_set( *rsa_params, m, e, d, p, q, u, 512) < 0) {
138 nmav 1.1 log_error_time();
139 nmav 1.15 fprintf(stderr, "tls: Error in rsa parameter setting\n");
140 nmav 1.1 exit(1);
141     }
142    
143     free(m.data);
144     free(e.data);
145     free(d.data);
146     free(p.data);
147     free(q.data);
148     free(u.data);
149    
150     log_error_time();
151     fprintf
152     (stderr, "tls: Generated temporary RSA parameters.\n");
153    
154     return 0;
155     }
156    
157     static int protocol_priority[16];
158     static int kx_priority[16];
159     static int cipher_priority[16];
160     static int mac_priority[16];
161     static int comp_priority[16];
162    
163     /* Parses a string in the form:
164 nmav 1.10 * CIPHER1, CIPHER2, ... and tries to find the given algorithm.
165     * This is inefficient. Returns true or false.
166 nmav 1.1 */
167     static int parse_cs_string( const char* string, const char* algo)
168     {
169 nmav 1.10 char *broken_list[MAX_COMMA_SEP_ELEMENTS];
170     int broken_list_size, i;
171     char list[64];
172    
173 nmav 1.1 if (string == NULL || algo == NULL) return 0;
174 nmav 1.10
175     if (strlen( string) > sizeof(list)-1) return 0;
176 nmav 1.1
177 nmav 1.10 strcpy( list, string);
178    
179     break_comma_list( list, broken_list, &broken_list_size);
180    
181     for (i=0;i<broken_list_size;i++) {
182     if (strcmp( broken_list[i], algo) == 0) {
183 nmav 1.1 return 1;
184 nmav 1.10 }
185     }
186 nmav 1.1
187     return 0;
188    
189     }
190    
191 nmav 1.10 /* Initializes a single SSL/TLS session. That is set the algorithm,
192     * the db backend, whether to request certificates etc.
193     */
194 nmav 1.1 gnutls_session initialize_ssl_session(void)
195     {
196     GNUTLS_STATE state;
197    
198     gnutls_init(&state, GNUTLS_SERVER);
199    
200     gnutls_cipher_set_priority(state, cipher_priority);
201     gnutls_compression_set_priority(state, comp_priority);
202     gnutls_kx_set_priority(state, kx_priority);
203     gnutls_protocol_set_priority(state, protocol_priority);
204     gnutls_mac_set_priority(state, mac_priority);
205    
206 nmav 1.2 gnutls_cred_set(state, GNUTLS_CRD_CERTIFICATE, credentials[ cur]);
207 nmav 1.1
208     gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
209    
210     if (ssl_session_cache != 0) {
211     gnutls_db_set_retrieve_function(state, wrap_db_fetch);
212     gnutls_db_set_remove_function(state, wrap_db_delete);
213     gnutls_db_set_store_function(state, wrap_db_store);
214     gnutls_db_set_ptr(state, NULL);
215     }
216     gnutls_db_set_cache_expiration( state, ssl_session_timeout);
217    
218 nmav 1.9 /* gnutls_handshake_set_private_extensions( state, 1); */
219 nmav 1.1
220 nmav 1.8 if (ssl_verify == 1 || ssl_verify == 3) {
221 nmav 1.7 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
222     } else if (ssl_verify == 2) {
223     gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
224 nmav 1.10 } else { /* default */
225     gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
226 nmav 1.7 }
227    
228 nmav 1.10
229 nmav 1.1 return state;
230     }
231    
232 nmav 1.7 extern char *ca_cert;
233 nmav 1.1 extern char *server_cert;
234     extern char *server_key;
235    
236     /* Initialization of gnutls' global state
237     */
238     int initialize_ssl(void)
239     {
240     int i;
241    
242 nmav 1.15 log_error_time();
243     fprintf(stderr, "tls: Initializing GnuTLS/%s.\n", gnutls_check_version(NULL));
244 nmav 1.1 gnutls_global_init();
245     /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */
246    
247 nmav 1.2 if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) {
248 nmav 1.1 log_error_time();
249 nmav 1.15 fprintf(stderr, "tls: certificate allocation error\n");
250 nmav 1.1 exit(1);
251     }
252    
253     if (gnutls_certificate_set_x509_key_file
254 nmav 1.2 ( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
255 nmav 1.1 log_error_time();
256 nmav 1.15 fprintf(stderr, "tls: could not find '%s' or '%s'.\n", server_cert,
257 nmav 1.1 server_key);
258     exit(1);
259     }
260    
261 nmav 1.7 if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file
262     ( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
263     log_error_time();
264 nmav 1.15 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
265 nmav 1.7 exit(1);
266     }
267    
268 nmav 1.1 if (ssl_session_cache != 0)
269     wrap_db_init();
270    
271     /* Add ciphers
272     */
273     i = 0;
274     if ( parse_cs_string( ssl_ciphers, "AES") != 0)
275     cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
276     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
277     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
278     if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
279     cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
280     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
281     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
282     cipher_priority[i] = 0;
283    
284     /* Add key exchange methods
285     */
286     i = 0;
287     if ( parse_cs_string( ssl_kx, "RSA") != 0)
288     kx_priority[i++] = GNUTLS_KX_RSA;
289     if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
290     kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
291     need_rsa_params = 1;
292     }
293     if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
294     kx_priority[i++] = GNUTLS_KX_DHE_RSA;
295     need_dh_params = 1; /* generate DH parameters */
296     }
297     if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
298     kx_priority[i++] = GNUTLS_KX_DHE_DSS;
299     need_dh_params = 1;
300     }
301     kx_priority[i] = 0;
302    
303     /* Add MAC Algorithms
304     */
305     i = 0;
306     if ( parse_cs_string( ssl_mac, "MD5") != 0)
307     mac_priority[i++] = GNUTLS_MAC_MD5;
308 nmav 1.11 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
309 nmav 1.1 mac_priority[i++] = GNUTLS_MAC_SHA;
310     mac_priority[i] = 0;
311    
312     /* Add Compression algorithms
313     */
314     i = 0;
315     if ( parse_cs_string( ssl_comp, "NULL") != 0)
316     comp_priority[i++] = GNUTLS_COMP_NULL;
317     if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
318     comp_priority[i++] = GNUTLS_COMP_ZLIB;
319     if ( parse_cs_string( ssl_comp, "LZO") != 0)
320     comp_priority[i++] = GNUTLS_COMP_LZO;
321     comp_priority[i] = 0;
322    
323     /* Add protocols
324     */
325     i = 0;
326 nmav 1.10 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
327 nmav 1.1 protocol_priority[i++] = GNUTLS_TLS1;
328 nmav 1.10 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
329 nmav 1.1 protocol_priority[i++] = GNUTLS_SSL3;
330     protocol_priority[i] = 0;
331    
332     /* Generate temporary parameters -- if needed.
333     */
334     if (need_rsa_params) {
335 nmav 1.2 generate_rsa_params( &_rsa_params[0]);
336     gnutls_certificate_set_rsa_params(credentials[0], _rsa_params[0]);
337 nmav 1.1 }
338    
339     if (need_dh_params) {
340 nmav 1.2 generate_dh_primes( &_dh_params[0]);
341     gnutls_certificate_set_dh_params(credentials[0], _dh_params[0]);
342 nmav 1.1 }
343    
344     return 0;
345     }
346    
347     /* This function will regenerate the SSL parameters (RSA and DH) without
348     * any need for downtime.
349     */
350 nmav 1.10
351 nmav 1.1 void ssl_regenerate_params(void)
352     {
353 nmav 1.10 static int already_here; /* static so the default value == 0 */
354 nmav 1.2 int _cur = (cur + 1) % 2;
355    
356 nmav 1.10 /* There is a rare situation where we have been here, because of
357     * a SIGHUP signal, and the process receives a SIGALRM as well.
358     * We try to avoid messing everything up.
359     */
360     if (already_here != 0) return;
361     already_here = 1;
362    
363 nmav 1.2 /* The hint here, is that we keep a copy of 2 certificate credentials.
364     * When we come here, we free the unused copy and allocate new
365     * parameters to it. Then we make the current copy to be this copy.
366     *
367     * We don't free the previous copy because we don't know if anyone
368     * is using it. (this has to be fixed)
369     */
370 nmav 1.1
371     time(&current_time);
372    
373 nmav 1.2 if ( !credentials[_cur]) {
374     if (gnutls_certificate_allocate_credentials( &credentials[ _cur]) < 0) {
375     log_error_time();
376 nmav 1.15 fprintf(stderr, "tls: certificate allocation error\n");
377 nmav 1.2 exit(1);
378     }
379    
380     if (gnutls_certificate_set_x509_key_file
381     ( credentials[_cur], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
382     log_error_time();
383 nmav 1.15 fprintf(stderr, "tls: could not find '%s' or '%s'.", server_cert,
384 nmav 1.2 server_key);
385     exit(1);
386     }
387 nmav 1.7
388     if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file
389     ( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
390     log_error_time();
391 nmav 1.15 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
392 nmav 1.7 exit(1);
393     }
394 nmav 1.2 }
395    
396 nmav 1.1 if (need_rsa_params) {
397 nmav 1.2 gnutls_rsa_params_deinit( _rsa_params[ _cur]);
398     generate_rsa_params( &_rsa_params[ _cur]);
399     gnutls_certificate_set_rsa_params(credentials[_cur], _rsa_params[ _cur]);
400 nmav 1.1 }
401    
402     if (need_dh_params) {
403 nmav 1.2 gnutls_dh_params_deinit( _dh_params[ _cur]);
404     generate_dh_primes( &_dh_params[ _cur]);
405     gnutls_certificate_set_dh_params(credentials[_cur], _dh_params[ _cur]);
406 nmav 1.1 }
407 nmav 1.2
408     cur = _cur;
409 nmav 1.1
410 nmav 1.10 already_here = 0;
411 nmav 1.1 return;
412     }
413    
414    
415     /* Session resuming:
416     */
417    
418     #define SESSION_ID_SIZE 32
419 nmav 1.14 #define SESSION_DATA_SIZE 1024
420 nmav 1.1
421     typedef struct {
422     char session_id[SESSION_ID_SIZE];
423     int session_id_size;
424    
425     char session_data[SESSION_DATA_SIZE];
426     int session_data_size;
427     } CACHE;
428    
429     static CACHE *cache_db;
430 nmav 1.3 static int cache_db_ptr;
431 nmav 1.1
432     static void wrap_db_init(void)
433     {
434    
435     /* allocate cache_db */
436     cache_db = calloc(1, ssl_session_cache * sizeof(CACHE));
437     }
438    
439     static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data)
440     {
441    
442     if (cache_db == NULL)
443     return -1;
444    
445     if (key.size > SESSION_ID_SIZE)
446     return -1;
447     if (data.size > SESSION_DATA_SIZE)
448     return -1;
449    
450 nmav 1.3 #ifdef ENABLE_SMP
451     pthread_mutex_lock( &ssl_session_cache_lock);
452     #endif
453    
454 nmav 1.1 memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size);
455     cache_db[cache_db_ptr].session_id_size = key.size;
456    
457     memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size);
458     cache_db[cache_db_ptr].session_data_size = data.size;
459    
460 nmav 1.4 cache_db_ptr++;
461     cache_db_ptr %= ssl_session_cache;
462 nmav 1.3
463     #ifdef ENABLE_SMP
464     pthread_mutex_unlock( &ssl_session_cache_lock);
465     #endif
466 nmav 1.1
467     return 0;
468     }
469    
470     static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key)
471     {
472     gnutls_datum res = { NULL, 0 };
473     int i;
474    
475     if (cache_db == NULL)
476     return res;
477    
478 nmav 1.3 #ifdef ENABLE_SMP
479     pthread_mutex_lock( &ssl_session_cache_lock);
480     #endif
481    
482 nmav 1.1 for (i = 0; i < ssl_session_cache; i++) {
483     if (key.size == cache_db[i].session_id_size &&
484     memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
485    
486     res.size = cache_db[i].session_data_size;
487    
488     res.data = malloc(res.size);
489 nmav 1.3 if (res.data == NULL) {
490     #ifdef ENABLE_SMP
491     pthread_mutex_unlock( &ssl_session_cache_lock);
492     #endif
493 nmav 1.1 return res;
494 nmav 1.3 }
495 nmav 1.1
496     memcpy(res.data, cache_db[i].session_data, res.size);
497    
498 nmav 1.3 #ifdef ENABLE_SMP
499     pthread_mutex_unlock( &ssl_session_cache_lock);
500     #endif
501 nmav 1.1 return res;
502     }
503     }
504 nmav 1.3
505     #ifdef ENABLE_SMP
506     pthread_mutex_unlock( &ssl_session_cache_lock);
507     #endif
508    
509 nmav 1.1 return res;
510     }
511    
512     static int wrap_db_delete(void *dbf, gnutls_datum key)
513     {
514     int i;
515    
516     if (cache_db == NULL)
517     return -1;
518    
519 nmav 1.3 #ifdef ENABLE_SMP
520     pthread_mutex_lock( &ssl_session_cache_lock);
521     #endif
522    
523 nmav 1.1 for (i = 0; i < ssl_session_cache; i++) {
524     if (key.size == cache_db[i].session_id_size &&
525     memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
526    
527     cache_db[i].session_id_size = 0;
528     cache_db[i].session_data_size = 0;
529    
530 nmav 1.3 #ifdef ENABLE_SMP
531     pthread_mutex_unlock( &ssl_session_cache_lock);
532     #endif
533    
534 nmav 1.1 return 0;
535     }
536     }
537 nmav 1.3
538     #ifdef ENABLE_SMP
539     pthread_mutex_unlock( &ssl_session_cache_lock);
540     #endif
541 nmav 1.1 return -1;
542    
543     }
544    
545     void check_ssl_alert( request* req, int ret)
546     {
547     int last_alert;
548    
549     if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
550     {
551     last_alert = gnutls_alert_get(req->ssl_state);
552     log_error_doc(req);
553 nmav 1.15 fprintf(stderr, "tls: Received alert '%s'.\n", gnutls_alert_get_name(last_alert));
554 nmav 1.1 }
555     }
556    
557     int finish_handshake(request * current)
558     {
559     int retval;
560    
561     retval = gnutls_handshake(current->ssl_state);
562    
563     if (retval == GNUTLS_E_AGAIN)
564     retval = -1;
565     else if (retval == GNUTLS_E_INTERRUPTED)
566     retval = 1;
567     else if (retval < 0) {
568     if (gnutls_error_is_fatal(retval) != 0) {
569     log_error_doc(current);
570 nmav 1.15 fprintf(stderr, "tls: Handshake error '%s'.\n", gnutls_strerror(retval));
571 nmav 1.1 check_ssl_alert( current, retval);
572    
573     /* we ignore the level of the alert, since we always
574     * send fatal alerts.
575     */
576     current->alert_to_send = gnutls_error_to_alert( retval, NULL);
577 nmav 1.11 if (current->alert_to_send == GNUTLS_E_INVALID_REQUEST)
578     current->alert_to_send = GNUTLS_A_HANDSHAKE_FAILURE;
579    
580     current->status = SEND_ALERT;
581 nmav 1.1 retval = 1;
582     } else {
583     check_ssl_alert( current, retval);
584     retval = 1;
585     }
586     } else if (retval == 0) {
587 nmav 1.7
588 nmav 1.8 if (ssl_verify >= 1) {
589 nmav 1.7 int verify;
590     char name[128];
591     const gnutls_datum *cert_list;
592     int cert_list_size;
593    
594    
595     verify = gnutls_certificate_verify_peers( current->ssl_state);
596 nmav 1.8 current->certificate_verified = "NONE";
597    
598     if (verify != GNUTLS_E_NO_CERTIFICATE_FOUND || ssl_verify == 2) {
599 nmav 1.7 cert_list =
600     gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
601    
602     if (cert_list)
603 nmav 1.12 if (gnutls_x509_extract_certificate_dn_string(name, sizeof(name),
604     &cert_list[0], 0) < 0) strcpy(name, "Unknown");
605 nmav 1.7
606     log_error_time();
607     if (verify & GNUTLS_CERT_NOT_TRUSTED || verify & GNUTLS_CERT_INVALID ||
608     verify & GNUTLS_CERT_CORRUPTED || verify & GNUTLS_CERT_REVOKED)
609     {
610 nmav 1.8 current->certificate_verified = "FAILED";
611     fprintf( stderr, "tls: X.509 Certificate by '%s' is NOT trusted.\n", name);
612    
613     if (ssl_verify == 2 || ssl_verify == 1) {
614     current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
615     current->status = SEND_ALERT;
616     return 1;
617     }
618     } else {
619     current->certificate_verified = "SUCCESS";
620     fprintf( stderr, "tls: X.509 Certificate by '%s' was verified.\n", name);
621 nmav 1.7 }
622     }
623    
624     }
625 nmav 1.1 retval = 1;
626     current->status = READ_HEADER;
627     }
628    
629     return retval;
630     }
631    
632     int send_alert(request * current)
633     {
634     int retval;
635    
636     retval = gnutls_alert_send( current->ssl_state,
637     GNUTLS_AL_FATAL, current->alert_to_send);
638    
639     if (retval == GNUTLS_E_AGAIN)
640     retval = -1;
641     else if (retval == GNUTLS_E_INTERRUPTED)
642     retval = 1;
643     else if (retval <= 0) {
644     retval = 0;
645     current->status = DEAD;
646     }
647    
648     return retval;
649     }
650    
651 nmav 1.10 /* This will parse the ciphers given and set the new ciphers.
652     * If required it will regenerate RSA and DHE parameters.
653     */
654     void ssl_reinit()
655     {
656     int i;
657    
658     need_dh_params = 0;
659     need_rsa_params = 0;
660    
661     /* Add ciphers
662     */
663     i = 0;
664     if ( parse_cs_string( ssl_ciphers, "AES") != 0)
665     cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
666     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
667     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
668     if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
669     cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
670     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
671     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
672     cipher_priority[i] = 0;
673    
674     /* Add key exchange methods
675     */
676     i = 0;
677     if ( parse_cs_string( ssl_kx, "RSA") != 0)
678     kx_priority[i++] = GNUTLS_KX_RSA;
679     if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
680     kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
681     need_rsa_params = 1;
682     }
683     if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
684     kx_priority[i++] = GNUTLS_KX_DHE_RSA;
685     need_dh_params = 1; /* generate DH parameters */
686     }
687     if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
688     kx_priority[i++] = GNUTLS_KX_DHE_DSS;
689     need_dh_params = 1;
690     }
691     kx_priority[i] = 0;
692    
693     /* Add MAC Algorithms
694     */
695     i = 0;
696     if ( parse_cs_string( ssl_mac, "MD5") != 0)
697     mac_priority[i++] = GNUTLS_MAC_MD5;
698 nmav 1.11 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
699 nmav 1.10 mac_priority[i++] = GNUTLS_MAC_SHA;
700     mac_priority[i] = 0;
701    
702     /* Add Compression algorithms
703     */
704     i = 0;
705     if ( parse_cs_string( ssl_comp, "NULL") != 0)
706     comp_priority[i++] = GNUTLS_COMP_NULL;
707     if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
708     comp_priority[i++] = GNUTLS_COMP_ZLIB;
709     if ( parse_cs_string( ssl_comp, "LZO") != 0)
710     comp_priority[i++] = GNUTLS_COMP_LZO;
711     comp_priority[i] = 0;
712    
713     /* Add protocols
714     */
715     i = 0;
716     if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
717     protocol_priority[i++] = GNUTLS_TLS1;
718     if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
719     protocol_priority[i++] = GNUTLS_SSL3;
720     protocol_priority[i] = 0;
721    
722    
723     /* Generate temporary parameters -- if needed.
724     */
725     ssl_regenerate_params();
726    
727     return;
728     }
729    
730 nmav 1.1 #else /* a stub for initialize_ssl */
731    
732     int initialize_ssl(void)
733     {
734     log_error_time();
735 nmav 1.15 fprintf(stderr, "tls: SSL is not available in this build. Disable SSL in Hydra's configuration file.\n");
736 nmav 1.1 exit(1);
737 nmav 1.10 }
738    
739     void ssl_reinit() {
740     return;
741 nmav 1.1 }
742    
743     #endif
webmaster@linux.gr
 ViewVC Help
Powered by ViewVC 1.1.26