/[hydra]/hydra/src/ssl.c
ViewVC logotype

Annotation of /hydra/src/ssl.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.17 - (hide annotations)
Mon Nov 3 10:59:45 2003 UTC (20 years, 4 months ago) by nmav
Branch: MAIN
CVS Tags: hydra_0_1_4
Changes since 1.16: +70 -48 lines
File MIME type: text/plain
ported to gnutls 0.9.x and some other minor fixes.

1 nmav 1.1 /*
2 nmav 1.17 * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
3 nmav 1.1 *
4 nmav 1.5 * This file is part of Hydra webserver.
5 nmav 1.1 *
6 nmav 1.5 * Hydra is free software; you can redistribute it and/or modify
7 nmav 1.1 * it under the terms of the GNU General Public License as published by
8     * the Free Software Foundation; either version 2 of the License, or
9     * (at your option) any later version.
10     *
11 nmav 1.5 * Hydra is distributed in the hope that it will be useful,
12 nmav 1.1 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14     * GNU General Public License for more details.
15     *
16     * You should have received a copy of the GNU General Public License
17     * along with this program; if not, write to the Free Software
18     * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19     */
20 nmav 1.6
21 nmav 1.1 #include <stdio.h>
22     #include <stdlib.h>
23     #include <string.h>
24     #include "boa.h"
25    
26     #ifdef ENABLE_SSL
27    
28 nmav 1.7 #include "ssl.h"
29    
30 nmav 1.1 #include <gnutls/gnutls.h>
31 nmav 1.17 #include <gnutls/x509.h>
32 nmav 1.1
33 nmav 1.3 #ifdef ENABLE_SMP
34     pthread_mutex_t ssl_session_cache_lock = PTHREAD_MUTEX_INITIALIZER;
35     #endif
36    
37 nmav 1.1 extern int ssl_session_cache;
38     extern int ssl_session_timeout;
39    
40     extern char* ssl_ciphers;
41     extern char* ssl_kx;
42     extern char* ssl_mac;
43     extern char* ssl_comp;
44     extern char* ssl_protocol;
45 nmav 1.7 extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
46     * if sent, 2 require certificate and validate.
47 nmav 1.8 * 3 is request one, and try to verify it. Does not fail in
48     * any case.
49 nmav 1.7 */
50 nmav 1.1
51     static void wrap_db_init(void);
52     static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data);
53     static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key);
54     static int wrap_db_delete(void *dbf, gnutls_datum key);
55    
56 nmav 1.2 static int cur = 0; /* points to the credentials structure used */
57 nmav 1.10 static gnutls_certificate_credentials credentials[2] = { NULL, NULL };
58 nmav 1.1
59     static int need_dh_params = 0; /* whether we need to generate DHE
60     * parameters. Depend on the chosen ciphersuites.
61     */
62     static int need_rsa_params = 0;
63    
64    
65     /* we use primes up to 1024 in this server.
66     * otherwise we should add them here.
67     */
68     extern int ssl_dh_bits;
69    
70 nmav 1.2 gnutls_dh_params _dh_params[2];
71     gnutls_rsa_params _rsa_params[2];
72 nmav 1.1
73 nmav 1.2 static int generate_dh_primes( gnutls_dh_params* dh_params)
74 nmav 1.1 {
75 nmav 1.2 if (gnutls_dh_params_init( dh_params) < 0) {
76 nmav 1.1 log_error_time();
77 nmav 1.15 fprintf(stderr, "tls: Error in dh parameter initialization\n");
78 nmav 1.1 exit(1);
79     }
80    
81     /* Generate Diffie Hellman parameters - for use with DHE
82     * kx algorithms. These should be discarded and regenerated
83     * once a day, once a week or once a month. Depends on the
84     * security requirements.
85     */
86    
87 nmav 1.17 if (gnutls_dh_params_generate2( *dh_params, ssl_dh_bits) < 0) {
88 nmav 1.1 log_error_time();
89 nmav 1.15 fprintf(stderr, "tls: Error in prime generation\n");
90 nmav 1.1 exit(1);
91     }
92    
93     log_error_time();
94     fprintf
95     (stderr,
96     "tls: Generated Diffie Hellman parameters [%d bits].\n",
97     ssl_dh_bits);
98    
99 nmav 1.17 return 0;
100 nmav 1.1 }
101    
102 nmav 1.2 static int generate_rsa_params( gnutls_rsa_params* rsa_params)
103 nmav 1.1 {
104 nmav 1.2 if (gnutls_rsa_params_init( rsa_params) < 0) {
105 nmav 1.1 log_error_time();
106 nmav 1.15 fprintf(stderr, "tls: Error in rsa parameter initialization\n");
107 nmav 1.1 exit(1);
108     }
109    
110     /* Generate RSA parameters - for use with RSA-export
111     * cipher suites. These should be discarded and regenerated
112     * once a day, once every 500 transactions etc. Depends on the
113     * security requirements.
114     */
115    
116 nmav 1.17 if (gnutls_rsa_params_generate2( *rsa_params, 512) < 0) {
117 nmav 1.1 log_error_time();
118 nmav 1.15 fprintf(stderr, "tls: Error in rsa parameter generation\n");
119 nmav 1.1 exit(1);
120     }
121    
122     log_error_time();
123     fprintf
124     (stderr, "tls: Generated temporary RSA parameters.\n");
125    
126     return 0;
127     }
128    
129     static int protocol_priority[16];
130     static int kx_priority[16];
131     static int cipher_priority[16];
132     static int mac_priority[16];
133     static int comp_priority[16];
134    
135     /* Parses a string in the form:
136 nmav 1.10 * CIPHER1, CIPHER2, ... and tries to find the given algorithm.
137     * This is inefficient. Returns true or false.
138 nmav 1.1 */
139     static int parse_cs_string( const char* string, const char* algo)
140     {
141 nmav 1.10 char *broken_list[MAX_COMMA_SEP_ELEMENTS];
142     int broken_list_size, i;
143     char list[64];
144    
145 nmav 1.1 if (string == NULL || algo == NULL) return 0;
146 nmav 1.10
147     if (strlen( string) > sizeof(list)-1) return 0;
148 nmav 1.1
149 nmav 1.10 strcpy( list, string);
150    
151     break_comma_list( list, broken_list, &broken_list_size);
152    
153     for (i=0;i<broken_list_size;i++) {
154     if (strcmp( broken_list[i], algo) == 0) {
155 nmav 1.1 return 1;
156 nmav 1.10 }
157     }
158 nmav 1.1
159     return 0;
160    
161     }
162    
163 nmav 1.10 /* Initializes a single SSL/TLS session. That is set the algorithm,
164     * the db backend, whether to request certificates etc.
165     */
166 nmav 1.1 gnutls_session initialize_ssl_session(void)
167     {
168 nmav 1.16 gnutls_session state;
169 nmav 1.1
170     gnutls_init(&state, GNUTLS_SERVER);
171    
172     gnutls_cipher_set_priority(state, cipher_priority);
173     gnutls_compression_set_priority(state, comp_priority);
174     gnutls_kx_set_priority(state, kx_priority);
175     gnutls_protocol_set_priority(state, protocol_priority);
176     gnutls_mac_set_priority(state, mac_priority);
177    
178 nmav 1.16 gnutls_credentials_set(state, GNUTLS_CRD_CERTIFICATE, credentials[ cur]);
179 nmav 1.1
180     gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
181    
182     if (ssl_session_cache != 0) {
183     gnutls_db_set_retrieve_function(state, wrap_db_fetch);
184     gnutls_db_set_remove_function(state, wrap_db_delete);
185     gnutls_db_set_store_function(state, wrap_db_store);
186     gnutls_db_set_ptr(state, NULL);
187     }
188     gnutls_db_set_cache_expiration( state, ssl_session_timeout);
189    
190 nmav 1.9 /* gnutls_handshake_set_private_extensions( state, 1); */
191 nmav 1.1
192 nmav 1.8 if (ssl_verify == 1 || ssl_verify == 3) {
193 nmav 1.7 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
194     } else if (ssl_verify == 2) {
195     gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
196 nmav 1.10 } else { /* default */
197     gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
198 nmav 1.7 }
199    
200 nmav 1.10
201 nmav 1.1 return state;
202     }
203    
204 nmav 1.7 extern char *ca_cert;
205 nmav 1.1 extern char *server_cert;
206     extern char *server_key;
207    
208     /* Initialization of gnutls' global state
209     */
210     int initialize_ssl(void)
211     {
212     int i;
213    
214 nmav 1.15 log_error_time();
215     fprintf(stderr, "tls: Initializing GnuTLS/%s.\n", gnutls_check_version(NULL));
216 nmav 1.1 gnutls_global_init();
217    
218 nmav 1.2 if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) {
219 nmav 1.1 log_error_time();
220 nmav 1.15 fprintf(stderr, "tls: certificate allocation error\n");
221 nmav 1.1 exit(1);
222     }
223    
224     if (gnutls_certificate_set_x509_key_file
225 nmav 1.2 ( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
226 nmav 1.1 log_error_time();
227 nmav 1.15 fprintf(stderr, "tls: could not find '%s' or '%s'.\n", server_cert,
228 nmav 1.1 server_key);
229     exit(1);
230     }
231    
232 nmav 1.7 if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file
233     ( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
234     log_error_time();
235 nmav 1.15 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
236 nmav 1.7 exit(1);
237     }
238    
239 nmav 1.1 if (ssl_session_cache != 0)
240     wrap_db_init();
241    
242     /* Add ciphers
243     */
244     i = 0;
245     if ( parse_cs_string( ssl_ciphers, "AES") != 0)
246     cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
247     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
248     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
249     if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
250     cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
251     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
252     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
253     cipher_priority[i] = 0;
254    
255     /* Add key exchange methods
256     */
257     i = 0;
258     if ( parse_cs_string( ssl_kx, "RSA") != 0)
259     kx_priority[i++] = GNUTLS_KX_RSA;
260     if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
261     kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
262     need_rsa_params = 1;
263     }
264     if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
265     kx_priority[i++] = GNUTLS_KX_DHE_RSA;
266     need_dh_params = 1; /* generate DH parameters */
267     }
268     if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
269     kx_priority[i++] = GNUTLS_KX_DHE_DSS;
270     need_dh_params = 1;
271     }
272     kx_priority[i] = 0;
273    
274     /* Add MAC Algorithms
275     */
276     i = 0;
277     if ( parse_cs_string( ssl_mac, "MD5") != 0)
278     mac_priority[i++] = GNUTLS_MAC_MD5;
279 nmav 1.11 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
280 nmav 1.1 mac_priority[i++] = GNUTLS_MAC_SHA;
281     mac_priority[i] = 0;
282    
283     /* Add Compression algorithms
284     */
285     i = 0;
286     if ( parse_cs_string( ssl_comp, "NULL") != 0)
287     comp_priority[i++] = GNUTLS_COMP_NULL;
288     if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
289     comp_priority[i++] = GNUTLS_COMP_ZLIB;
290     if ( parse_cs_string( ssl_comp, "LZO") != 0)
291     comp_priority[i++] = GNUTLS_COMP_LZO;
292     comp_priority[i] = 0;
293    
294     /* Add protocols
295     */
296     i = 0;
297 nmav 1.10 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
298 nmav 1.1 protocol_priority[i++] = GNUTLS_TLS1;
299 nmav 1.10 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
300 nmav 1.1 protocol_priority[i++] = GNUTLS_SSL3;
301     protocol_priority[i] = 0;
302    
303     /* Generate temporary parameters -- if needed.
304     */
305     if (need_rsa_params) {
306 nmav 1.2 generate_rsa_params( &_rsa_params[0]);
307     gnutls_certificate_set_rsa_params(credentials[0], _rsa_params[0]);
308 nmav 1.1 }
309    
310     if (need_dh_params) {
311 nmav 1.2 generate_dh_primes( &_dh_params[0]);
312     gnutls_certificate_set_dh_params(credentials[0], _dh_params[0]);
313 nmav 1.1 }
314    
315     return 0;
316     }
317    
318     /* This function will regenerate the SSL parameters (RSA and DH) without
319     * any need for downtime.
320     */
321 nmav 1.10
322 nmav 1.1 void ssl_regenerate_params(void)
323     {
324 nmav 1.10 static int already_here; /* static so the default value == 0 */
325 nmav 1.2 int _cur = (cur + 1) % 2;
326    
327 nmav 1.10 /* There is a rare situation where we have been here, because of
328     * a SIGHUP signal, and the process receives a SIGALRM as well.
329     * We try to avoid messing everything up.
330     */
331     if (already_here != 0) return;
332     already_here = 1;
333    
334 nmav 1.2 /* The hint here, is that we keep a copy of 2 certificate credentials.
335     * When we come here, we free the unused copy and allocate new
336     * parameters to it. Then we make the current copy to be this copy.
337     *
338     * We don't free the previous copy because we don't know if anyone
339     * is using it. (this has to be fixed)
340     */
341 nmav 1.1
342     time(&current_time);
343    
344 nmav 1.2 if ( !credentials[_cur]) {
345     if (gnutls_certificate_allocate_credentials( &credentials[ _cur]) < 0) {
346     log_error_time();
347 nmav 1.15 fprintf(stderr, "tls: certificate allocation error\n");
348 nmav 1.2 exit(1);
349     }
350    
351     if (gnutls_certificate_set_x509_key_file
352     ( credentials[_cur], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
353     log_error_time();
354 nmav 1.15 fprintf(stderr, "tls: could not find '%s' or '%s'.", server_cert,
355 nmav 1.2 server_key);
356     exit(1);
357     }
358 nmav 1.7
359     if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file
360     ( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
361     log_error_time();
362 nmav 1.15 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
363 nmav 1.7 exit(1);
364     }
365 nmav 1.2 }
366    
367 nmav 1.1 if (need_rsa_params) {
368 nmav 1.2 gnutls_rsa_params_deinit( _rsa_params[ _cur]);
369     generate_rsa_params( &_rsa_params[ _cur]);
370     gnutls_certificate_set_rsa_params(credentials[_cur], _rsa_params[ _cur]);
371 nmav 1.1 }
372    
373     if (need_dh_params) {
374 nmav 1.2 gnutls_dh_params_deinit( _dh_params[ _cur]);
375     generate_dh_primes( &_dh_params[ _cur]);
376     gnutls_certificate_set_dh_params(credentials[_cur], _dh_params[ _cur]);
377 nmav 1.1 }
378 nmav 1.2
379     cur = _cur;
380 nmav 1.1
381 nmav 1.10 already_here = 0;
382 nmav 1.1 return;
383     }
384    
385    
386     /* Session resuming:
387     */
388    
389     #define SESSION_ID_SIZE 32
390 nmav 1.14 #define SESSION_DATA_SIZE 1024
391 nmav 1.1
392     typedef struct {
393     char session_id[SESSION_ID_SIZE];
394     int session_id_size;
395    
396     char session_data[SESSION_DATA_SIZE];
397     int session_data_size;
398     } CACHE;
399    
400     static CACHE *cache_db;
401 nmav 1.3 static int cache_db_ptr;
402 nmav 1.1
403     static void wrap_db_init(void)
404     {
405    
406     /* allocate cache_db */
407     cache_db = calloc(1, ssl_session_cache * sizeof(CACHE));
408     }
409    
410     static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data)
411     {
412    
413     if (cache_db == NULL)
414     return -1;
415    
416     if (key.size > SESSION_ID_SIZE)
417     return -1;
418     if (data.size > SESSION_DATA_SIZE)
419     return -1;
420    
421 nmav 1.3 #ifdef ENABLE_SMP
422     pthread_mutex_lock( &ssl_session_cache_lock);
423     #endif
424    
425 nmav 1.1 memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size);
426     cache_db[cache_db_ptr].session_id_size = key.size;
427    
428     memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size);
429     cache_db[cache_db_ptr].session_data_size = data.size;
430    
431 nmav 1.4 cache_db_ptr++;
432     cache_db_ptr %= ssl_session_cache;
433 nmav 1.3
434     #ifdef ENABLE_SMP
435     pthread_mutex_unlock( &ssl_session_cache_lock);
436     #endif
437 nmav 1.1
438     return 0;
439     }
440    
441     static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key)
442     {
443     gnutls_datum res = { NULL, 0 };
444     int i;
445    
446     if (cache_db == NULL)
447     return res;
448    
449 nmav 1.3 #ifdef ENABLE_SMP
450     pthread_mutex_lock( &ssl_session_cache_lock);
451     #endif
452    
453 nmav 1.1 for (i = 0; i < ssl_session_cache; i++) {
454     if (key.size == cache_db[i].session_id_size &&
455     memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
456    
457     res.size = cache_db[i].session_data_size;
458    
459     res.data = malloc(res.size);
460 nmav 1.3 if (res.data == NULL) {
461     #ifdef ENABLE_SMP
462     pthread_mutex_unlock( &ssl_session_cache_lock);
463     #endif
464 nmav 1.1 return res;
465 nmav 1.3 }
466 nmav 1.1
467     memcpy(res.data, cache_db[i].session_data, res.size);
468    
469 nmav 1.3 #ifdef ENABLE_SMP
470     pthread_mutex_unlock( &ssl_session_cache_lock);
471     #endif
472 nmav 1.1 return res;
473     }
474     }
475 nmav 1.3
476     #ifdef ENABLE_SMP
477     pthread_mutex_unlock( &ssl_session_cache_lock);
478     #endif
479    
480 nmav 1.1 return res;
481     }
482    
483     static int wrap_db_delete(void *dbf, gnutls_datum key)
484     {
485     int i;
486    
487     if (cache_db == NULL)
488     return -1;
489    
490 nmav 1.3 #ifdef ENABLE_SMP
491     pthread_mutex_lock( &ssl_session_cache_lock);
492     #endif
493    
494 nmav 1.1 for (i = 0; i < ssl_session_cache; i++) {
495     if (key.size == cache_db[i].session_id_size &&
496     memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
497    
498     cache_db[i].session_id_size = 0;
499     cache_db[i].session_data_size = 0;
500    
501 nmav 1.3 #ifdef ENABLE_SMP
502     pthread_mutex_unlock( &ssl_session_cache_lock);
503     #endif
504    
505 nmav 1.1 return 0;
506     }
507     }
508 nmav 1.3
509     #ifdef ENABLE_SMP
510     pthread_mutex_unlock( &ssl_session_cache_lock);
511     #endif
512 nmav 1.1 return -1;
513    
514     }
515    
516     void check_ssl_alert( request* req, int ret)
517     {
518     int last_alert;
519    
520     if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
521     {
522     last_alert = gnutls_alert_get(req->ssl_state);
523     log_error_doc(req);
524 nmav 1.16 fprintf(stderr, "tls: Received alert %d '%s'.\n", last_alert, gnutls_alert_get_name(last_alert));
525 nmav 1.1 }
526     }
527    
528     int finish_handshake(request * current)
529     {
530     int retval;
531    
532     retval = gnutls_handshake(current->ssl_state);
533    
534     if (retval == GNUTLS_E_AGAIN)
535     retval = -1;
536     else if (retval == GNUTLS_E_INTERRUPTED)
537     retval = 1;
538     else if (retval < 0) {
539     if (gnutls_error_is_fatal(retval) != 0) {
540     log_error_doc(current);
541 nmav 1.15 fprintf(stderr, "tls: Handshake error '%s'.\n", gnutls_strerror(retval));
542 nmav 1.1 check_ssl_alert( current, retval);
543    
544     /* we ignore the level of the alert, since we always
545     * send fatal alerts.
546     */
547     current->alert_to_send = gnutls_error_to_alert( retval, NULL);
548 nmav 1.11 if (current->alert_to_send == GNUTLS_E_INVALID_REQUEST)
549     current->alert_to_send = GNUTLS_A_HANDSHAKE_FAILURE;
550    
551     current->status = SEND_ALERT;
552 nmav 1.1 retval = 1;
553     } else {
554     check_ssl_alert( current, retval);
555     retval = 1;
556     }
557     } else if (retval == 0) {
558 nmav 1.7
559 nmav 1.8 if (ssl_verify >= 1) {
560 nmav 1.17 size_t size;
561     int verify, ret, valid;
562 nmav 1.7 char name[128];
563     const gnutls_datum *cert_list;
564     int cert_list_size;
565 nmav 1.17 gnutls_x509_crt crt = NULL;
566    
567     ret = gnutls_x509_crt_init( &crt);
568     if (ret < 0) {
569     log_error_time();
570     fprintf( stderr, "tls: Error in crt_init(): %s\n", gnutls_strerror(ret));
571     current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
572     current->status = SEND_ALERT;
573     return 1;
574     }
575    
576     cert_list =
577     gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
578    
579     if (cert_list) {
580     ret = gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER);
581     if (ret < 0) {
582     log_error_time();
583     fprintf( stderr, "tls: Could not import X.509 certificate: %s\n", gnutls_strerror(ret));
584     current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
585     current->status = SEND_ALERT;
586     return 1;
587     }
588    
589     size = sizeof(name);
590     if (gnutls_x509_crt_get_dn(crt, name, &size) < 0)
591     strcpy(name, "Unknown");
592     }
593    
594 nmav 1.7
595     verify = gnutls_certificate_verify_peers( current->ssl_state);
596 nmav 1.8 current->certificate_verified = "NONE";
597    
598 nmav 1.17 if (cert_list == NULL) {
599     log_error_time();
600     fprintf( stderr, "tls: Peer did not send a certificate.\n");
601     if (ssl_verify == 2) {
602     current->alert_to_send = GNUTLS_A_ACCESS_DENIED;
603     current->status = SEND_ALERT;
604     return 1;
605     }
606     } else { /* cert_list */
607     log_error_time();
608     valid = 0;
609     fprintf( stderr, "tls: X.509 Certificate by '%s' is ", name);
610    
611     if (gnutls_x509_crt_get_expiration_time( crt) < current_time) {
612     fprintf(stderr, "Expired");
613     valid = 1;
614     }
615    
616     if (gnutls_x509_crt_get_activation_time( crt) > current_time) {
617     if (!valid) fprintf(stderr, "Not yet activated");
618     valid = 1;
619     }
620 nmav 1.7
621 nmav 1.17 if (valid || verify & GNUTLS_CERT_INVALID || verify & GNUTLS_CERT_REVOKED)
622 nmav 1.7 {
623 nmav 1.8 current->certificate_verified = "FAILED";
624 nmav 1.17 fprintf( stderr, ", NOT trusted");
625     if (verify & GNUTLS_CERT_REVOKED)
626     fprintf( stderr, ", Revoked");
627     if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
628     fprintf( stderr, ", Issuer not known");
629     if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
630     fprintf( stderr, ", Issuer is not a CA");
631     fprintf( stderr, ".\n");
632 nmav 1.8
633     if (ssl_verify == 2 || ssl_verify == 1) {
634     current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
635     current->status = SEND_ALERT;
636 nmav 1.17 gnutls_x509_crt_deinit(crt);
637 nmav 1.8 return 1;
638     }
639     } else {
640     current->certificate_verified = "SUCCESS";
641 nmav 1.17 fprintf( stderr, "trusted.\n");
642 nmav 1.7 }
643     }
644    
645 nmav 1.17 gnutls_x509_crt_deinit(crt);
646 nmav 1.7 }
647 nmav 1.1 retval = 1;
648     current->status = READ_HEADER;
649     }
650    
651     return retval;
652     }
653    
654     int send_alert(request * current)
655     {
656     int retval;
657    
658     retval = gnutls_alert_send( current->ssl_state,
659     GNUTLS_AL_FATAL, current->alert_to_send);
660    
661     if (retval == GNUTLS_E_AGAIN)
662     retval = -1;
663     else if (retval == GNUTLS_E_INTERRUPTED)
664     retval = 1;
665     else if (retval <= 0) {
666     retval = 0;
667     current->status = DEAD;
668     }
669    
670     return retval;
671     }
672    
673 nmav 1.10 /* This will parse the ciphers given and set the new ciphers.
674     * If required it will regenerate RSA and DHE parameters.
675     */
676     void ssl_reinit()
677     {
678     int i;
679    
680     need_dh_params = 0;
681     need_rsa_params = 0;
682    
683     /* Add ciphers
684     */
685     i = 0;
686     if ( parse_cs_string( ssl_ciphers, "AES") != 0)
687     cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
688     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
689     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
690     if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
691     cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
692     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
693     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
694     cipher_priority[i] = 0;
695    
696     /* Add key exchange methods
697     */
698     i = 0;
699     if ( parse_cs_string( ssl_kx, "RSA") != 0)
700     kx_priority[i++] = GNUTLS_KX_RSA;
701     if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
702     kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
703     need_rsa_params = 1;
704     }
705     if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
706     kx_priority[i++] = GNUTLS_KX_DHE_RSA;
707     need_dh_params = 1; /* generate DH parameters */
708     }
709     if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
710     kx_priority[i++] = GNUTLS_KX_DHE_DSS;
711     need_dh_params = 1;
712     }
713     kx_priority[i] = 0;
714    
715     /* Add MAC Algorithms
716     */
717     i = 0;
718     if ( parse_cs_string( ssl_mac, "MD5") != 0)
719     mac_priority[i++] = GNUTLS_MAC_MD5;
720 nmav 1.11 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
721 nmav 1.10 mac_priority[i++] = GNUTLS_MAC_SHA;
722     mac_priority[i] = 0;
723    
724     /* Add Compression algorithms
725     */
726     i = 0;
727     if ( parse_cs_string( ssl_comp, "NULL") != 0)
728     comp_priority[i++] = GNUTLS_COMP_NULL;
729     if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
730     comp_priority[i++] = GNUTLS_COMP_ZLIB;
731     if ( parse_cs_string( ssl_comp, "LZO") != 0)
732     comp_priority[i++] = GNUTLS_COMP_LZO;
733     comp_priority[i] = 0;
734    
735     /* Add protocols
736     */
737     i = 0;
738     if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
739     protocol_priority[i++] = GNUTLS_TLS1;
740     if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
741     protocol_priority[i++] = GNUTLS_SSL3;
742     protocol_priority[i] = 0;
743    
744    
745     /* Generate temporary parameters -- if needed.
746     */
747     ssl_regenerate_params();
748    
749     return;
750     }
751    
752 nmav 1.1 #else /* a stub for initialize_ssl */
753    
754     int initialize_ssl(void)
755     {
756     log_error_time();
757 nmav 1.15 fprintf(stderr, "tls: SSL is not available in this build. Disable SSL in Hydra's configuration file.\n");
758 nmav 1.1 exit(1);
759 nmav 1.10 }
760    
761     void ssl_reinit() {
762     return;
763 nmav 1.1 }
764    
765     #endif

webmaster@linux.gr
ViewVC Help
Powered by ViewVC 1.1.26