/[hydra]/hydra/src/ssl.c
ViewVC logotype

Annotation of /hydra/src/ssl.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.18 - (hide annotations)
Sat Apr 3 10:27:46 2004 UTC (20 years ago) by nmav
Branch: MAIN
Changes since 1.17: +3 -0 lines
File MIME type: text/plain 
ported to the new gnutls 1.0.9
1 nmav 1.1 /*
2 nmav 1.17 * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
3 nmav 1.1 *
4 nmav 1.5 * This file is part of Hydra webserver.
5 nmav 1.1 *
6 nmav 1.5 * Hydra is free software; you can redistribute it and/or modify
7 nmav 1.1 * it under the terms of the GNU General Public License as published by
8     * the Free Software Foundation; either version 2 of the License, or
9     * (at your option) any later version.
10     *
11 nmav 1.5 * Hydra is distributed in the hope that it will be useful,
12 nmav 1.1 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14     * GNU General Public License for more details.
15     *
16     * You should have received a copy of the GNU General Public License
17     * along with this program; if not, write to the Free Software
18     * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19     */
20 nmav 1.6
21 nmav 1.1 #include <stdio.h>
22     #include <stdlib.h>
23     #include <string.h>
24     #include "boa.h"
25    
26     #ifdef ENABLE_SSL
27    
28 nmav 1.7 #include "ssl.h"
29    
30 nmav 1.1 #include <gnutls/gnutls.h>
31 nmav 1.17 #include <gnutls/x509.h>
32 nmav 1.18 #include <gcrypt.h>
33     GCRY_THREAD_OPTION_PTHREAD_IMPL;
34 nmav 1.1
35 nmav 1.3 #ifdef ENABLE_SMP
36     pthread_mutex_t ssl_session_cache_lock = PTHREAD_MUTEX_INITIALIZER;
37     #endif
38    
39 nmav 1.1 extern int ssl_session_cache;
40     extern int ssl_session_timeout;
41    
42     extern char* ssl_ciphers;
43     extern char* ssl_kx;
44     extern char* ssl_mac;
45     extern char* ssl_comp;
46     extern char* ssl_protocol;
47 nmav 1.7 extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
48     * if sent, 2 require certificate and validate.
49 nmav 1.8 * 3 is request one, and try to verify it. Does not fail in
50     * any case.
51 nmav 1.7 */
52 nmav 1.1
53     static void wrap_db_init(void);
54     static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data);
55     static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key);
56     static int wrap_db_delete(void *dbf, gnutls_datum key);
57    
58 nmav 1.2 static int cur = 0; /* points to the credentials structure used */
59 nmav 1.10 static gnutls_certificate_credentials credentials[2] = { NULL, NULL };
60 nmav 1.1
61     static int need_dh_params = 0; /* whether we need to generate DHE
62     * parameters. Depend on the chosen ciphersuites.
63     */
64     static int need_rsa_params = 0;
65    
66    
67     /* we use primes up to 1024 in this server.
68     * otherwise we should add them here.
69     */
70     extern int ssl_dh_bits;
71    
72 nmav 1.2 gnutls_dh_params _dh_params[2];
73     gnutls_rsa_params _rsa_params[2];
74 nmav 1.1
75 nmav 1.2 static int generate_dh_primes( gnutls_dh_params* dh_params)
76 nmav 1.1 {
77 nmav 1.2 if (gnutls_dh_params_init( dh_params) < 0) {
78 nmav 1.1 log_error_time();
79 nmav 1.15 fprintf(stderr, "tls: Error in dh parameter initialization\n");
80 nmav 1.1 exit(1);
81     }
82    
83     /* Generate Diffie Hellman parameters - for use with DHE
84     * kx algorithms. These should be discarded and regenerated
85     * once a day, once a week or once a month. Depends on the
86     * security requirements.
87     */
88    
89 nmav 1.17 if (gnutls_dh_params_generate2( *dh_params, ssl_dh_bits) < 0) {
90 nmav 1.1 log_error_time();
91 nmav 1.15 fprintf(stderr, "tls: Error in prime generation\n");
92 nmav 1.1 exit(1);
93     }
94    
95     log_error_time();
96     fprintf
97     (stderr,
98     "tls: Generated Diffie Hellman parameters [%d bits].\n",
99     ssl_dh_bits);
100    
101 nmav 1.17 return 0;
102 nmav 1.1 }
103    
104 nmav 1.2 static int generate_rsa_params( gnutls_rsa_params* rsa_params)
105 nmav 1.1 {
106 nmav 1.2 if (gnutls_rsa_params_init( rsa_params) < 0) {
107 nmav 1.1 log_error_time();
108 nmav 1.15 fprintf(stderr, "tls: Error in rsa parameter initialization\n");
109 nmav 1.1 exit(1);
110     }
111    
112     /* Generate RSA parameters - for use with RSA-export
113     * cipher suites. These should be discarded and regenerated
114     * once a day, once every 500 transactions etc. Depends on the
115     * security requirements.
116     */
117    
118 nmav 1.17 if (gnutls_rsa_params_generate2( *rsa_params, 512) < 0) {
119 nmav 1.1 log_error_time();
120 nmav 1.15 fprintf(stderr, "tls: Error in rsa parameter generation\n");
121 nmav 1.1 exit(1);
122     }
123    
124     log_error_time();
125     fprintf
126     (stderr, "tls: Generated temporary RSA parameters.\n");
127    
128     return 0;
129     }
130    
131     static int protocol_priority[16];
132     static int kx_priority[16];
133     static int cipher_priority[16];
134     static int mac_priority[16];
135     static int comp_priority[16];
136    
137     /* Parses a string in the form:
138 nmav 1.10 * CIPHER1, CIPHER2, ... and tries to find the given algorithm.
139     * This is inefficient. Returns true or false.
140 nmav 1.1 */
141     static int parse_cs_string( const char* string, const char* algo)
142     {
143 nmav 1.10 char *broken_list[MAX_COMMA_SEP_ELEMENTS];
144     int broken_list_size, i;
145     char list[64];
146    
147 nmav 1.1 if (string == NULL || algo == NULL) return 0;
148 nmav 1.10
149     if (strlen( string) > sizeof(list)-1) return 0;
150 nmav 1.1
151 nmav 1.10 strcpy( list, string);
152    
153     break_comma_list( list, broken_list, &broken_list_size);
154    
155     for (i=0;i<broken_list_size;i++) {
156     if (strcmp( broken_list[i], algo) == 0) {
157 nmav 1.1 return 1;
158 nmav 1.10 }
159     }
160 nmav 1.1
161     return 0;
162    
163     }
164    
165 nmav 1.10 /* Initializes a single SSL/TLS session. That is set the algorithm,
166     * the db backend, whether to request certificates etc.
167     */
168 nmav 1.1 gnutls_session initialize_ssl_session(void)
169     {
170 nmav 1.16 gnutls_session state;
171 nmav 1.1
172     gnutls_init(&state, GNUTLS_SERVER);
173    
174     gnutls_cipher_set_priority(state, cipher_priority);
175     gnutls_compression_set_priority(state, comp_priority);
176     gnutls_kx_set_priority(state, kx_priority);
177     gnutls_protocol_set_priority(state, protocol_priority);
178     gnutls_mac_set_priority(state, mac_priority);
179    
180 nmav 1.16 gnutls_credentials_set(state, GNUTLS_CRD_CERTIFICATE, credentials[ cur]);
181 nmav 1.1
182     gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
183    
184     if (ssl_session_cache != 0) {
185     gnutls_db_set_retrieve_function(state, wrap_db_fetch);
186     gnutls_db_set_remove_function(state, wrap_db_delete);
187     gnutls_db_set_store_function(state, wrap_db_store);
188     gnutls_db_set_ptr(state, NULL);
189     }
190     gnutls_db_set_cache_expiration( state, ssl_session_timeout);
191    
192 nmav 1.9 /* gnutls_handshake_set_private_extensions( state, 1); */
193 nmav 1.1
194 nmav 1.8 if (ssl_verify == 1 || ssl_verify == 3) {
195 nmav 1.7 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
196     } else if (ssl_verify == 2) {
197     gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
198 nmav 1.10 } else { /* default */
199     gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
200 nmav 1.7 }
201    
202 nmav 1.10
203 nmav 1.1 return state;
204     }
205    
206 nmav 1.7 extern char *ca_cert;
207 nmav 1.1 extern char *server_cert;
208     extern char *server_key;
209    
210     /* Initialization of gnutls' global state
211     */
212     int initialize_ssl(void)
213     {
214     int i;
215    
216 nmav 1.15 log_error_time();
217     fprintf(stderr, "tls: Initializing GnuTLS/%s.\n", gnutls_check_version(NULL));
218 nmav 1.18 gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
219 nmav 1.1 gnutls_global_init();
220    
221 nmav 1.2 if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) {
222 nmav 1.1 log_error_time();
223 nmav 1.15 fprintf(stderr, "tls: certificate allocation error\n");
224 nmav 1.1 exit(1);
225     }
226    
227     if (gnutls_certificate_set_x509_key_file
228 nmav 1.2 ( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
229 nmav 1.1 log_error_time();
230 nmav 1.15 fprintf(stderr, "tls: could not find '%s' or '%s'.\n", server_cert,
231 nmav 1.1 server_key);
232     exit(1);
233     }
234    
235 nmav 1.7 if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file
236     ( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
237     log_error_time();
238 nmav 1.15 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
239 nmav 1.7 exit(1);
240     }
241    
242 nmav 1.1 if (ssl_session_cache != 0)
243     wrap_db_init();
244    
245     /* Add ciphers
246     */
247     i = 0;
248     if ( parse_cs_string( ssl_ciphers, "AES") != 0)
249     cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
250     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
251     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
252     if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
253     cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
254     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
255     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
256     cipher_priority[i] = 0;
257    
258     /* Add key exchange methods
259     */
260     i = 0;
261     if ( parse_cs_string( ssl_kx, "RSA") != 0)
262     kx_priority[i++] = GNUTLS_KX_RSA;
263     if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
264     kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
265     need_rsa_params = 1;
266     }
267     if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
268     kx_priority[i++] = GNUTLS_KX_DHE_RSA;
269     need_dh_params = 1; /* generate DH parameters */
270     }
271     if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
272     kx_priority[i++] = GNUTLS_KX_DHE_DSS;
273     need_dh_params = 1;
274     }
275     kx_priority[i] = 0;
276    
277     /* Add MAC Algorithms
278     */
279     i = 0;
280     if ( parse_cs_string( ssl_mac, "MD5") != 0)
281     mac_priority[i++] = GNUTLS_MAC_MD5;
282 nmav 1.11 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
283 nmav 1.1 mac_priority[i++] = GNUTLS_MAC_SHA;
284     mac_priority[i] = 0;
285    
286     /* Add Compression algorithms
287     */
288     i = 0;
289     if ( parse_cs_string( ssl_comp, "NULL") != 0)
290     comp_priority[i++] = GNUTLS_COMP_NULL;
291     if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
292     comp_priority[i++] = GNUTLS_COMP_ZLIB;
293     if ( parse_cs_string( ssl_comp, "LZO") != 0)
294     comp_priority[i++] = GNUTLS_COMP_LZO;
295     comp_priority[i] = 0;
296    
297     /* Add protocols
298     */
299     i = 0;
300 nmav 1.10 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
301 nmav 1.1 protocol_priority[i++] = GNUTLS_TLS1;
302 nmav 1.10 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
303 nmav 1.1 protocol_priority[i++] = GNUTLS_SSL3;
304     protocol_priority[i] = 0;
305    
306     /* Generate temporary parameters -- if needed.
307     */
308     if (need_rsa_params) {
309 nmav 1.2 generate_rsa_params( &_rsa_params[0]);
310     gnutls_certificate_set_rsa_params(credentials[0], _rsa_params[0]);
311 nmav 1.1 }
312    
313     if (need_dh_params) {
314 nmav 1.2 generate_dh_primes( &_dh_params[0]);
315     gnutls_certificate_set_dh_params(credentials[0], _dh_params[0]);
316 nmav 1.1 }
317    
318     return 0;
319     }
320    
321     /* This function will regenerate the SSL parameters (RSA and DH) without
322     * any need for downtime.
323     */
324 nmav 1.10
325 nmav 1.1 void ssl_regenerate_params(void)
326     {
327 nmav 1.10 static int already_here; /* static so the default value == 0 */
328 nmav 1.2 int _cur = (cur + 1) % 2;
329    
330 nmav 1.10 /* There is a rare situation where we have been here, because of
331     * a SIGHUP signal, and the process receives a SIGALRM as well.
332     * We try to avoid messing everything up.
333     */
334     if (already_here != 0) return;
335     already_here = 1;
336    
337 nmav 1.2 /* The hint here, is that we keep a copy of 2 certificate credentials.
338     * When we come here, we free the unused copy and allocate new
339     * parameters to it. Then we make the current copy to be this copy.
340     *
341     * We don't free the previous copy because we don't know if anyone
342     * is using it. (this has to be fixed)
343     */
344 nmav 1.1
345     time(&current_time);
346    
347 nmav 1.2 if ( !credentials[_cur]) {
348     if (gnutls_certificate_allocate_credentials( &credentials[ _cur]) < 0) {
349     log_error_time();
350 nmav 1.15 fprintf(stderr, "tls: certificate allocation error\n");
351 nmav 1.2 exit(1);
352     }
353    
354     if (gnutls_certificate_set_x509_key_file
355     ( credentials[_cur], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
356     log_error_time();
357 nmav 1.15 fprintf(stderr, "tls: could not find '%s' or '%s'.", server_cert,
358 nmav 1.2 server_key);
359     exit(1);
360     }
361 nmav 1.7
362     if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file
363     ( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
364     log_error_time();
365 nmav 1.15 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
366 nmav 1.7 exit(1);
367     }
368 nmav 1.2 }
369    
370 nmav 1.1 if (need_rsa_params) {
371 nmav 1.2 gnutls_rsa_params_deinit( _rsa_params[ _cur]);
372     generate_rsa_params( &_rsa_params[ _cur]);
373     gnutls_certificate_set_rsa_params(credentials[_cur], _rsa_params[ _cur]);
374 nmav 1.1 }
375    
376     if (need_dh_params) {
377 nmav 1.2 gnutls_dh_params_deinit( _dh_params[ _cur]);
378     generate_dh_primes( &_dh_params[ _cur]);
379     gnutls_certificate_set_dh_params(credentials[_cur], _dh_params[ _cur]);
380 nmav 1.1 }
381 nmav 1.2
382     cur = _cur;
383 nmav 1.1
384 nmav 1.10 already_here = 0;
385 nmav 1.1 return;
386     }
387    
388    
389     /* Session resuming:
390     */
391    
392     #define SESSION_ID_SIZE 32
393 nmav 1.14 #define SESSION_DATA_SIZE 1024
394 nmav 1.1
395     typedef struct {
396     char session_id[SESSION_ID_SIZE];
397     int session_id_size;
398    
399     char session_data[SESSION_DATA_SIZE];
400     int session_data_size;
401     } CACHE;
402    
403     static CACHE *cache_db;
404 nmav 1.3 static int cache_db_ptr;
405 nmav 1.1
406     static void wrap_db_init(void)
407     {
408    
409     /* allocate cache_db */
410     cache_db = calloc(1, ssl_session_cache * sizeof(CACHE));
411     }
412    
413     static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data)
414     {
415    
416     if (cache_db == NULL)
417     return -1;
418    
419     if (key.size > SESSION_ID_SIZE)
420     return -1;
421     if (data.size > SESSION_DATA_SIZE)
422     return -1;
423    
424 nmav 1.3 #ifdef ENABLE_SMP
425     pthread_mutex_lock( &ssl_session_cache_lock);
426     #endif
427    
428 nmav 1.1 memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size);
429     cache_db[cache_db_ptr].session_id_size = key.size;
430    
431     memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size);
432     cache_db[cache_db_ptr].session_data_size = data.size;
433    
434 nmav 1.4 cache_db_ptr++;
435     cache_db_ptr %= ssl_session_cache;
436 nmav 1.3
437     #ifdef ENABLE_SMP
438     pthread_mutex_unlock( &ssl_session_cache_lock);
439     #endif
440 nmav 1.1
441     return 0;
442     }
443    
444     static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key)
445     {
446     gnutls_datum res = { NULL, 0 };
447     int i;
448    
449     if (cache_db == NULL)
450     return res;
451    
452 nmav 1.3 #ifdef ENABLE_SMP
453     pthread_mutex_lock( &ssl_session_cache_lock);
454     #endif
455    
456 nmav 1.1 for (i = 0; i < ssl_session_cache; i++) {
457     if (key.size == cache_db[i].session_id_size &&
458     memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
459    
460     res.size = cache_db[i].session_data_size;
461    
462     res.data = malloc(res.size);
463 nmav 1.3 if (res.data == NULL) {
464     #ifdef ENABLE_SMP
465     pthread_mutex_unlock( &ssl_session_cache_lock);
466     #endif
467 nmav 1.1 return res;
468 nmav 1.3 }
469 nmav 1.1
470     memcpy(res.data, cache_db[i].session_data, res.size);
471    
472 nmav 1.3 #ifdef ENABLE_SMP
473     pthread_mutex_unlock( &ssl_session_cache_lock);
474     #endif
475 nmav 1.1 return res;
476     }
477     }
478 nmav 1.3
479     #ifdef ENABLE_SMP
480     pthread_mutex_unlock( &ssl_session_cache_lock);
481     #endif
482    
483 nmav 1.1 return res;
484     }
485    
486     static int wrap_db_delete(void *dbf, gnutls_datum key)
487     {
488     int i;
489    
490     if (cache_db == NULL)
491     return -1;
492    
493 nmav 1.3 #ifdef ENABLE_SMP
494     pthread_mutex_lock( &ssl_session_cache_lock);
495     #endif
496    
497 nmav 1.1 for (i = 0; i < ssl_session_cache; i++) {
498     if (key.size == cache_db[i].session_id_size &&
499     memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
500    
501     cache_db[i].session_id_size = 0;
502     cache_db[i].session_data_size = 0;
503    
504 nmav 1.3 #ifdef ENABLE_SMP
505     pthread_mutex_unlock( &ssl_session_cache_lock);
506     #endif
507    
508 nmav 1.1 return 0;
509     }
510     }
511 nmav 1.3
512     #ifdef ENABLE_SMP
513     pthread_mutex_unlock( &ssl_session_cache_lock);
514     #endif
515 nmav 1.1 return -1;
516    
517     }
518    
519     void check_ssl_alert( request* req, int ret)
520     {
521     int last_alert;
522    
523     if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
524     {
525     last_alert = gnutls_alert_get(req->ssl_state);
526     log_error_doc(req);
527 nmav 1.16 fprintf(stderr, "tls: Received alert %d '%s'.\n", last_alert, gnutls_alert_get_name(last_alert));
528 nmav 1.1 }
529     }
530    
531     int finish_handshake(request * current)
532     {
533     int retval;
534    
535     retval = gnutls_handshake(current->ssl_state);
536    
537     if (retval == GNUTLS_E_AGAIN)
538     retval = -1;
539     else if (retval == GNUTLS_E_INTERRUPTED)
540     retval = 1;
541     else if (retval < 0) {
542     if (gnutls_error_is_fatal(retval) != 0) {
543     log_error_doc(current);
544 nmav 1.15 fprintf(stderr, "tls: Handshake error '%s'.\n", gnutls_strerror(retval));
545 nmav 1.1 check_ssl_alert( current, retval);
546    
547     /* we ignore the level of the alert, since we always
548     * send fatal alerts.
549     */
550     current->alert_to_send = gnutls_error_to_alert( retval, NULL);
551 nmav 1.11 if (current->alert_to_send == GNUTLS_E_INVALID_REQUEST)
552     current->alert_to_send = GNUTLS_A_HANDSHAKE_FAILURE;
553    
554     current->status = SEND_ALERT;
555 nmav 1.1 retval = 1;
556     } else {
557     check_ssl_alert( current, retval);
558     retval = 1;
559     }
560     } else if (retval == 0) {
561 nmav 1.7
562 nmav 1.8 if (ssl_verify >= 1) {
563 nmav 1.17 size_t size;
564     int verify, ret, valid;
565 nmav 1.7 char name[128];
566     const gnutls_datum *cert_list;
567     int cert_list_size;
568 nmav 1.17 gnutls_x509_crt crt = NULL;
569    
570     ret = gnutls_x509_crt_init( &crt);
571     if (ret < 0) {
572     log_error_time();
573     fprintf( stderr, "tls: Error in crt_init(): %s\n", gnutls_strerror(ret));
574     current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
575     current->status = SEND_ALERT;
576     return 1;
577     }
578    
579     cert_list =
580     gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
581    
582     if (cert_list) {
583     ret = gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER);
584     if (ret < 0) {
585     log_error_time();
586     fprintf( stderr, "tls: Could not import X.509 certificate: %s\n", gnutls_strerror(ret));
587     current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
588     current->status = SEND_ALERT;
589     return 1;
590     }
591    
592     size = sizeof(name);
593     if (gnutls_x509_crt_get_dn(crt, name, &size) < 0)
594     strcpy(name, "Unknown");
595     }
596    
597 nmav 1.7
598     verify = gnutls_certificate_verify_peers( current->ssl_state);
599 nmav 1.8 current->certificate_verified = "NONE";
600    
601 nmav 1.17 if (cert_list == NULL) {
602     log_error_time();
603     fprintf( stderr, "tls: Peer did not send a certificate.\n");
604     if (ssl_verify == 2) {
605     current->alert_to_send = GNUTLS_A_ACCESS_DENIED;
606     current->status = SEND_ALERT;
607     return 1;
608     }
609     } else { /* cert_list */
610     log_error_time();
611     valid = 0;
612     fprintf( stderr, "tls: X.509 Certificate by '%s' is ", name);
613    
614     if (gnutls_x509_crt_get_expiration_time( crt) < current_time) {
615     fprintf(stderr, "Expired");
616     valid = 1;
617     }
618    
619     if (gnutls_x509_crt_get_activation_time( crt) > current_time) {
620     if (!valid) fprintf(stderr, "Not yet activated");
621     valid = 1;
622     }
623 nmav 1.7
624 nmav 1.17 if (valid || verify & GNUTLS_CERT_INVALID || verify & GNUTLS_CERT_REVOKED)
625 nmav 1.7 {
626 nmav 1.8 current->certificate_verified = "FAILED";
627 nmav 1.17 fprintf( stderr, ", NOT trusted");
628     if (verify & GNUTLS_CERT_REVOKED)
629     fprintf( stderr, ", Revoked");
630     if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
631     fprintf( stderr, ", Issuer not known");
632     if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
633     fprintf( stderr, ", Issuer is not a CA");
634     fprintf( stderr, ".\n");
635 nmav 1.8
636     if (ssl_verify == 2 || ssl_verify == 1) {
637     current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
638     current->status = SEND_ALERT;
639 nmav 1.17 gnutls_x509_crt_deinit(crt);
640 nmav 1.8 return 1;
641     }
642     } else {
643     current->certificate_verified = "SUCCESS";
644 nmav 1.17 fprintf( stderr, "trusted.\n");
645 nmav 1.7 }
646     }
647    
648 nmav 1.17 gnutls_x509_crt_deinit(crt);
649 nmav 1.7 }
650 nmav 1.1 retval = 1;
651     current->status = READ_HEADER;
652     }
653    
654     return retval;
655     }
656    
657     int send_alert(request * current)
658     {
659     int retval;
660    
661     retval = gnutls_alert_send( current->ssl_state,
662     GNUTLS_AL_FATAL, current->alert_to_send);
663    
664     if (retval == GNUTLS_E_AGAIN)
665     retval = -1;
666     else if (retval == GNUTLS_E_INTERRUPTED)
667     retval = 1;
668     else if (retval <= 0) {
669     retval = 0;
670     current->status = DEAD;
671     }
672    
673     return retval;
674     }
675    
676 nmav 1.10 /* This will parse the ciphers given and set the new ciphers.
677     * If required it will regenerate RSA and DHE parameters.
678     */
679     void ssl_reinit()
680     {
681     int i;
682    
683     need_dh_params = 0;
684     need_rsa_params = 0;
685    
686     /* Add ciphers
687     */
688     i = 0;
689     if ( parse_cs_string( ssl_ciphers, "AES") != 0)
690     cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
691     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
692     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
693     if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
694     cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
695     if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
696     cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
697     cipher_priority[i] = 0;
698    
699     /* Add key exchange methods
700     */
701     i = 0;
702     if ( parse_cs_string( ssl_kx, "RSA") != 0)
703     kx_priority[i++] = GNUTLS_KX_RSA;
704     if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
705     kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
706     need_rsa_params = 1;
707     }
708     if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
709     kx_priority[i++] = GNUTLS_KX_DHE_RSA;
710     need_dh_params = 1; /* generate DH parameters */
711     }
712     if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
713     kx_priority[i++] = GNUTLS_KX_DHE_DSS;
714     need_dh_params = 1;
715     }
716     kx_priority[i] = 0;
717    
718     /* Add MAC Algorithms
719     */
720     i = 0;
721     if ( parse_cs_string( ssl_mac, "MD5") != 0)
722     mac_priority[i++] = GNUTLS_MAC_MD5;
723 nmav 1.11 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
724 nmav 1.10 mac_priority[i++] = GNUTLS_MAC_SHA;
725     mac_priority[i] = 0;
726    
727     /* Add Compression algorithms
728     */
729     i = 0;
730     if ( parse_cs_string( ssl_comp, "NULL") != 0)
731     comp_priority[i++] = GNUTLS_COMP_NULL;
732     if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
733     comp_priority[i++] = GNUTLS_COMP_ZLIB;
734     if ( parse_cs_string( ssl_comp, "LZO") != 0)
735     comp_priority[i++] = GNUTLS_COMP_LZO;
736     comp_priority[i] = 0;
737    
738     /* Add protocols
739     */
740     i = 0;
741     if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
742     protocol_priority[i++] = GNUTLS_TLS1;
743     if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
744     protocol_priority[i++] = GNUTLS_SSL3;
745     protocol_priority[i] = 0;
746    
747    
748     /* Generate temporary parameters -- if needed.
749     */
750     ssl_regenerate_params();
751    
752     return;
753     }
754    
755 nmav 1.1 #else /* a stub for initialize_ssl */
756    
757     int initialize_ssl(void)
758     {
759     log_error_time();
760 nmav 1.15 fprintf(stderr, "tls: SSL is not available in this build. Disable SSL in Hydra's configuration file.\n");
761 nmav 1.1 exit(1);
762 nmav 1.10 }
763    
764     void ssl_reinit() {
765     return;
766 nmav 1.1 }
767    
768     #endif
webmaster@linux.gr
 ViewVC Help
Powered by ViewVC 1.1.26