/[hydra]/hydra/src/ssl.c
ViewVC logotype

Contents of /hydra/src/ssl.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.17 - (show annotations)
Mon Nov 3 10:59:45 2003 UTC (20 years, 5 months ago) by nmav
Branch: MAIN
CVS Tags: hydra_0_1_4
Changes since 1.16: +70 -48 lines
File MIME type: text/plain 
ported to gnutls 0.9.x and some other minor fixes.
1 /*
2 * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
3 *
4 * This file is part of Hydra webserver.
5 *
6 * Hydra is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Hydra is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19 */
20
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include "boa.h"
25
26 #ifdef ENABLE_SSL
27
28 #include "ssl.h"
29
30 #include <gnutls/gnutls.h>
31 #include <gnutls/x509.h>
32
33 #ifdef ENABLE_SMP
34 pthread_mutex_t ssl_session_cache_lock = PTHREAD_MUTEX_INITIALIZER;
35 #endif
36
37 extern int ssl_session_cache;
38 extern int ssl_session_timeout;
39
40 extern char* ssl_ciphers;
41 extern char* ssl_kx;
42 extern char* ssl_mac;
43 extern char* ssl_comp;
44 extern char* ssl_protocol;
45 extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
46 * if sent, 2 require certificate and validate.
47 * 3 is request one, and try to verify it. Does not fail in
48 * any case.
49 */
50
51 static void wrap_db_init(void);
52 static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data);
53 static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key);
54 static int wrap_db_delete(void *dbf, gnutls_datum key);
55
56 static int cur = 0; /* points to the credentials structure used */
57 static gnutls_certificate_credentials credentials[2] = { NULL, NULL };
58
59 static int need_dh_params = 0; /* whether we need to generate DHE
60 * parameters. Depend on the chosen ciphersuites.
61 */
62 static int need_rsa_params = 0;
63
64
65 /* we use primes up to 1024 in this server.
66 * otherwise we should add them here.
67 */
68 extern int ssl_dh_bits;
69
70 gnutls_dh_params _dh_params[2];
71 gnutls_rsa_params _rsa_params[2];
72
73 static int generate_dh_primes( gnutls_dh_params* dh_params)
74 {
75 if (gnutls_dh_params_init( dh_params) < 0) {
76 log_error_time();
77 fprintf(stderr, "tls: Error in dh parameter initialization\n");
78 exit(1);
79 }
80
81 /* Generate Diffie Hellman parameters - for use with DHE
82 * kx algorithms. These should be discarded and regenerated
83 * once a day, once a week or once a month. Depends on the
84 * security requirements.
85 */
86
87 if (gnutls_dh_params_generate2( *dh_params, ssl_dh_bits) < 0) {
88 log_error_time();
89 fprintf(stderr, "tls: Error in prime generation\n");
90 exit(1);
91 }
92
93 log_error_time();
94 fprintf
95 (stderr,
96 "tls: Generated Diffie Hellman parameters [%d bits].\n",
97 ssl_dh_bits);
98
99 return 0;
100 }
101
102 static int generate_rsa_params( gnutls_rsa_params* rsa_params)
103 {
104 if (gnutls_rsa_params_init( rsa_params) < 0) {
105 log_error_time();
106 fprintf(stderr, "tls: Error in rsa parameter initialization\n");
107 exit(1);
108 }
109
110 /* Generate RSA parameters - for use with RSA-export
111 * cipher suites. These should be discarded and regenerated
112 * once a day, once every 500 transactions etc. Depends on the
113 * security requirements.
114 */
115
116 if (gnutls_rsa_params_generate2( *rsa_params, 512) < 0) {
117 log_error_time();
118 fprintf(stderr, "tls: Error in rsa parameter generation\n");
119 exit(1);
120 }
121
122 log_error_time();
123 fprintf
124 (stderr, "tls: Generated temporary RSA parameters.\n");
125
126 return 0;
127 }
128
129 static int protocol_priority[16];
130 static int kx_priority[16];
131 static int cipher_priority[16];
132 static int mac_priority[16];
133 static int comp_priority[16];
134
135 /* Parses a string in the form:
136 * CIPHER1, CIPHER2, ... and tries to find the given algorithm.
137 * This is inefficient. Returns true or false.
138 */
139 static int parse_cs_string( const char* string, const char* algo)
140 {
141 char *broken_list[MAX_COMMA_SEP_ELEMENTS];
142 int broken_list_size, i;
143 char list[64];
144
145 if (string == NULL || algo == NULL) return 0;
146
147 if (strlen( string) > sizeof(list)-1) return 0;
148
149 strcpy( list, string);
150
151 break_comma_list( list, broken_list, &broken_list_size);
152
153 for (i=0;i<broken_list_size;i++) {
154 if (strcmp( broken_list[i], algo) == 0) {
155 return 1;
156 }
157 }
158
159 return 0;
160
161 }
162
163 /* Initializes a single SSL/TLS session. That is set the algorithm,
164 * the db backend, whether to request certificates etc.
165 */
166 gnutls_session initialize_ssl_session(void)
167 {
168 gnutls_session state;
169
170 gnutls_init(&state, GNUTLS_SERVER);
171
172 gnutls_cipher_set_priority(state, cipher_priority);
173 gnutls_compression_set_priority(state, comp_priority);
174 gnutls_kx_set_priority(state, kx_priority);
175 gnutls_protocol_set_priority(state, protocol_priority);
176 gnutls_mac_set_priority(state, mac_priority);
177
178 gnutls_credentials_set(state, GNUTLS_CRD_CERTIFICATE, credentials[ cur]);
179
180 gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
181
182 if (ssl_session_cache != 0) {
183 gnutls_db_set_retrieve_function(state, wrap_db_fetch);
184 gnutls_db_set_remove_function(state, wrap_db_delete);
185 gnutls_db_set_store_function(state, wrap_db_store);
186 gnutls_db_set_ptr(state, NULL);
187 }
188 gnutls_db_set_cache_expiration( state, ssl_session_timeout);
189
190 /* gnutls_handshake_set_private_extensions( state, 1); */
191
192 if (ssl_verify == 1 || ssl_verify == 3) {
193 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
194 } else if (ssl_verify == 2) {
195 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
196 } else { /* default */
197 gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
198 }
199
200
201 return state;
202 }
203
204 extern char *ca_cert;
205 extern char *server_cert;
206 extern char *server_key;
207
208 /* Initialization of gnutls' global state
209 */
210 int initialize_ssl(void)
211 {
212 int i;
213
214 log_error_time();
215 fprintf(stderr, "tls: Initializing GnuTLS/%s.\n", gnutls_check_version(NULL));
216 gnutls_global_init();
217
218 if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) {
219 log_error_time();
220 fprintf(stderr, "tls: certificate allocation error\n");
221 exit(1);
222 }
223
224 if (gnutls_certificate_set_x509_key_file
225 ( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
226 log_error_time();
227 fprintf(stderr, "tls: could not find '%s' or '%s'.\n", server_cert,
228 server_key);
229 exit(1);
230 }
231
232 if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file
233 ( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
234 log_error_time();
235 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
236 exit(1);
237 }
238
239 if (ssl_session_cache != 0)
240 wrap_db_init();
241
242 /* Add ciphers
243 */
244 i = 0;
245 if ( parse_cs_string( ssl_ciphers, "AES") != 0)
246 cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
247 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
248 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
249 if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
250 cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
251 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
252 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
253 cipher_priority[i] = 0;
254
255 /* Add key exchange methods
256 */
257 i = 0;
258 if ( parse_cs_string( ssl_kx, "RSA") != 0)
259 kx_priority[i++] = GNUTLS_KX_RSA;
260 if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
261 kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
262 need_rsa_params = 1;
263 }
264 if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
265 kx_priority[i++] = GNUTLS_KX_DHE_RSA;
266 need_dh_params = 1; /* generate DH parameters */
267 }
268 if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
269 kx_priority[i++] = GNUTLS_KX_DHE_DSS;
270 need_dh_params = 1;
271 }
272 kx_priority[i] = 0;
273
274 /* Add MAC Algorithms
275 */
276 i = 0;
277 if ( parse_cs_string( ssl_mac, "MD5") != 0)
278 mac_priority[i++] = GNUTLS_MAC_MD5;
279 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
280 mac_priority[i++] = GNUTLS_MAC_SHA;
281 mac_priority[i] = 0;
282
283 /* Add Compression algorithms
284 */
285 i = 0;
286 if ( parse_cs_string( ssl_comp, "NULL") != 0)
287 comp_priority[i++] = GNUTLS_COMP_NULL;
288 if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
289 comp_priority[i++] = GNUTLS_COMP_ZLIB;
290 if ( parse_cs_string( ssl_comp, "LZO") != 0)
291 comp_priority[i++] = GNUTLS_COMP_LZO;
292 comp_priority[i] = 0;
293
294 /* Add protocols
295 */
296 i = 0;
297 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
298 protocol_priority[i++] = GNUTLS_TLS1;
299 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
300 protocol_priority[i++] = GNUTLS_SSL3;
301 protocol_priority[i] = 0;
302
303 /* Generate temporary parameters -- if needed.
304 */
305 if (need_rsa_params) {
306 generate_rsa_params( &_rsa_params[0]);
307 gnutls_certificate_set_rsa_params(credentials[0], _rsa_params[0]);
308 }
309
310 if (need_dh_params) {
311 generate_dh_primes( &_dh_params[0]);
312 gnutls_certificate_set_dh_params(credentials[0], _dh_params[0]);
313 }
314
315 return 0;
316 }
317
318 /* This function will regenerate the SSL parameters (RSA and DH) without
319 * any need for downtime.
320 */
321
322 void ssl_regenerate_params(void)
323 {
324 static int already_here; /* static so the default value == 0 */
325 int _cur = (cur + 1) % 2;
326
327 /* There is a rare situation where we have been here, because of
328 * a SIGHUP signal, and the process receives a SIGALRM as well.
329 * We try to avoid messing everything up.
330 */
331 if (already_here != 0) return;
332 already_here = 1;
333
334 /* The hint here, is that we keep a copy of 2 certificate credentials.
335 * When we come here, we free the unused copy and allocate new
336 * parameters to it. Then we make the current copy to be this copy.
337 *
338 * We don't free the previous copy because we don't know if anyone
339 * is using it. (this has to be fixed)
340 */
341
342 time(&current_time);
343
344 if ( !credentials[_cur]) {
345 if (gnutls_certificate_allocate_credentials( &credentials[ _cur]) < 0) {
346 log_error_time();
347 fprintf(stderr, "tls: certificate allocation error\n");
348 exit(1);
349 }
350
351 if (gnutls_certificate_set_x509_key_file
352 ( credentials[_cur], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
353 log_error_time();
354 fprintf(stderr, "tls: could not find '%s' or '%s'.", server_cert,
355 server_key);
356 exit(1);
357 }
358
359 if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file
360 ( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
361 log_error_time();
362 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
363 exit(1);
364 }
365 }
366
367 if (need_rsa_params) {
368 gnutls_rsa_params_deinit( _rsa_params[ _cur]);
369 generate_rsa_params( &_rsa_params[ _cur]);
370 gnutls_certificate_set_rsa_params(credentials[_cur], _rsa_params[ _cur]);
371 }
372
373 if (need_dh_params) {
374 gnutls_dh_params_deinit( _dh_params[ _cur]);
375 generate_dh_primes( &_dh_params[ _cur]);
376 gnutls_certificate_set_dh_params(credentials[_cur], _dh_params[ _cur]);
377 }
378
379 cur = _cur;
380
381 already_here = 0;
382 return;
383 }
384
385
386 /* Session resuming:
387 */
388
389 #define SESSION_ID_SIZE 32
390 #define SESSION_DATA_SIZE 1024
391
392 typedef struct {
393 char session_id[SESSION_ID_SIZE];
394 int session_id_size;
395
396 char session_data[SESSION_DATA_SIZE];
397 int session_data_size;
398 } CACHE;
399
400 static CACHE *cache_db;
401 static int cache_db_ptr;
402
403 static void wrap_db_init(void)
404 {
405
406 /* allocate cache_db */
407 cache_db = calloc(1, ssl_session_cache * sizeof(CACHE));
408 }
409
410 static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data)
411 {
412
413 if (cache_db == NULL)
414 return -1;
415
416 if (key.size > SESSION_ID_SIZE)
417 return -1;
418 if (data.size > SESSION_DATA_SIZE)
419 return -1;
420
421 #ifdef ENABLE_SMP
422 pthread_mutex_lock( &ssl_session_cache_lock);
423 #endif
424
425 memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size);
426 cache_db[cache_db_ptr].session_id_size = key.size;
427
428 memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size);
429 cache_db[cache_db_ptr].session_data_size = data.size;
430
431 cache_db_ptr++;
432 cache_db_ptr %= ssl_session_cache;
433
434 #ifdef ENABLE_SMP
435 pthread_mutex_unlock( &ssl_session_cache_lock);
436 #endif
437
438 return 0;
439 }
440
441 static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key)
442 {
443 gnutls_datum res = { NULL, 0 };
444 int i;
445
446 if (cache_db == NULL)
447 return res;
448
449 #ifdef ENABLE_SMP
450 pthread_mutex_lock( &ssl_session_cache_lock);
451 #endif
452
453 for (i = 0; i < ssl_session_cache; i++) {
454 if (key.size == cache_db[i].session_id_size &&
455 memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
456
457 res.size = cache_db[i].session_data_size;
458
459 res.data = malloc(res.size);
460 if (res.data == NULL) {
461 #ifdef ENABLE_SMP
462 pthread_mutex_unlock( &ssl_session_cache_lock);
463 #endif
464 return res;
465 }
466
467 memcpy(res.data, cache_db[i].session_data, res.size);
468
469 #ifdef ENABLE_SMP
470 pthread_mutex_unlock( &ssl_session_cache_lock);
471 #endif
472 return res;
473 }
474 }
475
476 #ifdef ENABLE_SMP
477 pthread_mutex_unlock( &ssl_session_cache_lock);
478 #endif
479
480 return res;
481 }
482
483 static int wrap_db_delete(void *dbf, gnutls_datum key)
484 {
485 int i;
486
487 if (cache_db == NULL)
488 return -1;
489
490 #ifdef ENABLE_SMP
491 pthread_mutex_lock( &ssl_session_cache_lock);
492 #endif
493
494 for (i = 0; i < ssl_session_cache; i++) {
495 if (key.size == cache_db[i].session_id_size &&
496 memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
497
498 cache_db[i].session_id_size = 0;
499 cache_db[i].session_data_size = 0;
500
501 #ifdef ENABLE_SMP
502 pthread_mutex_unlock( &ssl_session_cache_lock);
503 #endif
504
505 return 0;
506 }
507 }
508
509 #ifdef ENABLE_SMP
510 pthread_mutex_unlock( &ssl_session_cache_lock);
511 #endif
512 return -1;
513
514 }
515
516 void check_ssl_alert( request* req, int ret)
517 {
518 int last_alert;
519
520 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
521 {
522 last_alert = gnutls_alert_get(req->ssl_state);
523 log_error_doc(req);
524 fprintf(stderr, "tls: Received alert %d '%s'.\n", last_alert, gnutls_alert_get_name(last_alert));
525 }
526 }
527
528 int finish_handshake(request * current)
529 {
530 int retval;
531
532 retval = gnutls_handshake(current->ssl_state);
533
534 if (retval == GNUTLS_E_AGAIN)
535 retval = -1;
536 else if (retval == GNUTLS_E_INTERRUPTED)
537 retval = 1;
538 else if (retval < 0) {
539 if (gnutls_error_is_fatal(retval) != 0) {
540 log_error_doc(current);
541 fprintf(stderr, "tls: Handshake error '%s'.\n", gnutls_strerror(retval));
542 check_ssl_alert( current, retval);
543
544 /* we ignore the level of the alert, since we always
545 * send fatal alerts.
546 */
547 current->alert_to_send = gnutls_error_to_alert( retval, NULL);
548 if (current->alert_to_send == GNUTLS_E_INVALID_REQUEST)
549 current->alert_to_send = GNUTLS_A_HANDSHAKE_FAILURE;
550
551 current->status = SEND_ALERT;
552 retval = 1;
553 } else {
554 check_ssl_alert( current, retval);
555 retval = 1;
556 }
557 } else if (retval == 0) {
558
559 if (ssl_verify >= 1) {
560 size_t size;
561 int verify, ret, valid;
562 char name[128];
563 const gnutls_datum *cert_list;
564 int cert_list_size;
565 gnutls_x509_crt crt = NULL;
566
567 ret = gnutls_x509_crt_init( &crt);
568 if (ret < 0) {
569 log_error_time();
570 fprintf( stderr, "tls: Error in crt_init(): %s\n", gnutls_strerror(ret));
571 current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
572 current->status = SEND_ALERT;
573 return 1;
574 }
575
576 cert_list =
577 gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
578
579 if (cert_list) {
580 ret = gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER);
581 if (ret < 0) {
582 log_error_time();
583 fprintf( stderr, "tls: Could not import X.509 certificate: %s\n", gnutls_strerror(ret));
584 current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
585 current->status = SEND_ALERT;
586 return 1;
587 }
588
589 size = sizeof(name);
590 if (gnutls_x509_crt_get_dn(crt, name, &size) < 0)
591 strcpy(name, "Unknown");
592 }
593
594
595 verify = gnutls_certificate_verify_peers( current->ssl_state);
596 current->certificate_verified = "NONE";
597
598 if (cert_list == NULL) {
599 log_error_time();
600 fprintf( stderr, "tls: Peer did not send a certificate.\n");
601 if (ssl_verify == 2) {
602 current->alert_to_send = GNUTLS_A_ACCESS_DENIED;
603 current->status = SEND_ALERT;
604 return 1;
605 }
606 } else { /* cert_list */
607 log_error_time();
608 valid = 0;
609 fprintf( stderr, "tls: X.509 Certificate by '%s' is ", name);
610
611 if (gnutls_x509_crt_get_expiration_time( crt) < current_time) {
612 fprintf(stderr, "Expired");
613 valid = 1;
614 }
615
616 if (gnutls_x509_crt_get_activation_time( crt) > current_time) {
617 if (!valid) fprintf(stderr, "Not yet activated");
618 valid = 1;
619 }
620
621 if (valid || verify & GNUTLS_CERT_INVALID || verify & GNUTLS_CERT_REVOKED)
622 {
623 current->certificate_verified = "FAILED";
624 fprintf( stderr, ", NOT trusted");
625 if (verify & GNUTLS_CERT_REVOKED)
626 fprintf( stderr, ", Revoked");
627 if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
628 fprintf( stderr, ", Issuer not known");
629 if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
630 fprintf( stderr, ", Issuer is not a CA");
631 fprintf( stderr, ".\n");
632
633 if (ssl_verify == 2 || ssl_verify == 1) {
634 current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
635 current->status = SEND_ALERT;
636 gnutls_x509_crt_deinit(crt);
637 return 1;
638 }
639 } else {
640 current->certificate_verified = "SUCCESS";
641 fprintf( stderr, "trusted.\n");
642 }
643 }
644
645 gnutls_x509_crt_deinit(crt);
646 }
647 retval = 1;
648 current->status = READ_HEADER;
649 }
650
651 return retval;
652 }
653
654 int send_alert(request * current)
655 {
656 int retval;
657
658 retval = gnutls_alert_send( current->ssl_state,
659 GNUTLS_AL_FATAL, current->alert_to_send);
660
661 if (retval == GNUTLS_E_AGAIN)
662 retval = -1;
663 else if (retval == GNUTLS_E_INTERRUPTED)
664 retval = 1;
665 else if (retval <= 0) {
666 retval = 0;
667 current->status = DEAD;
668 }
669
670 return retval;
671 }
672
673 /* This will parse the ciphers given and set the new ciphers.
674 * If required it will regenerate RSA and DHE parameters.
675 */
676 void ssl_reinit()
677 {
678 int i;
679
680 need_dh_params = 0;
681 need_rsa_params = 0;
682
683 /* Add ciphers
684 */
685 i = 0;
686 if ( parse_cs_string( ssl_ciphers, "AES") != 0)
687 cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
688 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
689 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
690 if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
691 cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
692 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
693 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
694 cipher_priority[i] = 0;
695
696 /* Add key exchange methods
697 */
698 i = 0;
699 if ( parse_cs_string( ssl_kx, "RSA") != 0)
700 kx_priority[i++] = GNUTLS_KX_RSA;
701 if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
702 kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
703 need_rsa_params = 1;
704 }
705 if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
706 kx_priority[i++] = GNUTLS_KX_DHE_RSA;
707 need_dh_params = 1; /* generate DH parameters */
708 }
709 if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
710 kx_priority[i++] = GNUTLS_KX_DHE_DSS;
711 need_dh_params = 1;
712 }
713 kx_priority[i] = 0;
714
715 /* Add MAC Algorithms
716 */
717 i = 0;
718 if ( parse_cs_string( ssl_mac, "MD5") != 0)
719 mac_priority[i++] = GNUTLS_MAC_MD5;
720 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
721 mac_priority[i++] = GNUTLS_MAC_SHA;
722 mac_priority[i] = 0;
723
724 /* Add Compression algorithms
725 */
726 i = 0;
727 if ( parse_cs_string( ssl_comp, "NULL") != 0)
728 comp_priority[i++] = GNUTLS_COMP_NULL;
729 if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
730 comp_priority[i++] = GNUTLS_COMP_ZLIB;
731 if ( parse_cs_string( ssl_comp, "LZO") != 0)
732 comp_priority[i++] = GNUTLS_COMP_LZO;
733 comp_priority[i] = 0;
734
735 /* Add protocols
736 */
737 i = 0;
738 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
739 protocol_priority[i++] = GNUTLS_TLS1;
740 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
741 protocol_priority[i++] = GNUTLS_SSL3;
742 protocol_priority[i] = 0;
743
744
745 /* Generate temporary parameters -- if needed.
746 */
747 ssl_regenerate_params();
748
749 return;
750 }
751
752 #else /* a stub for initialize_ssl */
753
754 int initialize_ssl(void)
755 {
756 log_error_time();
757 fprintf(stderr, "tls: SSL is not available in this build. Disable SSL in Hydra's configuration file.\n");
758 exit(1);
759 }
760
761 void ssl_reinit() {
762 return;
763 }
764
765 #endif
webmaster@linux.gr
 ViewVC Help
Powered by ViewVC 1.1.26