/[hydra]/hydra/src/ssl.c
ViewVC logotype

Contents of /hydra/src/ssl.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.18 - (show annotations)
Sat Apr 3 10:27:46 2004 UTC (20 years ago) by nmav
Branch: MAIN
Changes since 1.17: +3 -0 lines
File MIME type: text/plain
ported to the new gnutls 1.0.9

1 /*
2 * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
3 *
4 * This file is part of Hydra webserver.
5 *
6 * Hydra is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Hydra is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19 */
20
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include "boa.h"
25
26 #ifdef ENABLE_SSL
27
28 #include "ssl.h"
29
30 #include <gnutls/gnutls.h>
31 #include <gnutls/x509.h>
32 #include <gcrypt.h>
33 GCRY_THREAD_OPTION_PTHREAD_IMPL;
34
35 #ifdef ENABLE_SMP
36 pthread_mutex_t ssl_session_cache_lock = PTHREAD_MUTEX_INITIALIZER;
37 #endif
38
39 extern int ssl_session_cache;
40 extern int ssl_session_timeout;
41
42 extern char* ssl_ciphers;
43 extern char* ssl_kx;
44 extern char* ssl_mac;
45 extern char* ssl_comp;
46 extern char* ssl_protocol;
47 extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
48 * if sent, 2 require certificate and validate.
49 * 3 is request one, and try to verify it. Does not fail in
50 * any case.
51 */
52
53 static void wrap_db_init(void);
54 static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data);
55 static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key);
56 static int wrap_db_delete(void *dbf, gnutls_datum key);
57
58 static int cur = 0; /* points to the credentials structure used */
59 static gnutls_certificate_credentials credentials[2] = { NULL, NULL };
60
61 static int need_dh_params = 0; /* whether we need to generate DHE
62 * parameters. Depend on the chosen ciphersuites.
63 */
64 static int need_rsa_params = 0;
65
66
67 /* we use primes up to 1024 in this server.
68 * otherwise we should add them here.
69 */
70 extern int ssl_dh_bits;
71
72 gnutls_dh_params _dh_params[2];
73 gnutls_rsa_params _rsa_params[2];
74
75 static int generate_dh_primes( gnutls_dh_params* dh_params)
76 {
77 if (gnutls_dh_params_init( dh_params) < 0) {
78 log_error_time();
79 fprintf(stderr, "tls: Error in dh parameter initialization\n");
80 exit(1);
81 }
82
83 /* Generate Diffie Hellman parameters - for use with DHE
84 * kx algorithms. These should be discarded and regenerated
85 * once a day, once a week or once a month. Depends on the
86 * security requirements.
87 */
88
89 if (gnutls_dh_params_generate2( *dh_params, ssl_dh_bits) < 0) {
90 log_error_time();
91 fprintf(stderr, "tls: Error in prime generation\n");
92 exit(1);
93 }
94
95 log_error_time();
96 fprintf
97 (stderr,
98 "tls: Generated Diffie Hellman parameters [%d bits].\n",
99 ssl_dh_bits);
100
101 return 0;
102 }
103
104 static int generate_rsa_params( gnutls_rsa_params* rsa_params)
105 {
106 if (gnutls_rsa_params_init( rsa_params) < 0) {
107 log_error_time();
108 fprintf(stderr, "tls: Error in rsa parameter initialization\n");
109 exit(1);
110 }
111
112 /* Generate RSA parameters - for use with RSA-export
113 * cipher suites. These should be discarded and regenerated
114 * once a day, once every 500 transactions etc. Depends on the
115 * security requirements.
116 */
117
118 if (gnutls_rsa_params_generate2( *rsa_params, 512) < 0) {
119 log_error_time();
120 fprintf(stderr, "tls: Error in rsa parameter generation\n");
121 exit(1);
122 }
123
124 log_error_time();
125 fprintf
126 (stderr, "tls: Generated temporary RSA parameters.\n");
127
128 return 0;
129 }
130
131 static int protocol_priority[16];
132 static int kx_priority[16];
133 static int cipher_priority[16];
134 static int mac_priority[16];
135 static int comp_priority[16];
136
137 /* Parses a string in the form:
138 * CIPHER1, CIPHER2, ... and tries to find the given algorithm.
139 * This is inefficient. Returns true or false.
140 */
141 static int parse_cs_string( const char* string, const char* algo)
142 {
143 char *broken_list[MAX_COMMA_SEP_ELEMENTS];
144 int broken_list_size, i;
145 char list[64];
146
147 if (string == NULL || algo == NULL) return 0;
148
149 if (strlen( string) > sizeof(list)-1) return 0;
150
151 strcpy( list, string);
152
153 break_comma_list( list, broken_list, &broken_list_size);
154
155 for (i=0;i<broken_list_size;i++) {
156 if (strcmp( broken_list[i], algo) == 0) {
157 return 1;
158 }
159 }
160
161 return 0;
162
163 }
164
165 /* Initializes a single SSL/TLS session. That is set the algorithm,
166 * the db backend, whether to request certificates etc.
167 */
168 gnutls_session initialize_ssl_session(void)
169 {
170 gnutls_session state;
171
172 gnutls_init(&state, GNUTLS_SERVER);
173
174 gnutls_cipher_set_priority(state, cipher_priority);
175 gnutls_compression_set_priority(state, comp_priority);
176 gnutls_kx_set_priority(state, kx_priority);
177 gnutls_protocol_set_priority(state, protocol_priority);
178 gnutls_mac_set_priority(state, mac_priority);
179
180 gnutls_credentials_set(state, GNUTLS_CRD_CERTIFICATE, credentials[ cur]);
181
182 gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
183
184 if (ssl_session_cache != 0) {
185 gnutls_db_set_retrieve_function(state, wrap_db_fetch);
186 gnutls_db_set_remove_function(state, wrap_db_delete);
187 gnutls_db_set_store_function(state, wrap_db_store);
188 gnutls_db_set_ptr(state, NULL);
189 }
190 gnutls_db_set_cache_expiration( state, ssl_session_timeout);
191
192 /* gnutls_handshake_set_private_extensions( state, 1); */
193
194 if (ssl_verify == 1 || ssl_verify == 3) {
195 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
196 } else if (ssl_verify == 2) {
197 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
198 } else { /* default */
199 gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
200 }
201
202
203 return state;
204 }
205
206 extern char *ca_cert;
207 extern char *server_cert;
208 extern char *server_key;
209
210 /* Initialization of gnutls' global state
211 */
212 int initialize_ssl(void)
213 {
214 int i;
215
216 log_error_time();
217 fprintf(stderr, "tls: Initializing GnuTLS/%s.\n", gnutls_check_version(NULL));
218 gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
219 gnutls_global_init();
220
221 if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) {
222 log_error_time();
223 fprintf(stderr, "tls: certificate allocation error\n");
224 exit(1);
225 }
226
227 if (gnutls_certificate_set_x509_key_file
228 ( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
229 log_error_time();
230 fprintf(stderr, "tls: could not find '%s' or '%s'.\n", server_cert,
231 server_key);
232 exit(1);
233 }
234
235 if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file
236 ( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
237 log_error_time();
238 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
239 exit(1);
240 }
241
242 if (ssl_session_cache != 0)
243 wrap_db_init();
244
245 /* Add ciphers
246 */
247 i = 0;
248 if ( parse_cs_string( ssl_ciphers, "AES") != 0)
249 cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
250 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
251 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
252 if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
253 cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
254 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
255 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
256 cipher_priority[i] = 0;
257
258 /* Add key exchange methods
259 */
260 i = 0;
261 if ( parse_cs_string( ssl_kx, "RSA") != 0)
262 kx_priority[i++] = GNUTLS_KX_RSA;
263 if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
264 kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
265 need_rsa_params = 1;
266 }
267 if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
268 kx_priority[i++] = GNUTLS_KX_DHE_RSA;
269 need_dh_params = 1; /* generate DH parameters */
270 }
271 if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
272 kx_priority[i++] = GNUTLS_KX_DHE_DSS;
273 need_dh_params = 1;
274 }
275 kx_priority[i] = 0;
276
277 /* Add MAC Algorithms
278 */
279 i = 0;
280 if ( parse_cs_string( ssl_mac, "MD5") != 0)
281 mac_priority[i++] = GNUTLS_MAC_MD5;
282 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
283 mac_priority[i++] = GNUTLS_MAC_SHA;
284 mac_priority[i] = 0;
285
286 /* Add Compression algorithms
287 */
288 i = 0;
289 if ( parse_cs_string( ssl_comp, "NULL") != 0)
290 comp_priority[i++] = GNUTLS_COMP_NULL;
291 if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
292 comp_priority[i++] = GNUTLS_COMP_ZLIB;
293 if ( parse_cs_string( ssl_comp, "LZO") != 0)
294 comp_priority[i++] = GNUTLS_COMP_LZO;
295 comp_priority[i] = 0;
296
297 /* Add protocols
298 */
299 i = 0;
300 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
301 protocol_priority[i++] = GNUTLS_TLS1;
302 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
303 protocol_priority[i++] = GNUTLS_SSL3;
304 protocol_priority[i] = 0;
305
306 /* Generate temporary parameters -- if needed.
307 */
308 if (need_rsa_params) {
309 generate_rsa_params( &_rsa_params[0]);
310 gnutls_certificate_set_rsa_params(credentials[0], _rsa_params[0]);
311 }
312
313 if (need_dh_params) {
314 generate_dh_primes( &_dh_params[0]);
315 gnutls_certificate_set_dh_params(credentials[0], _dh_params[0]);
316 }
317
318 return 0;
319 }
320
321 /* This function will regenerate the SSL parameters (RSA and DH) without
322 * any need for downtime.
323 */
324
325 void ssl_regenerate_params(void)
326 {
327 static int already_here; /* static so the default value == 0 */
328 int _cur = (cur + 1) % 2;
329
330 /* There is a rare situation where we have been here, because of
331 * a SIGHUP signal, and the process receives a SIGALRM as well.
332 * We try to avoid messing everything up.
333 */
334 if (already_here != 0) return;
335 already_here = 1;
336
337 /* The hint here, is that we keep a copy of 2 certificate credentials.
338 * When we come here, we free the unused copy and allocate new
339 * parameters to it. Then we make the current copy to be this copy.
340 *
341 * We don't free the previous copy because we don't know if anyone
342 * is using it. (this has to be fixed)
343 */
344
345 time(&current_time);
346
347 if ( !credentials[_cur]) {
348 if (gnutls_certificate_allocate_credentials( &credentials[ _cur]) < 0) {
349 log_error_time();
350 fprintf(stderr, "tls: certificate allocation error\n");
351 exit(1);
352 }
353
354 if (gnutls_certificate_set_x509_key_file
355 ( credentials[_cur], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
356 log_error_time();
357 fprintf(stderr, "tls: could not find '%s' or '%s'.", server_cert,
358 server_key);
359 exit(1);
360 }
361
362 if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file
363 ( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
364 log_error_time();
365 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
366 exit(1);
367 }
368 }
369
370 if (need_rsa_params) {
371 gnutls_rsa_params_deinit( _rsa_params[ _cur]);
372 generate_rsa_params( &_rsa_params[ _cur]);
373 gnutls_certificate_set_rsa_params(credentials[_cur], _rsa_params[ _cur]);
374 }
375
376 if (need_dh_params) {
377 gnutls_dh_params_deinit( _dh_params[ _cur]);
378 generate_dh_primes( &_dh_params[ _cur]);
379 gnutls_certificate_set_dh_params(credentials[_cur], _dh_params[ _cur]);
380 }
381
382 cur = _cur;
383
384 already_here = 0;
385 return;
386 }
387
388
389 /* Session resuming:
390 */
391
392 #define SESSION_ID_SIZE 32
393 #define SESSION_DATA_SIZE 1024
394
395 typedef struct {
396 char session_id[SESSION_ID_SIZE];
397 int session_id_size;
398
399 char session_data[SESSION_DATA_SIZE];
400 int session_data_size;
401 } CACHE;
402
403 static CACHE *cache_db;
404 static int cache_db_ptr;
405
406 static void wrap_db_init(void)
407 {
408
409 /* allocate cache_db */
410 cache_db = calloc(1, ssl_session_cache * sizeof(CACHE));
411 }
412
413 static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data)
414 {
415
416 if (cache_db == NULL)
417 return -1;
418
419 if (key.size > SESSION_ID_SIZE)
420 return -1;
421 if (data.size > SESSION_DATA_SIZE)
422 return -1;
423
424 #ifdef ENABLE_SMP
425 pthread_mutex_lock( &ssl_session_cache_lock);
426 #endif
427
428 memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size);
429 cache_db[cache_db_ptr].session_id_size = key.size;
430
431 memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size);
432 cache_db[cache_db_ptr].session_data_size = data.size;
433
434 cache_db_ptr++;
435 cache_db_ptr %= ssl_session_cache;
436
437 #ifdef ENABLE_SMP
438 pthread_mutex_unlock( &ssl_session_cache_lock);
439 #endif
440
441 return 0;
442 }
443
444 static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key)
445 {
446 gnutls_datum res = { NULL, 0 };
447 int i;
448
449 if (cache_db == NULL)
450 return res;
451
452 #ifdef ENABLE_SMP
453 pthread_mutex_lock( &ssl_session_cache_lock);
454 #endif
455
456 for (i = 0; i < ssl_session_cache; i++) {
457 if (key.size == cache_db[i].session_id_size &&
458 memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
459
460 res.size = cache_db[i].session_data_size;
461
462 res.data = malloc(res.size);
463 if (res.data == NULL) {
464 #ifdef ENABLE_SMP
465 pthread_mutex_unlock( &ssl_session_cache_lock);
466 #endif
467 return res;
468 }
469
470 memcpy(res.data, cache_db[i].session_data, res.size);
471
472 #ifdef ENABLE_SMP
473 pthread_mutex_unlock( &ssl_session_cache_lock);
474 #endif
475 return res;
476 }
477 }
478
479 #ifdef ENABLE_SMP
480 pthread_mutex_unlock( &ssl_session_cache_lock);
481 #endif
482
483 return res;
484 }
485
486 static int wrap_db_delete(void *dbf, gnutls_datum key)
487 {
488 int i;
489
490 if (cache_db == NULL)
491 return -1;
492
493 #ifdef ENABLE_SMP
494 pthread_mutex_lock( &ssl_session_cache_lock);
495 #endif
496
497 for (i = 0; i < ssl_session_cache; i++) {
498 if (key.size == cache_db[i].session_id_size &&
499 memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
500
501 cache_db[i].session_id_size = 0;
502 cache_db[i].session_data_size = 0;
503
504 #ifdef ENABLE_SMP
505 pthread_mutex_unlock( &ssl_session_cache_lock);
506 #endif
507
508 return 0;
509 }
510 }
511
512 #ifdef ENABLE_SMP
513 pthread_mutex_unlock( &ssl_session_cache_lock);
514 #endif
515 return -1;
516
517 }
518
519 void check_ssl_alert( request* req, int ret)
520 {
521 int last_alert;
522
523 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
524 {
525 last_alert = gnutls_alert_get(req->ssl_state);
526 log_error_doc(req);
527 fprintf(stderr, "tls: Received alert %d '%s'.\n", last_alert, gnutls_alert_get_name(last_alert));
528 }
529 }
530
531 int finish_handshake(request * current)
532 {
533 int retval;
534
535 retval = gnutls_handshake(current->ssl_state);
536
537 if (retval == GNUTLS_E_AGAIN)
538 retval = -1;
539 else if (retval == GNUTLS_E_INTERRUPTED)
540 retval = 1;
541 else if (retval < 0) {
542 if (gnutls_error_is_fatal(retval) != 0) {
543 log_error_doc(current);
544 fprintf(stderr, "tls: Handshake error '%s'.\n", gnutls_strerror(retval));
545 check_ssl_alert( current, retval);
546
547 /* we ignore the level of the alert, since we always
548 * send fatal alerts.
549 */
550 current->alert_to_send = gnutls_error_to_alert( retval, NULL);
551 if (current->alert_to_send == GNUTLS_E_INVALID_REQUEST)
552 current->alert_to_send = GNUTLS_A_HANDSHAKE_FAILURE;
553
554 current->status = SEND_ALERT;
555 retval = 1;
556 } else {
557 check_ssl_alert( current, retval);
558 retval = 1;
559 }
560 } else if (retval == 0) {
561
562 if (ssl_verify >= 1) {
563 size_t size;
564 int verify, ret, valid;
565 char name[128];
566 const gnutls_datum *cert_list;
567 int cert_list_size;
568 gnutls_x509_crt crt = NULL;
569
570 ret = gnutls_x509_crt_init( &crt);
571 if (ret < 0) {
572 log_error_time();
573 fprintf( stderr, "tls: Error in crt_init(): %s\n", gnutls_strerror(ret));
574 current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
575 current->status = SEND_ALERT;
576 return 1;
577 }
578
579 cert_list =
580 gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
581
582 if (cert_list) {
583 ret = gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER);
584 if (ret < 0) {
585 log_error_time();
586 fprintf( stderr, "tls: Could not import X.509 certificate: %s\n", gnutls_strerror(ret));
587 current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
588 current->status = SEND_ALERT;
589 return 1;
590 }
591
592 size = sizeof(name);
593 if (gnutls_x509_crt_get_dn(crt, name, &size) < 0)
594 strcpy(name, "Unknown");
595 }
596
597
598 verify = gnutls_certificate_verify_peers( current->ssl_state);
599 current->certificate_verified = "NONE";
600
601 if (cert_list == NULL) {
602 log_error_time();
603 fprintf( stderr, "tls: Peer did not send a certificate.\n");
604 if (ssl_verify == 2) {
605 current->alert_to_send = GNUTLS_A_ACCESS_DENIED;
606 current->status = SEND_ALERT;
607 return 1;
608 }
609 } else { /* cert_list */
610 log_error_time();
611 valid = 0;
612 fprintf( stderr, "tls: X.509 Certificate by '%s' is ", name);
613
614 if (gnutls_x509_crt_get_expiration_time( crt) < current_time) {
615 fprintf(stderr, "Expired");
616 valid = 1;
617 }
618
619 if (gnutls_x509_crt_get_activation_time( crt) > current_time) {
620 if (!valid) fprintf(stderr, "Not yet activated");
621 valid = 1;
622 }
623
624 if (valid || verify & GNUTLS_CERT_INVALID || verify & GNUTLS_CERT_REVOKED)
625 {
626 current->certificate_verified = "FAILED";
627 fprintf( stderr, ", NOT trusted");
628 if (verify & GNUTLS_CERT_REVOKED)
629 fprintf( stderr, ", Revoked");
630 if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
631 fprintf( stderr, ", Issuer not known");
632 if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
633 fprintf( stderr, ", Issuer is not a CA");
634 fprintf( stderr, ".\n");
635
636 if (ssl_verify == 2 || ssl_verify == 1) {
637 current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
638 current->status = SEND_ALERT;
639 gnutls_x509_crt_deinit(crt);
640 return 1;
641 }
642 } else {
643 current->certificate_verified = "SUCCESS";
644 fprintf( stderr, "trusted.\n");
645 }
646 }
647
648 gnutls_x509_crt_deinit(crt);
649 }
650 retval = 1;
651 current->status = READ_HEADER;
652 }
653
654 return retval;
655 }
656
657 int send_alert(request * current)
658 {
659 int retval;
660
661 retval = gnutls_alert_send( current->ssl_state,
662 GNUTLS_AL_FATAL, current->alert_to_send);
663
664 if (retval == GNUTLS_E_AGAIN)
665 retval = -1;
666 else if (retval == GNUTLS_E_INTERRUPTED)
667 retval = 1;
668 else if (retval <= 0) {
669 retval = 0;
670 current->status = DEAD;
671 }
672
673 return retval;
674 }
675
676 /* This will parse the ciphers given and set the new ciphers.
677 * If required it will regenerate RSA and DHE parameters.
678 */
679 void ssl_reinit()
680 {
681 int i;
682
683 need_dh_params = 0;
684 need_rsa_params = 0;
685
686 /* Add ciphers
687 */
688 i = 0;
689 if ( parse_cs_string( ssl_ciphers, "AES") != 0)
690 cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
691 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
692 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
693 if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
694 cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
695 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
696 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
697 cipher_priority[i] = 0;
698
699 /* Add key exchange methods
700 */
701 i = 0;
702 if ( parse_cs_string( ssl_kx, "RSA") != 0)
703 kx_priority[i++] = GNUTLS_KX_RSA;
704 if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
705 kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
706 need_rsa_params = 1;
707 }
708 if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
709 kx_priority[i++] = GNUTLS_KX_DHE_RSA;
710 need_dh_params = 1; /* generate DH parameters */
711 }
712 if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
713 kx_priority[i++] = GNUTLS_KX_DHE_DSS;
714 need_dh_params = 1;
715 }
716 kx_priority[i] = 0;
717
718 /* Add MAC Algorithms
719 */
720 i = 0;
721 if ( parse_cs_string( ssl_mac, "MD5") != 0)
722 mac_priority[i++] = GNUTLS_MAC_MD5;
723 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
724 mac_priority[i++] = GNUTLS_MAC_SHA;
725 mac_priority[i] = 0;
726
727 /* Add Compression algorithms
728 */
729 i = 0;
730 if ( parse_cs_string( ssl_comp, "NULL") != 0)
731 comp_priority[i++] = GNUTLS_COMP_NULL;
732 if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
733 comp_priority[i++] = GNUTLS_COMP_ZLIB;
734 if ( parse_cs_string( ssl_comp, "LZO") != 0)
735 comp_priority[i++] = GNUTLS_COMP_LZO;
736 comp_priority[i] = 0;
737
738 /* Add protocols
739 */
740 i = 0;
741 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
742 protocol_priority[i++] = GNUTLS_TLS1;
743 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
744 protocol_priority[i++] = GNUTLS_SSL3;
745 protocol_priority[i] = 0;
746
747
748 /* Generate temporary parameters -- if needed.
749 */
750 ssl_regenerate_params();
751
752 return;
753 }
754
755 #else /* a stub for initialize_ssl */
756
757 int initialize_ssl(void)
758 {
759 log_error_time();
760 fprintf(stderr, "tls: SSL is not available in this build. Disable SSL in Hydra's configuration file.\n");
761 exit(1);
762 }
763
764 void ssl_reinit() {
765 return;
766 }
767
768 #endif

webmaster@linux.gr
ViewVC Help
Powered by ViewVC 1.1.26