/[hydra]/hydra/src/ssl.c

Diff of /hydra/src/ssl.c

Parent Directory | Revision Log | View Patch Patch

-revision 1.16 by nmav,
Wed Jan 22 07:51:50 2003 UTC
+revision 1.17 by nmav,
Mon Nov  3 10:59:45 2003 UTC
 Line 1
  /*
-  * Copyright (C) 2002 Nikos Mavroyanopoulos
+  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
   *
   * This file is part of Hydra webserver.
   *
 Line 28
  #include "ssl.h"
  #include <gnutls/gnutls.h>
- #include <gcrypt.h>
+ #include <gnutls/x509.h>
  #ifdef ENABLE_SMP
  pthread_mutex_t ssl_session_cache_lock = PTHREAD_MUTEX_INITIALIZER;
 Line 72 
 gnutls_rsa_params _rsa_params[2];
  static int generate_dh_primes( gnutls_dh_params* dh_params)
  {
-     gnutls_datum prime, generator;
      if (gnutls_dh_params_init( dh_params) < 0) {
          log_error_time();
          fprintf(stderr, "tls: Error in dh parameter initialization\n");
-Line 86 
 static int generate_dh_primes( gnutls_dh
+Line 84 
 static int generate_dh_primes( gnutls_dh
       * security requirements.
       */
-      if (gnutls_dh_params_generate(&prime, &generator, ssl_dh_bits) <
+      if (gnutls_dh_params_generate2( *dh_params, ssl_dh_bits) < 0) {
-) {
              log_error_time();
              fprintf(stderr, "tls: Error in prime generation\n");
              exit(1);
       }
-      if (gnutls_dh_params_set
-             (*dh_params, prime, generator, ssl_dh_bits) < 0) {
-             log_error_time();
-             fprintf(stderr, "tls: Error in prime replacement\n");
-             exit(1);
-      }
       log_error_time();
       fprintf
              (stderr,
               "tls: Generated Diffie Hellman parameters [%d bits].\n",
               ssl_dh_bits);
-      free(prime.data);
+      return 0;
-      free(generator.data);
-     return 0;
  }
  static int generate_rsa_params( gnutls_rsa_params* rsa_params)
  {
-     gnutls_datum m, e, d, p, q, u;
      if (gnutls_rsa_params_init( rsa_params) < 0) {
          log_error_time();
          fprintf(stderr, "tls: Error in rsa parameter initialization\n");
-Line 128 
 static int generate_rsa_params( gnutls_r
+Line 113 
 static int generate_rsa_params( gnutls_r
       * security requirements.
       */
-     if (gnutls_rsa_params_generate(&m, &e, &d, &p, &q, &u, 512) < 0) {
+     if (gnutls_rsa_params_generate2( *rsa_params, 512) < 0) {
          log_error_time();
          fprintf(stderr, "tls: Error in rsa parameter generation\n");
          exit(1);
      }
-     if (gnutls_rsa_params_set( *rsa_params, m, e, d, p, q, u, 512) < 0) {
-         log_error_time();
-         fprintf(stderr, "tls: Error in rsa parameter setting\n");
-         exit(1);
-     }
-     free(m.data);
-     free(e.data);
-     free(d.data);
-     free(p.data);
-     free(q.data);
-     free(u.data);
      log_error_time();
      fprintf
          (stderr, "tls: Generated temporary RSA parameters.\n");
-Line 242 
 int initialize_ssl(void)
+Line 214 
 int initialize_ssl(void)
      log_error_time();
      fprintf(stderr, "tls: Initializing GnuTLS/%s.\n", gnutls_check_version(NULL));
      gnutls_global_init();
- /*    gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */
      if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) {
          log_error_time();
-Line 586 
 int finish_handshake(request * current)
+Line 557 
 int finish_handshake(request * current)
      } else if (retval == 0) {
          if (ssl_verify >= 1) {
-            int verify;
+            size_t size;
+            int verify, ret, valid;
             char name[128];
             const gnutls_datum *cert_list;
             int cert_list_size;
+            gnutls_x509_crt crt = NULL;
-            verify = gnutls_certificate_verify_peers( current->ssl_state);
+            ret = gnutls_x509_crt_init( &crt);
-            current->certificate_verified = "NONE";
+            if (ret < 0) {
+                log_error_time();
+                fprintf( stderr, "tls: Error in crt_init(): %s\n", gnutls_strerror(ret));
+                current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
+                current->status = SEND_ALERT;
+                return 1;
+            }
-            if (verify != GNUTLS_E_NO_CERTIFICATE_FOUND || ssl_verify == 2) {
+            cert_list =
-               cert_list =
+              gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
-                 gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
-               if (cert_list)
+            if (cert_list) {
-                  if (gnutls_x509_extract_certificate_dn_string(name, sizeof(name),
+               ret = gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER);
-                     &cert_list[0], 0) < 0) strcpy(name, "Unknown");
+               if (ret < 0) {
+                   log_error_time();
+                   fprintf( stderr, "tls: Could not import X.509 certificate: %s\n", gnutls_strerror(ret));
+                   current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
+                   current->status = SEND_ALERT;
+                   return 1;
+               }
+               size = sizeof(name);
+               if (gnutls_x509_crt_get_dn(crt, name, &size) < 0)
+                    strcpy(name, "Unknown");
+            }
+            verify = gnutls_certificate_verify_peers( current->ssl_state);
+            current->certificate_verified = "NONE";
+            if (cert_list == NULL) {
+                   log_error_time();
+                   fprintf( stderr, "tls: Peer did not send a certificate.\n");
+                   if (ssl_verify == 2) {
+                      current->alert_to_send = GNUTLS_A_ACCESS_DENIED;
+                      current->status = SEND_ALERT;
+                      return 1;
+                   }
+            } else { /* cert_list */
                log_error_time();
-               if (verify & GNUTLS_CERT_NOT_TRUSTED || verify & GNUTLS_CERT_INVALID ||
+               valid = 0;
-                  verify & GNUTLS_CERT_CORRUPTED || verify & GNUTLS_CERT_REVOKED)
+               fprintf( stderr, "tls: X.509 Certificate by '%s' is ", name);
+               if (gnutls_x509_crt_get_expiration_time( crt) < current_time) {
+                  fprintf(stderr, "Expired");
+                  valid = 1;
+               }
+               if (gnutls_x509_crt_get_activation_time( crt) > current_time) {
+                  if (!valid) fprintf(stderr, "Not yet activated");
+                  valid = 1;
+               }
+               if (valid || verify & GNUTLS_CERT_INVALID || verify & GNUTLS_CERT_REVOKED)
                {
                   current->certificate_verified = "FAILED";
-                  fprintf( stderr, "tls: X.509 Certificate by '%s' is NOT trusted.\n", name);
+                  fprintf( stderr, ", NOT trusted");
+                  if (verify & GNUTLS_CERT_REVOKED)
+                     fprintf( stderr, ", Revoked");
+                  if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
+                     fprintf( stderr, ", Issuer not known");
+                  if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
+                     fprintf( stderr, ", Issuer is not a CA");
+                  fprintf( stderr, ".\n");
                   if (ssl_verify == 2 || ssl_verify == 1) {
                       current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
                       current->status = SEND_ALERT;
+                      gnutls_x509_crt_deinit(crt);
                       return 1;
                   }
                } else {
                   current->certificate_verified = "SUCCESS";
-                  fprintf( stderr, "tls: X.509 Certificate by '%s' was verified.\n", name);
+                  fprintf( stderr, "trusted.\n");
                }
             }
+            gnutls_x509_crt_deinit(crt);
          }
          retval = 1;
          current->status = READ_HEADER;

 Legend:



Removed from v.1.16
 


changed lines


 
Added in v.1.17
 Legend:



Removed from v.1.16
 


changed lines


 
Added in v.1.17
-Removed from v.1.16
+Added in v.1.17

webmaster@linux.gr	ViewVC Help
Powered by ViewVC 1.1.26