25 |
|
|
26 |
#ifdef ENABLE_SSL |
#ifdef ENABLE_SSL |
27 |
|
|
28 |
|
#include "ssl.h" |
29 |
|
|
30 |
#include <gnutls/gnutls.h> |
#include <gnutls/gnutls.h> |
31 |
#include <gcrypt.h> |
#include <gcrypt.h> |
32 |
|
|
42 |
extern char* ssl_mac; |
extern char* ssl_mac; |
43 |
extern char* ssl_comp; |
extern char* ssl_comp; |
44 |
extern char* ssl_protocol; |
extern char* ssl_protocol; |
45 |
|
extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate |
46 |
|
* if sent, 2 require certificate and validate. |
47 |
|
*/ |
48 |
|
|
49 |
static void wrap_db_init(void); |
static void wrap_db_init(void); |
50 |
static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data); |
static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data); |
200 |
|
|
201 |
gnutls_handshake_set_private_extensions( state, 1); |
gnutls_handshake_set_private_extensions( state, 1); |
202 |
|
|
203 |
|
if (ssl_verify == 1) { |
204 |
|
gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST); |
205 |
|
} else if (ssl_verify == 2) { |
206 |
|
gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE); |
207 |
|
} |
208 |
|
|
209 |
return state; |
return state; |
210 |
} |
} |
211 |
|
|
212 |
|
extern char *ca_cert; |
213 |
extern char *server_cert; |
extern char *server_cert; |
214 |
extern char *server_key; |
extern char *server_key; |
215 |
|
|
231 |
if (gnutls_certificate_set_x509_key_file |
if (gnutls_certificate_set_x509_key_file |
232 |
( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) { |
( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) { |
233 |
log_error_time(); |
log_error_time(); |
234 |
fprintf(stderr, "could not find %s or %s", server_cert, |
fprintf(stderr, "could not find %s or %s\n", server_cert, |
235 |
server_key); |
server_key); |
236 |
exit(1); |
exit(1); |
237 |
} |
} |
238 |
|
|
239 |
|
if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file |
240 |
|
( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) { |
241 |
|
log_error_time(); |
242 |
|
fprintf(stderr, "could not find %s\n", ca_cert); |
243 |
|
exit(1); |
244 |
|
} |
245 |
|
|
246 |
if (ssl_session_cache != 0) |
if (ssl_session_cache != 0) |
247 |
wrap_db_init(); |
wrap_db_init(); |
248 |
|
|
353 |
server_key); |
server_key); |
354 |
exit(1); |
exit(1); |
355 |
} |
} |
356 |
|
|
357 |
|
if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file |
358 |
|
( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) { |
359 |
|
log_error_time(); |
360 |
|
fprintf(stderr, "could not find %s\n", ca_cert); |
361 |
|
exit(1); |
362 |
|
} |
363 |
} |
} |
364 |
|
|
365 |
if (need_rsa_params) { |
if (need_rsa_params) { |
551 |
retval = 1; |
retval = 1; |
552 |
} |
} |
553 |
} else if (retval == 0) { |
} else if (retval == 0) { |
554 |
|
|
555 |
|
if (ssl_verify == 2 || ssl_verify == 1) { |
556 |
|
int verify; |
557 |
|
char name[128]; |
558 |
|
const gnutls_datum *cert_list; |
559 |
|
int cert_list_size; |
560 |
|
|
561 |
|
|
562 |
|
verify = gnutls_certificate_verify_peers( current->ssl_state); |
563 |
|
|
564 |
|
if (verify != GNUTLS_E_NO_CERTIFICATE_FOUND || ssl_verify != 1) { |
565 |
|
cert_list = |
566 |
|
gnutls_certificate_get_peers(current->ssl_state, &cert_list_size); |
567 |
|
|
568 |
|
if (cert_list) |
569 |
|
generate_x509_dn( name, sizeof(name), &cert_list[0]); |
570 |
|
|
571 |
|
log_error_time(); |
572 |
|
if (verify & GNUTLS_CERT_NOT_TRUSTED || verify & GNUTLS_CERT_INVALID || |
573 |
|
verify & GNUTLS_CERT_CORRUPTED || verify & GNUTLS_CERT_REVOKED) |
574 |
|
{ |
575 |
|
fprintf( stderr, "tls: X.509 Certificate by '%s' is NOT trusted. Rejecting connection.\n", name); |
576 |
|
current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE; |
577 |
|
current->status = SEND_ALERT; |
578 |
|
return 1; |
579 |
|
} |
580 |
|
fprintf( stderr, "tls: X.509 Certificate by '%s' was verified.\n", name); |
581 |
|
} |
582 |
|
|
583 |
|
} |
584 |
retval = 1; |
retval = 1; |
585 |
current->status = READ_HEADER; |
current->status = READ_HEADER; |
586 |
} |
} |
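Review bot: The result of `gnutls_certificate_verify_peers()` on line 562 is treated only as a flag bitmask, but a negative return (an error code, including `GNUTLS_E_NO_CERTIFICATE_FOUND` when `ssl_verify == 2`) falls through to the `&` tests on lines 572-573, so whether a failed verification is rejected depends on the bit pattern of the error value rather than on an explicit check. The reject condition should test the sign first: `if (verify < 0 || (verify & (GNUTLS_CERT_NOT_TRUSTED | GNUTLS_CERT_INVALID | GNUTLS_CERT_CORRUPTED | GNUTLS_CERT_REVOKED)))`, so that any error from the verifier closes the connection with the bad-certificate alert instead of reaching the "was verified" log line. Separately, `name` on line 557 is only written when `cert_list` is non-NULL (line 568) yet is printed with `%s` on both lines 575 and 580; declaring it as `char name[128] = "";` avoids logging an uninitialized stack buffer. The enclosing function starts and ends outside this hunk, and whether `GNUTLS_CERT_REQUIRE` already aborts the handshake before this point is not visible here, so the explicit sign check is the safe default.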