/[hydra]/hydra/src/ssl.c

Diff of /hydra/src/ssl.c

Parent Directory | Revision Log | View Patch Patch

-revision 1.6 by nmav,
Fri Oct  4 19:09:12 2002 UTC
+revision 1.7 by nmav,
Sat Oct  5 08:32:52 2002 UTC
 Line 25
  #ifdef ENABLE_SSL
+ #include "ssl.h"
  #include <gnutls/gnutls.h>
  #include <gcrypt.h>
-Line 40 
 extern char* ssl_kx;
+Line 42 
 extern char* ssl_kx;
  extern char* ssl_mac;
  extern char* ssl_comp;
  extern char* ssl_protocol;
+ extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
+                         * if sent, 2 require certificate and validate.
+                         */
  static void wrap_db_init(void);
  static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data);
-Line 195 
 gnutls_session initialize_ssl_session(vo
+Line 200 
 gnutls_session initialize_ssl_session(vo
      gnutls_handshake_set_private_extensions( state, 1);
+     if (ssl_verify == 1) {
+        gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
+     } else if (ssl_verify == 2) {
+        gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
+     }
      return state;
  }
+ extern char *ca_cert;
  extern char *server_cert;
  extern char *server_key;
-Line 219 
 int initialize_ssl(void)
+Line 231 
 int initialize_ssl(void)
      if (gnutls_certificate_set_x509_key_file
          ( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
          log_error_time();
-         fprintf(stderr, "could not find %s or %s", server_cert,
+         fprintf(stderr, "could not find %s or %s\n", server_cert,
                  server_key);
          exit(1);
      }
+     if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file
+         ( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
+         log_error_time();
+         fprintf(stderr, "could not find %s\n", ca_cert);
+         exit(1);
+     }
      if (ssl_session_cache != 0)
          wrap_db_init();
-Line 334 
 int _cur = (cur + 1) % 2;
+Line 353 
 int _cur = (cur + 1) % 2;
                  server_key);
             exit(1);
         }
+        if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file
+           ( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
+           log_error_time();
+           fprintf(stderr, "could not find %s\n", ca_cert);
+           exit(1);
+        }
      }
      if (need_rsa_params) {
-Line 525 
 int finish_handshake(request * current)
+Line 551 
 int finish_handshake(request * current)
              retval = 1;
          }
      } else if (retval == 0) {
+         if (ssl_verify == 2 || ssl_verify == 1) {
+            int verify;
+            char name[128];
+            const gnutls_datum *cert_list;
+            int cert_list_size;
+            verify = gnutls_certificate_verify_peers( current->ssl_state);
+            if (verify != GNUTLS_E_NO_CERTIFICATE_FOUND || ssl_verify != 1) {
+               cert_list =
+                 gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
+               if (cert_list)
+                  generate_x509_dn( name, sizeof(name), &cert_list[0]);
+               log_error_time();
+               if (verify & GNUTLS_CERT_NOT_TRUSTED || verify & GNUTLS_CERT_INVALID ||
+                  verify & GNUTLS_CERT_CORRUPTED || verify & GNUTLS_CERT_REVOKED)
+               {
+                  fprintf( stderr, "tls: X.509 Certificate by '%s' is NOT trusted. Rejecting connection.\n", name);
+                  current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
+                  current->status = SEND_ALERT;
+                  return 1;
+               }
+               fprintf( stderr, "tls: X.509 Certificate by '%s' was verified.\n", name);
+            }
+         }
          retval = 1;
          current->status = READ_HEADER;
      }

 Legend:



Removed from v.1.6
 


changed lines


 
Added in v.1.7
 Legend:



Removed from v.1.6
 


changed lines


 
Added in v.1.7
-Removed from v.1.6
+Added in v.1.7

webmaster@linux.gr	ViewVC Help
Powered by ViewVC 1.1.26