41 |
static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key); |
static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key); |
42 |
static int wrap_db_delete(void *dbf, gnutls_datum key); |
static int wrap_db_delete(void *dbf, gnutls_datum key); |
43 |
|
|
44 |
static gnutls_certificate_credentials credentials; |
static int cur = 0; /* points to the credentials structure used */ |
45 |
|
static gnutls_certificate_credentials credentials[2]; |
46 |
|
|
47 |
static int need_dh_params = 0; /* whether we need to generate DHE |
static int need_dh_params = 0; /* whether we need to generate DHE |
48 |
* parameters. Depend on the chosen ciphersuites. |
* parameters. Depend on the chosen ciphersuites. |
55 |
*/ |
*/ |
56 |
extern int ssl_dh_bits; |
extern int ssl_dh_bits; |
57 |
|
|
58 |
gnutls_dh_params dh_params; |
gnutls_dh_params _dh_params[2]; |
59 |
gnutls_rsa_params rsa_params; |
gnutls_rsa_params _rsa_params[2]; |
60 |
|
|
61 |
static int generate_dh_primes() |
static int generate_dh_primes( gnutls_dh_params* dh_params) |
62 |
{ |
{ |
63 |
gnutls_datum prime, generator; |
gnutls_datum prime, generator; |
64 |
|
|
65 |
if (gnutls_dh_params_init( &dh_params) < 0) { |
if (gnutls_dh_params_init( dh_params) < 0) { |
66 |
log_error_time(); |
log_error_time(); |
67 |
fprintf(stderr, "Error in dh parameter initialization\n"); |
fprintf(stderr, "Error in dh parameter initialization\n"); |
68 |
exit(1); |
exit(1); |
82 |
} |
} |
83 |
|
|
84 |
if (gnutls_dh_params_set |
if (gnutls_dh_params_set |
85 |
(dh_params, prime, generator, ssl_dh_bits) < 0) { |
(*dh_params, prime, generator, ssl_dh_bits) < 0) { |
86 |
log_error_time(); |
log_error_time(); |
87 |
fprintf(stderr, "Error in prime replacement\n"); |
fprintf(stderr, "Error in prime replacement\n"); |
88 |
exit(1); |
exit(1); |
100 |
return 0; |
return 0; |
101 |
} |
} |
102 |
|
|
103 |
static int generate_rsa_params() |
static int generate_rsa_params( gnutls_rsa_params* rsa_params) |
104 |
{ |
{ |
105 |
gnutls_datum m, e, d, p, q, u; |
gnutls_datum m, e, d, p, q, u; |
106 |
|
|
107 |
if (gnutls_rsa_params_init(&rsa_params) < 0) { |
if (gnutls_rsa_params_init( rsa_params) < 0) { |
108 |
log_error_time(); |
log_error_time(); |
109 |
fprintf(stderr, "Error in rsa parameter initialization\n"); |
fprintf(stderr, "Error in rsa parameter initialization\n"); |
110 |
exit(1); |
exit(1); |
122 |
exit(1); |
exit(1); |
123 |
} |
} |
124 |
|
|
125 |
if (gnutls_rsa_params_set(rsa_params, m, e, d, p, q, u, 512) < 0) { |
if (gnutls_rsa_params_set( *rsa_params, m, e, d, p, q, u, 512) < 0) { |
126 |
log_error_time(); |
log_error_time(); |
127 |
fprintf(stderr, "Error in rsa parameter setting\n"); |
fprintf(stderr, "Error in rsa parameter setting\n"); |
128 |
exit(1); |
exit(1); |
176 |
gnutls_protocol_set_priority(state, protocol_priority); |
gnutls_protocol_set_priority(state, protocol_priority); |
177 |
gnutls_mac_set_priority(state, mac_priority); |
gnutls_mac_set_priority(state, mac_priority); |
178 |
|
|
179 |
gnutls_cred_set(state, GNUTLS_CRD_CERTIFICATE, credentials); |
gnutls_cred_set(state, GNUTLS_CRD_CERTIFICATE, credentials[ cur]); |
|
|
|
180 |
|
|
181 |
gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE); |
gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE); |
182 |
|
|
205 |
gnutls_global_init(); |
gnutls_global_init(); |
206 |
/* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */ |
/* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */ |
207 |
|
|
208 |
if (gnutls_certificate_allocate_credentials( &credentials) < 0) { |
if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) { |
209 |
log_error_time(); |
log_error_time(); |
210 |
fprintf(stderr, "certificate allocation error\n"); |
fprintf(stderr, "certificate allocation error\n"); |
211 |
exit(1); |
exit(1); |
212 |
} |
} |
213 |
|
|
214 |
if (gnutls_certificate_set_x509_key_file |
if (gnutls_certificate_set_x509_key_file |
215 |
( credentials, server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) { |
( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) { |
216 |
log_error_time(); |
log_error_time(); |
217 |
fprintf(stderr, "could not find %s or %s", server_cert, |
fprintf(stderr, "could not find %s or %s", server_cert, |
218 |
server_key); |
server_key); |
286 |
/* Generate temporary parameters -- if needed. |
/* Generate temporary parameters -- if needed. |
287 |
*/ |
*/ |
288 |
if (need_rsa_params) { |
if (need_rsa_params) { |
289 |
generate_rsa_params(); |
generate_rsa_params( &_rsa_params[0]); |
290 |
gnutls_certificate_set_rsa_params(credentials, rsa_params); |
gnutls_certificate_set_rsa_params(credentials[0], _rsa_params[0]); |
291 |
} |
} |
292 |
|
|
293 |
if (need_dh_params) { |
if (need_dh_params) { |
294 |
generate_dh_primes(); |
generate_dh_primes( &_dh_params[0]); |
295 |
gnutls_certificate_set_dh_params(credentials, dh_params); |
gnutls_certificate_set_dh_params(credentials[0], _dh_params[0]); |
296 |
} |
} |
297 |
|
|
298 |
return 0; |
return 0; |
303 |
*/ |
*/ |
304 |
void ssl_regenerate_params(void) |
void ssl_regenerate_params(void) |
305 |
{ |
{ |
306 |
/* This is tricky, and should not be used in any kind of |
int _cur = (cur + 1) % 2; |
307 |
* servers (ie threaded ones). This works just because no |
|
308 |
* tls session works in parallel with this function. |
/* The hint here, is that we keep a copy of 2 certificate credentials. |
309 |
*/ |
* When we come here, we free the unused copy and allocate new |
310 |
|
* parameters to it. Then we make the current copy to be this copy. |
311 |
|
* |
312 |
|
* We don't free the previous copy because we don't know if anyone |
313 |
|
* is using it. (this has to be fixed) |
314 |
|
*/ |
315 |
|
|
316 |
time(¤t_time); |
time(¤t_time); |
317 |
|
|
318 |
|
if ( !credentials[_cur]) { |
319 |
|
if (gnutls_certificate_allocate_credentials( &credentials[ _cur]) < 0) { |
320 |
|
log_error_time(); |
321 |
|
fprintf(stderr, "certificate allocation error\n"); |
322 |
|
exit(1); |
323 |
|
} |
324 |
|
|
325 |
|
if (gnutls_certificate_set_x509_key_file |
326 |
|
( credentials[_cur], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) { |
327 |
|
log_error_time(); |
328 |
|
fprintf(stderr, "could not find %s or %s", server_cert, |
329 |
|
server_key); |
330 |
|
exit(1); |
331 |
|
} |
332 |
|
} |
333 |
|
|
334 |
if (need_rsa_params) { |
if (need_rsa_params) { |
335 |
gnutls_rsa_params_deinit( rsa_params); |
gnutls_rsa_params_deinit( _rsa_params[ _cur]); |
336 |
generate_rsa_params(); |
generate_rsa_params( &_rsa_params[ _cur]); |
337 |
gnutls_certificate_set_rsa_params(credentials, rsa_params); |
gnutls_certificate_set_rsa_params(credentials[_cur], _rsa_params[ _cur]); |
338 |
} |
} |
339 |
|
|
340 |
if (need_dh_params) { |
if (need_dh_params) { |
341 |
gnutls_dh_params_deinit( dh_params); |
gnutls_dh_params_deinit( _dh_params[ _cur]); |
342 |
generate_dh_primes(); |
generate_dh_primes( &_dh_params[ _cur]); |
343 |
gnutls_certificate_set_dh_params(credentials, dh_params); |
gnutls_certificate_set_dh_params(credentials[_cur], _dh_params[ _cur]); |
344 |
} |
} |
345 |
|
|
346 |
|
cur = _cur; |
347 |
|
|
348 |
return; |
return; |
349 |
} |
} |
350 |
|
|
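Review bot: `gnutls_rsa_params_deinit( _rsa_params[ _cur])` and `gnutls_dh_params_deinit( _dh_params[ _cur])` in ssl_regenerate_params free the temporary parameters still attached to `credentials[_cur]`, the set that was current before the previous regeneration and that the comment above deliberately keeps alive because a session may still be using it; assuming GnuTLS stores the handle rather than copying it, a session that outlives one regeneration interval may then handshake against freed DH/RSA parameters, so the two-slot scheme protects the credentials struct but not what hangs off it, and the `(this has to be fixed)` remark should say exactly that. On the first call the other slot has never been generated — `_rsa_params` and `_dh_params` are zero-initialized file-scope arrays and init only fills slot 0 — so both deinit calls receive a NULL handle; unless the GnuTLS version in use is known to accept NULL there, guard them, `if (_rsa_params[_cur]) gnutls_rsa_params_deinit(_rsa_params[_cur]);` and `if (_dh_params[_cur]) gnutls_dh_params_deinit(_dh_params[_cur]);`. The `if ( !credentials[_cur])` check also means the certificate and key files are read only when a slot is first allocated, so a later key rotation on disk is not picked up by regeneration; if that is intended, a one-line comment stating it would save the next reader the question. As a point of style, `_rsa_params` and `_dh_params` are file-scope identifiers beginning with an underscore, which C reserves for the implementation; a name such as `dh_params_slots` avoids both the reservation and the clash with the new parameter names of generate_dh_primes and generate_rsa_params.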