/[hydra]/hydra/src/ssl.c
ViewVC logotype

Contents of /hydra/src/ssl.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.15.2.1 - (show annotations)
Sun Dec 15 23:47:52 2002 UTC (21 years, 3 months ago) by nmav
Branch: hydra_0_1_0_patches
CVS Tags: hydra_0_1_2, hydra_0_1_1
Changes since 1.15: +2 -2 lines
File MIME type: text/plain
Corrected Keep Alive mode in SSL and TLS connections.

1 /*
2 * Copyright (C) 2002 Nikos Mavroyanopoulos
3 *
4 * This file is part of Hydra webserver.
5 *
6 * Hydra is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Hydra is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19 */
20
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include "boa.h"
25
26 #ifdef ENABLE_SSL
27
28 #include "ssl.h"
29
30 #include <gnutls/gnutls.h>
31 #include <gcrypt.h>
32
33 #ifdef ENABLE_SMP
34 pthread_mutex_t ssl_session_cache_lock = PTHREAD_MUTEX_INITIALIZER;
35 #endif
36
37 extern int ssl_session_cache;
38 extern int ssl_session_timeout;
39
40 extern char* ssl_ciphers;
41 extern char* ssl_kx;
42 extern char* ssl_mac;
43 extern char* ssl_comp;
44 extern char* ssl_protocol;
45 extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
46 * if sent, 2 require certificate and validate.
47 * 3 is request one, and try to verify it. Does not fail in
48 * any case.
49 */
50
51 static void wrap_db_init(void);
52 static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data);
53 static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key);
54 static int wrap_db_delete(void *dbf, gnutls_datum key);
55
56 static int cur = 0; /* points to the credentials structure used */
57 static gnutls_certificate_credentials credentials[2] = { NULL, NULL };
58
59 static int need_dh_params = 0; /* whether we need to generate DHE
60 * parameters. Depend on the chosen ciphersuites.
61 */
62 static int need_rsa_params = 0;
63
64
65 /* we use primes up to 1024 in this server.
66 * otherwise we should add them here.
67 */
68 extern int ssl_dh_bits;
69
70 gnutls_dh_params _dh_params[2];
71 gnutls_rsa_params _rsa_params[2];
72
73 static int generate_dh_primes( gnutls_dh_params* dh_params)
74 {
75 gnutls_datum prime, generator;
76
77 if (gnutls_dh_params_init( dh_params) < 0) {
78 log_error_time();
79 fprintf(stderr, "tls: Error in dh parameter initialization\n");
80 exit(1);
81 }
82
83 /* Generate Diffie Hellman parameters - for use with DHE
84 * kx algorithms. These should be discarded and regenerated
85 * once a day, once a week or once a month. Depends on the
86 * security requirements.
87 */
88
89 if (gnutls_dh_params_generate(&prime, &generator, ssl_dh_bits) <
90 0) {
91 log_error_time();
92 fprintf(stderr, "tls: Error in prime generation\n");
93 exit(1);
94 }
95
96 if (gnutls_dh_params_set
97 (*dh_params, prime, generator, ssl_dh_bits) < 0) {
98 log_error_time();
99 fprintf(stderr, "tls: Error in prime replacement\n");
100 exit(1);
101 }
102
103 log_error_time();
104 fprintf
105 (stderr,
106 "tls: Generated Diffie Hellman parameters [%d bits].\n",
107 ssl_dh_bits);
108
109 free(prime.data);
110 free(generator.data);
111
112 return 0;
113 }
114
115 static int generate_rsa_params( gnutls_rsa_params* rsa_params)
116 {
117 gnutls_datum m, e, d, p, q, u;
118
119 if (gnutls_rsa_params_init( rsa_params) < 0) {
120 log_error_time();
121 fprintf(stderr, "tls: Error in rsa parameter initialization\n");
122 exit(1);
123 }
124
125 /* Generate RSA parameters - for use with RSA-export
126 * cipher suites. These should be discarded and regenerated
127 * once a day, once every 500 transactions etc. Depends on the
128 * security requirements.
129 */
130
131 if (gnutls_rsa_params_generate(&m, &e, &d, &p, &q, &u, 512) < 0) {
132 log_error_time();
133 fprintf(stderr, "tls: Error in rsa parameter generation\n");
134 exit(1);
135 }
136
137 if (gnutls_rsa_params_set( *rsa_params, m, e, d, p, q, u, 512) < 0) {
138 log_error_time();
139 fprintf(stderr, "tls: Error in rsa parameter setting\n");
140 exit(1);
141 }
142
143 free(m.data);
144 free(e.data);
145 free(d.data);
146 free(p.data);
147 free(q.data);
148 free(u.data);
149
150 log_error_time();
151 fprintf
152 (stderr, "tls: Generated temporary RSA parameters.\n");
153
154 return 0;
155 }
156
157 static int protocol_priority[16];
158 static int kx_priority[16];
159 static int cipher_priority[16];
160 static int mac_priority[16];
161 static int comp_priority[16];
162
163 /* Parses a string in the form:
164 * CIPHER1, CIPHER2, ... and tries to find the given algorithm.
165 * This is inefficient. Returns true or false.
166 */
167 static int parse_cs_string( const char* string, const char* algo)
168 {
169 char *broken_list[MAX_COMMA_SEP_ELEMENTS];
170 int broken_list_size, i;
171 char list[64];
172
173 if (string == NULL || algo == NULL) return 0;
174
175 if (strlen( string) > sizeof(list)-1) return 0;
176
177 strcpy( list, string);
178
179 break_comma_list( list, broken_list, &broken_list_size);
180
181 for (i=0;i<broken_list_size;i++) {
182 if (strcmp( broken_list[i], algo) == 0) {
183 return 1;
184 }
185 }
186
187 return 0;
188
189 }
190
191 /* Initializes a single SSL/TLS session. That is set the algorithm,
192 * the db backend, whether to request certificates etc.
193 */
194 gnutls_session initialize_ssl_session(void)
195 {
196 gnutls_session state;
197
198 gnutls_init(&state, GNUTLS_SERVER);
199
200 gnutls_cipher_set_priority(state, cipher_priority);
201 gnutls_compression_set_priority(state, comp_priority);
202 gnutls_kx_set_priority(state, kx_priority);
203 gnutls_protocol_set_priority(state, protocol_priority);
204 gnutls_mac_set_priority(state, mac_priority);
205
206 gnutls_cred_set(state, GNUTLS_CRD_CERTIFICATE, credentials[ cur]);
207
208 gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
209
210 if (ssl_session_cache != 0) {
211 gnutls_db_set_retrieve_function(state, wrap_db_fetch);
212 gnutls_db_set_remove_function(state, wrap_db_delete);
213 gnutls_db_set_store_function(state, wrap_db_store);
214 gnutls_db_set_ptr(state, NULL);
215 }
216 gnutls_db_set_cache_expiration( state, ssl_session_timeout);
217
218 /* gnutls_handshake_set_private_extensions( state, 1); */
219
220 if (ssl_verify == 1 || ssl_verify == 3) {
221 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
222 } else if (ssl_verify == 2) {
223 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
224 } else { /* default */
225 gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
226 }
227
228
229 return state;
230 }
231
232 extern char *ca_cert;
233 extern char *server_cert;
234 extern char *server_key;
235
236 /* Initialization of gnutls' global state
237 */
238 int initialize_ssl(void)
239 {
240 int i;
241
242 log_error_time();
243 fprintf(stderr, "tls: Initializing GnuTLS/%s.\n", gnutls_check_version(NULL));
244 gnutls_global_init();
245 /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */
246
247 if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) {
248 log_error_time();
249 fprintf(stderr, "tls: certificate allocation error\n");
250 exit(1);
251 }
252
253 if (gnutls_certificate_set_x509_key_file
254 ( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
255 log_error_time();
256 fprintf(stderr, "tls: could not find '%s' or '%s'.\n", server_cert,
257 server_key);
258 exit(1);
259 }
260
261 if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file
262 ( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
263 log_error_time();
264 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
265 exit(1);
266 }
267
268 if (ssl_session_cache != 0)
269 wrap_db_init();
270
271 /* Add ciphers
272 */
273 i = 0;
274 if ( parse_cs_string( ssl_ciphers, "AES") != 0)
275 cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
276 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
277 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
278 if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
279 cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
280 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
281 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
282 cipher_priority[i] = 0;
283
284 /* Add key exchange methods
285 */
286 i = 0;
287 if ( parse_cs_string( ssl_kx, "RSA") != 0)
288 kx_priority[i++] = GNUTLS_KX_RSA;
289 if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
290 kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
291 need_rsa_params = 1;
292 }
293 if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
294 kx_priority[i++] = GNUTLS_KX_DHE_RSA;
295 need_dh_params = 1; /* generate DH parameters */
296 }
297 if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
298 kx_priority[i++] = GNUTLS_KX_DHE_DSS;
299 need_dh_params = 1;
300 }
301 kx_priority[i] = 0;
302
303 /* Add MAC Algorithms
304 */
305 i = 0;
306 if ( parse_cs_string( ssl_mac, "MD5") != 0)
307 mac_priority[i++] = GNUTLS_MAC_MD5;
308 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
309 mac_priority[i++] = GNUTLS_MAC_SHA;
310 mac_priority[i] = 0;
311
312 /* Add Compression algorithms
313 */
314 i = 0;
315 if ( parse_cs_string( ssl_comp, "NULL") != 0)
316 comp_priority[i++] = GNUTLS_COMP_NULL;
317 if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
318 comp_priority[i++] = GNUTLS_COMP_ZLIB;
319 if ( parse_cs_string( ssl_comp, "LZO") != 0)
320 comp_priority[i++] = GNUTLS_COMP_LZO;
321 comp_priority[i] = 0;
322
323 /* Add protocols
324 */
325 i = 0;
326 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
327 protocol_priority[i++] = GNUTLS_TLS1;
328 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
329 protocol_priority[i++] = GNUTLS_SSL3;
330 protocol_priority[i] = 0;
331
332 /* Generate temporary parameters -- if needed.
333 */
334 if (need_rsa_params) {
335 generate_rsa_params( &_rsa_params[0]);
336 gnutls_certificate_set_rsa_params(credentials[0], _rsa_params[0]);
337 }
338
339 if (need_dh_params) {
340 generate_dh_primes( &_dh_params[0]);
341 gnutls_certificate_set_dh_params(credentials[0], _dh_params[0]);
342 }
343
344 return 0;
345 }
346
347 /* This function will regenerate the SSL parameters (RSA and DH) without
348 * any need for downtime.
349 */
350
351 void ssl_regenerate_params(void)
352 {
353 static int already_here; /* static so the default value == 0 */
354 int _cur = (cur + 1) % 2;
355
356 /* There is a rare situation where we have been here, because of
357 * a SIGHUP signal, and the process receives a SIGALRM as well.
358 * We try to avoid messing everything up.
359 */
360 if (already_here != 0) return;
361 already_here = 1;
362
363 /* The hint here, is that we keep a copy of 2 certificate credentials.
364 * When we come here, we free the unused copy and allocate new
365 * parameters to it. Then we make the current copy to be this copy.
366 *
367 * We don't free the previous copy because we don't know if anyone
368 * is using it. (this has to be fixed)
369 */
370
371 time(&current_time);
372
373 if ( !credentials[_cur]) {
374 if (gnutls_certificate_allocate_credentials( &credentials[ _cur]) < 0) {
375 log_error_time();
376 fprintf(stderr, "tls: certificate allocation error\n");
377 exit(1);
378 }
379
380 if (gnutls_certificate_set_x509_key_file
381 ( credentials[_cur], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
382 log_error_time();
383 fprintf(stderr, "tls: could not find '%s' or '%s'.", server_cert,
384 server_key);
385 exit(1);
386 }
387
388 if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file
389 ( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
390 log_error_time();
391 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
392 exit(1);
393 }
394 }
395
396 if (need_rsa_params) {
397 gnutls_rsa_params_deinit( _rsa_params[ _cur]);
398 generate_rsa_params( &_rsa_params[ _cur]);
399 gnutls_certificate_set_rsa_params(credentials[_cur], _rsa_params[ _cur]);
400 }
401
402 if (need_dh_params) {
403 gnutls_dh_params_deinit( _dh_params[ _cur]);
404 generate_dh_primes( &_dh_params[ _cur]);
405 gnutls_certificate_set_dh_params(credentials[_cur], _dh_params[ _cur]);
406 }
407
408 cur = _cur;
409
410 already_here = 0;
411 return;
412 }
413
414
415 /* Session resuming:
416 */
417
418 #define SESSION_ID_SIZE 32
419 #define SESSION_DATA_SIZE 1024
420
421 typedef struct {
422 char session_id[SESSION_ID_SIZE];
423 int session_id_size;
424
425 char session_data[SESSION_DATA_SIZE];
426 int session_data_size;
427 } CACHE;
428
429 static CACHE *cache_db;
430 static int cache_db_ptr;
431
432 static void wrap_db_init(void)
433 {
434
435 /* allocate cache_db */
436 cache_db = calloc(1, ssl_session_cache * sizeof(CACHE));
437 }
438
439 static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data)
440 {
441
442 if (cache_db == NULL)
443 return -1;
444
445 if (key.size > SESSION_ID_SIZE)
446 return -1;
447 if (data.size > SESSION_DATA_SIZE)
448 return -1;
449
450 #ifdef ENABLE_SMP
451 pthread_mutex_lock( &ssl_session_cache_lock);
452 #endif
453
454 memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size);
455 cache_db[cache_db_ptr].session_id_size = key.size;
456
457 memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size);
458 cache_db[cache_db_ptr].session_data_size = data.size;
459
460 cache_db_ptr++;
461 cache_db_ptr %= ssl_session_cache;
462
463 #ifdef ENABLE_SMP
464 pthread_mutex_unlock( &ssl_session_cache_lock);
465 #endif
466
467 return 0;
468 }
469
470 static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key)
471 {
472 gnutls_datum res = { NULL, 0 };
473 int i;
474
475 if (cache_db == NULL)
476 return res;
477
478 #ifdef ENABLE_SMP
479 pthread_mutex_lock( &ssl_session_cache_lock);
480 #endif
481
482 for (i = 0; i < ssl_session_cache; i++) {
483 if (key.size == cache_db[i].session_id_size &&
484 memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
485
486 res.size = cache_db[i].session_data_size;
487
488 res.data = malloc(res.size);
489 if (res.data == NULL) {
490 #ifdef ENABLE_SMP
491 pthread_mutex_unlock( &ssl_session_cache_lock);
492 #endif
493 return res;
494 }
495
496 memcpy(res.data, cache_db[i].session_data, res.size);
497
498 #ifdef ENABLE_SMP
499 pthread_mutex_unlock( &ssl_session_cache_lock);
500 #endif
501 return res;
502 }
503 }
504
505 #ifdef ENABLE_SMP
506 pthread_mutex_unlock( &ssl_session_cache_lock);
507 #endif
508
509 return res;
510 }
511
512 static int wrap_db_delete(void *dbf, gnutls_datum key)
513 {
514 int i;
515
516 if (cache_db == NULL)
517 return -1;
518
519 #ifdef ENABLE_SMP
520 pthread_mutex_lock( &ssl_session_cache_lock);
521 #endif
522
523 for (i = 0; i < ssl_session_cache; i++) {
524 if (key.size == cache_db[i].session_id_size &&
525 memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
526
527 cache_db[i].session_id_size = 0;
528 cache_db[i].session_data_size = 0;
529
530 #ifdef ENABLE_SMP
531 pthread_mutex_unlock( &ssl_session_cache_lock);
532 #endif
533
534 return 0;
535 }
536 }
537
538 #ifdef ENABLE_SMP
539 pthread_mutex_unlock( &ssl_session_cache_lock);
540 #endif
541 return -1;
542
543 }
544
545 void check_ssl_alert( request* req, int ret)
546 {
547 int last_alert;
548
549 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
550 {
551 last_alert = gnutls_alert_get(req->ssl_state);
552 log_error_doc(req);
553 fprintf(stderr, "tls: Received alert %d '%s'.\n", last_alert, gnutls_alert_get_name(last_alert));
554 }
555 }
556
557 int finish_handshake(request * current)
558 {
559 int retval;
560
561 retval = gnutls_handshake(current->ssl_state);
562
563 if (retval == GNUTLS_E_AGAIN)
564 retval = -1;
565 else if (retval == GNUTLS_E_INTERRUPTED)
566 retval = 1;
567 else if (retval < 0) {
568 if (gnutls_error_is_fatal(retval) != 0) {
569 log_error_doc(current);
570 fprintf(stderr, "tls: Handshake error '%s'.\n", gnutls_strerror(retval));
571 check_ssl_alert( current, retval);
572
573 /* we ignore the level of the alert, since we always
574 * send fatal alerts.
575 */
576 current->alert_to_send = gnutls_error_to_alert( retval, NULL);
577 if (current->alert_to_send == GNUTLS_E_INVALID_REQUEST)
578 current->alert_to_send = GNUTLS_A_HANDSHAKE_FAILURE;
579
580 current->status = SEND_ALERT;
581 retval = 1;
582 } else {
583 check_ssl_alert( current, retval);
584 retval = 1;
585 }
586 } else if (retval == 0) {
587
588 if (ssl_verify >= 1) {
589 int verify;
590 char name[128];
591 const gnutls_datum *cert_list;
592 int cert_list_size;
593
594
595 verify = gnutls_certificate_verify_peers( current->ssl_state);
596 current->certificate_verified = "NONE";
597
598 if (verify != GNUTLS_E_NO_CERTIFICATE_FOUND || ssl_verify == 2) {
599 cert_list =
600 gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
601
602 if (cert_list)
603 if (gnutls_x509_extract_certificate_dn_string(name, sizeof(name),
604 &cert_list[0], 0) < 0) strcpy(name, "Unknown");
605
606 log_error_time();
607 if (verify & GNUTLS_CERT_NOT_TRUSTED || verify & GNUTLS_CERT_INVALID ||
608 verify & GNUTLS_CERT_CORRUPTED || verify & GNUTLS_CERT_REVOKED)
609 {
610 current->certificate_verified = "FAILED";
611 fprintf( stderr, "tls: X.509 Certificate by '%s' is NOT trusted.\n", name);
612
613 if (ssl_verify == 2 || ssl_verify == 1) {
614 current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
615 current->status = SEND_ALERT;
616 return 1;
617 }
618 } else {
619 current->certificate_verified = "SUCCESS";
620 fprintf( stderr, "tls: X.509 Certificate by '%s' was verified.\n", name);
621 }
622 }
623
624 }
625 retval = 1;
626 current->status = READ_HEADER;
627 }
628
629 return retval;
630 }
631
632 int send_alert(request * current)
633 {
634 int retval;
635
636 retval = gnutls_alert_send( current->ssl_state,
637 GNUTLS_AL_FATAL, current->alert_to_send);
638
639 if (retval == GNUTLS_E_AGAIN)
640 retval = -1;
641 else if (retval == GNUTLS_E_INTERRUPTED)
642 retval = 1;
643 else if (retval <= 0) {
644 retval = 0;
645 current->status = DEAD;
646 }
647
648 return retval;
649 }
650
651 /* This will parse the ciphers given and set the new ciphers.
652 * If required it will regenerate RSA and DHE parameters.
653 */
654 void ssl_reinit()
655 {
656 int i;
657
658 need_dh_params = 0;
659 need_rsa_params = 0;
660
661 /* Add ciphers
662 */
663 i = 0;
664 if ( parse_cs_string( ssl_ciphers, "AES") != 0)
665 cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
666 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
667 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
668 if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
669 cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
670 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
671 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
672 cipher_priority[i] = 0;
673
674 /* Add key exchange methods
675 */
676 i = 0;
677 if ( parse_cs_string( ssl_kx, "RSA") != 0)
678 kx_priority[i++] = GNUTLS_KX_RSA;
679 if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
680 kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
681 need_rsa_params = 1;
682 }
683 if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
684 kx_priority[i++] = GNUTLS_KX_DHE_RSA;
685 need_dh_params = 1; /* generate DH parameters */
686 }
687 if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
688 kx_priority[i++] = GNUTLS_KX_DHE_DSS;
689 need_dh_params = 1;
690 }
691 kx_priority[i] = 0;
692
693 /* Add MAC Algorithms
694 */
695 i = 0;
696 if ( parse_cs_string( ssl_mac, "MD5") != 0)
697 mac_priority[i++] = GNUTLS_MAC_MD5;
698 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
699 mac_priority[i++] = GNUTLS_MAC_SHA;
700 mac_priority[i] = 0;
701
702 /* Add Compression algorithms
703 */
704 i = 0;
705 if ( parse_cs_string( ssl_comp, "NULL") != 0)
706 comp_priority[i++] = GNUTLS_COMP_NULL;
707 if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
708 comp_priority[i++] = GNUTLS_COMP_ZLIB;
709 if ( parse_cs_string( ssl_comp, "LZO") != 0)
710 comp_priority[i++] = GNUTLS_COMP_LZO;
711 comp_priority[i] = 0;
712
713 /* Add protocols
714 */
715 i = 0;
716 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
717 protocol_priority[i++] = GNUTLS_TLS1;
718 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
719 protocol_priority[i++] = GNUTLS_SSL3;
720 protocol_priority[i] = 0;
721
722
723 /* Generate temporary parameters -- if needed.
724 */
725 ssl_regenerate_params();
726
727 return;
728 }
729
730 #else /* a stub for initialize_ssl */
731
732 int initialize_ssl(void)
733 {
734 log_error_time();
735 fprintf(stderr, "tls: SSL is not available in this build. Disable SSL in Hydra's configuration file.\n");
736 exit(1);
737 }
738
739 void ssl_reinit() {
740 return;
741 }
742
743 #endif

webmaster@linux.gr
ViewVC Help
Powered by ViewVC 1.1.26