/[hydra]/hydra/src/ssl.c
ViewVC logotype

Contents of /hydra/src/ssl.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.19 - (show annotations)
Sat Jul 24 17:35:38 2004 UTC (19 years, 8 months ago) by nmav
Branch: MAIN
CVS Tags: hydra_0_1_6_without_hic, hydra_0_1_7, hydra_0_1_6
Changes since 1.18: +6 -2 lines
File MIME type: text/plain 
* Some changes to support the new PHP REQUEST_STATUS environment
  variable.
* Some fixes for gnutls.
1 /*
2 * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
3 *
4 * This file is part of Hydra webserver.
5 *
6 * Hydra is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Hydra is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19 */
20
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include "boa.h"
25
26 #ifdef ENABLE_SSL
27
28 #include "ssl.h"
29
30 #include <gnutls/gnutls.h>
31 #include <gnutls/x509.h>
32 #include <gcrypt.h>
33 GCRY_THREAD_OPTION_PTHREAD_IMPL;
34
35 #ifdef ENABLE_SMP
36 pthread_mutex_t ssl_session_cache_lock = PTHREAD_MUTEX_INITIALIZER;
37 #endif
38
39 extern int ssl_session_cache;
40 extern int ssl_session_timeout;
41
42 extern char* ssl_ciphers;
43 extern char* ssl_kx;
44 extern char* ssl_mac;
45 extern char* ssl_comp;
46 extern char* ssl_protocol;
47 extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
48 * if sent, 2 require certificate and validate.
49 * 3 is request one, and try to verify it. Does not fail in
50 * any case.
51 */
52
53 static void wrap_db_init(void);
54 static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data);
55 static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key);
56 static int wrap_db_delete(void *dbf, gnutls_datum key);
57
58 static int cur = 0; /* points to the credentials structure used */
59 static gnutls_certificate_credentials credentials[2] = { NULL, NULL };
60
61 static int need_dh_params = 0; /* whether we need to generate DHE
62 * parameters. Depend on the chosen ciphersuites.
63 */
64 static int need_rsa_params = 0;
65
66
67 /* we use primes up to 1024 in this server.
68 * otherwise we should add them here.
69 */
70 extern int ssl_dh_bits;
71
72 gnutls_dh_params _dh_params[2];
73 gnutls_rsa_params _rsa_params[2];
74
75 static int generate_dh_primes( gnutls_dh_params* dh_params)
76 {
77 if (gnutls_dh_params_init( dh_params) < 0) {
78 log_error_time();
79 fprintf(stderr, "tls: Error in dh parameter initialization\n");
80 exit(1);
81 }
82
83 /* Generate Diffie Hellman parameters - for use with DHE
84 * kx algorithms. These should be discarded and regenerated
85 * once a day, once a week or once a month. Depends on the
86 * security requirements.
87 */
88
89 if (gnutls_dh_params_generate2( *dh_params, ssl_dh_bits) < 0) {
90 log_error_time();
91 fprintf(stderr, "tls: Error in prime generation\n");
92 exit(1);
93 }
94
95 log_error_time();
96 fprintf
97 (stderr,
98 "tls: Generated Diffie Hellman parameters [%d bits].\n",
99 ssl_dh_bits);
100
101 return 0;
102 }
103
104 static int generate_rsa_params( gnutls_rsa_params* rsa_params)
105 {
106 if (gnutls_rsa_params_init( rsa_params) < 0) {
107 log_error_time();
108 fprintf(stderr, "tls: Error in rsa parameter initialization\n");
109 exit(1);
110 }
111
112 /* Generate RSA parameters - for use with RSA-export
113 * cipher suites. These should be discarded and regenerated
114 * once a day, once every 500 transactions etc. Depends on the
115 * security requirements.
116 */
117
118 if (gnutls_rsa_params_generate2( *rsa_params, 512) < 0) {
119 log_error_time();
120 fprintf(stderr, "tls: Error in rsa parameter generation\n");
121 exit(1);
122 }
123
124 log_error_time();
125 fprintf
126 (stderr, "tls: Generated temporary RSA parameters.\n");
127
128 return 0;
129 }
130
131 static int protocol_priority[16];
132 static int kx_priority[16];
133 static int cipher_priority[16];
134 static int mac_priority[16];
135 static int comp_priority[16];
136
137 /* Parses a string in the form:
138 * CIPHER1, CIPHER2, ... and tries to find the given algorithm.
139 * This is inefficient. Returns true or false.
140 */
141 static int parse_cs_string( const char* string, const char* algo)
142 {
143 char *broken_list[MAX_COMMA_SEP_ELEMENTS];
144 int broken_list_size, i;
145 char list[64];
146
147 if (string == NULL || algo == NULL) return 0;
148
149 if (strlen( string) > sizeof(list)-1) return 0;
150
151 strcpy( list, string);
152
153 break_comma_list( list, broken_list, &broken_list_size);
154
155 for (i=0;i<broken_list_size;i++) {
156 if (strcmp( broken_list[i], algo) == 0) {
157 return 1;
158 }
159 }
160
161 return 0;
162
163 }
164
165 /* Initializes a single SSL/TLS session. That is set the algorithm,
166 * the db backend, whether to request certificates etc.
167 */
168 gnutls_session initialize_ssl_session(void)
169 {
170 gnutls_session state;
171
172 gnutls_init(&state, GNUTLS_SERVER);
173
174 gnutls_cipher_set_priority(state, cipher_priority);
175 gnutls_compression_set_priority(state, comp_priority);
176 gnutls_kx_set_priority(state, kx_priority);
177 gnutls_protocol_set_priority(state, protocol_priority);
178 gnutls_mac_set_priority(state, mac_priority);
179
180 gnutls_credentials_set(state, GNUTLS_CRD_CERTIFICATE, credentials[ cur]);
181
182 gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
183
184 if (ssl_session_cache != 0) {
185 gnutls_db_set_retrieve_function(state, wrap_db_fetch);
186 gnutls_db_set_remove_function(state, wrap_db_delete);
187 gnutls_db_set_store_function(state, wrap_db_store);
188 gnutls_db_set_ptr(state, NULL);
189 }
190 gnutls_db_set_cache_expiration( state, ssl_session_timeout);
191
192 /* gnutls_handshake_set_private_extensions( state, 1); */
193
194 if (ssl_verify == 1 || ssl_verify == 3) {
195 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
196 } else if (ssl_verify == 2) {
197 gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
198 } else { /* default */
199 gnutls_certificate_server_set_request(state, GNUTLS_CERT_IGNORE);
200 }
201
202
203 return state;
204 }
205
206 extern char *ca_cert;
207 extern char *server_cert;
208 extern char *server_key;
209
210 /* Initialization of gnutls' global state
211 */
212 int initialize_ssl(void)
213 {
214 int i;
215
216 log_error_time();
217 fprintf(stderr, "tls: Initializing GnuTLS/%s.\n", gnutls_check_version(NULL));
218 gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
219 gnutls_global_init();
220
221 if (gnutls_certificate_allocate_credentials( &credentials[0]) < 0) {
222 log_error_time();
223 fprintf(stderr, "tls: certificate allocation error\n");
224 exit(1);
225 }
226
227 if (gnutls_certificate_set_x509_key_file
228 ( credentials[0], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
229 log_error_time();
230 fprintf(stderr, "tls: could not find '%s' or '%s'.\n", server_cert,
231 server_key);
232 exit(1);
233 }
234
235 if (ca_cert != NULL && gnutls_certificate_set_x509_trust_file
236 ( credentials[0], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
237 log_error_time();
238 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
239 exit(1);
240 }
241
242 if (ssl_session_cache != 0)
243 wrap_db_init();
244
245 /* Add ciphers
246 */
247 i = 0;
248 if ( parse_cs_string( ssl_ciphers, "AES") != 0)
249 cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
250 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
251 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
252 if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
253 cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
254 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
255 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
256 cipher_priority[i] = 0;
257
258 /* Add key exchange methods
259 */
260 i = 0;
261 if ( parse_cs_string( ssl_kx, "RSA") != 0)
262 kx_priority[i++] = GNUTLS_KX_RSA;
263 if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
264 kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
265 need_rsa_params = 1;
266 }
267 if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
268 kx_priority[i++] = GNUTLS_KX_DHE_RSA;
269 need_dh_params = 1; /* generate DH parameters */
270 }
271 if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
272 kx_priority[i++] = GNUTLS_KX_DHE_DSS;
273 need_dh_params = 1;
274 }
275 kx_priority[i] = 0;
276
277 /* Add MAC Algorithms
278 */
279 i = 0;
280 if ( parse_cs_string( ssl_mac, "MD5") != 0)
281 mac_priority[i++] = GNUTLS_MAC_MD5;
282 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
283 mac_priority[i++] = GNUTLS_MAC_SHA;
284 if ( parse_cs_string( ssl_mac, "RMD160") != 0)
285 mac_priority[i++] = GNUTLS_MAC_RMD160;
286 mac_priority[i] = 0;
287
288 /* Add Compression algorithms
289 */
290 i = 0;
291 if ( parse_cs_string( ssl_comp, "NULL") != 0)
292 comp_priority[i++] = GNUTLS_COMP_NULL;
293 if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
294 comp_priority[i++] = GNUTLS_COMP_ZLIB;
295 if ( parse_cs_string( ssl_comp, "LZO") != 0)
296 comp_priority[i++] = GNUTLS_COMP_LZO;
297 comp_priority[i] = 0;
298
299 /* Add protocols
300 */
301 i = 0;
302 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
303 protocol_priority[i++] = GNUTLS_TLS1;
304 if ( parse_cs_string( ssl_protocol, "TLS1.1") != 0)
305 protocol_priority[i++] = GNUTLS_TLS1_1;
306 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
307 protocol_priority[i++] = GNUTLS_SSL3;
308 protocol_priority[i] = 0;
309
310 /* Generate temporary parameters -- if needed.
311 */
312 if (need_rsa_params) {
313 generate_rsa_params( &_rsa_params[0]);
314 gnutls_certificate_set_rsa_export_params(credentials[0], _rsa_params[0]);
315 }
316
317 if (need_dh_params) {
318 generate_dh_primes( &_dh_params[0]);
319 gnutls_certificate_set_dh_params(credentials[0], _dh_params[0]);
320 }
321
322 return 0;
323 }
324
325 /* This function will regenerate the SSL parameters (RSA and DH) without
326 * any need for downtime.
327 */
328
329 void ssl_regenerate_params(void)
330 {
331 static int already_here; /* static so the default value == 0 */
332 int _cur = (cur + 1) % 2;
333
334 /* There is a rare situation where we have been here, because of
335 * a SIGHUP signal, and the process receives a SIGALRM as well.
336 * We try to avoid messing everything up.
337 */
338 if (already_here != 0) return;
339 already_here = 1;
340
341 /* The hint here, is that we keep a copy of 2 certificate credentials.
342 * When we come here, we free the unused copy and allocate new
343 * parameters to it. Then we make the current copy to be this copy.
344 *
345 * We don't free the previous copy because we don't know if anyone
346 * is using it. (this has to be fixed)
347 */
348
349 time(&current_time);
350
351 if ( !credentials[_cur]) {
352 if (gnutls_certificate_allocate_credentials( &credentials[ _cur]) < 0) {
353 log_error_time();
354 fprintf(stderr, "tls: certificate allocation error\n");
355 exit(1);
356 }
357
358 if (gnutls_certificate_set_x509_key_file
359 ( credentials[_cur], server_cert, server_key, GNUTLS_X509_FMT_PEM) < 0) {
360 log_error_time();
361 fprintf(stderr, "tls: could not find '%s' or '%s'.", server_cert,
362 server_key);
363 exit(1);
364 }
365
366 if (ca_cert!=NULL && gnutls_certificate_set_x509_trust_file
367 ( credentials[_cur], ca_cert, GNUTLS_X509_FMT_PEM) < 0) {
368 log_error_time();
369 fprintf(stderr, "tls: could not find '%s'.\n", ca_cert);
370 exit(1);
371 }
372 }
373
374 if (need_rsa_params) {
375 gnutls_rsa_params_deinit( _rsa_params[ _cur]);
376 generate_rsa_params( &_rsa_params[ _cur]);
377 gnutls_certificate_set_rsa_export_params(credentials[_cur], _rsa_params[ _cur]);
378 }
379
380 if (need_dh_params) {
381 gnutls_dh_params_deinit( _dh_params[ _cur]);
382 generate_dh_primes( &_dh_params[ _cur]);
383 gnutls_certificate_set_dh_params(credentials[_cur], _dh_params[ _cur]);
384 }
385
386 cur = _cur;
387
388 already_here = 0;
389 return;
390 }
391
392
393 /* Session resuming:
394 */
395
396 #define SESSION_ID_SIZE 32
397 #define SESSION_DATA_SIZE 1024
398
399 typedef struct {
400 char session_id[SESSION_ID_SIZE];
401 int session_id_size;
402
403 char session_data[SESSION_DATA_SIZE];
404 int session_data_size;
405 } CACHE;
406
407 static CACHE *cache_db;
408 static int cache_db_ptr;
409
410 static void wrap_db_init(void)
411 {
412
413 /* allocate cache_db */
414 cache_db = calloc(1, ssl_session_cache * sizeof(CACHE));
415 }
416
417 static int wrap_db_store(void *dbf, gnutls_datum key, gnutls_datum data)
418 {
419
420 if (cache_db == NULL)
421 return -1;
422
423 if (key.size > SESSION_ID_SIZE)
424 return -1;
425 if (data.size > SESSION_DATA_SIZE)
426 return -1;
427
428 #ifdef ENABLE_SMP
429 pthread_mutex_lock( &ssl_session_cache_lock);
430 #endif
431
432 memcpy(cache_db[cache_db_ptr].session_id, key.data, key.size);
433 cache_db[cache_db_ptr].session_id_size = key.size;
434
435 memcpy(cache_db[cache_db_ptr].session_data, data.data, data.size);
436 cache_db[cache_db_ptr].session_data_size = data.size;
437
438 cache_db_ptr++;
439 cache_db_ptr %= ssl_session_cache;
440
441 #ifdef ENABLE_SMP
442 pthread_mutex_unlock( &ssl_session_cache_lock);
443 #endif
444
445 return 0;
446 }
447
448 static gnutls_datum wrap_db_fetch(void *dbf, gnutls_datum key)
449 {
450 gnutls_datum res = { NULL, 0 };
451 int i;
452
453 if (cache_db == NULL)
454 return res;
455
456 #ifdef ENABLE_SMP
457 pthread_mutex_lock( &ssl_session_cache_lock);
458 #endif
459
460 for (i = 0; i < ssl_session_cache; i++) {
461 if (key.size == cache_db[i].session_id_size &&
462 memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
463
464 res.size = cache_db[i].session_data_size;
465
466 res.data = malloc(res.size);
467 if (res.data == NULL) {
468 #ifdef ENABLE_SMP
469 pthread_mutex_unlock( &ssl_session_cache_lock);
470 #endif
471 return res;
472 }
473
474 memcpy(res.data, cache_db[i].session_data, res.size);
475
476 #ifdef ENABLE_SMP
477 pthread_mutex_unlock( &ssl_session_cache_lock);
478 #endif
479 return res;
480 }
481 }
482
483 #ifdef ENABLE_SMP
484 pthread_mutex_unlock( &ssl_session_cache_lock);
485 #endif
486
487 return res;
488 }
489
490 static int wrap_db_delete(void *dbf, gnutls_datum key)
491 {
492 int i;
493
494 if (cache_db == NULL)
495 return -1;
496
497 #ifdef ENABLE_SMP
498 pthread_mutex_lock( &ssl_session_cache_lock);
499 #endif
500
501 for (i = 0; i < ssl_session_cache; i++) {
502 if (key.size == cache_db[i].session_id_size &&
503 memcmp(key.data, cache_db[i].session_id, key.size) == 0) {
504
505 cache_db[i].session_id_size = 0;
506 cache_db[i].session_data_size = 0;
507
508 #ifdef ENABLE_SMP
509 pthread_mutex_unlock( &ssl_session_cache_lock);
510 #endif
511
512 return 0;
513 }
514 }
515
516 #ifdef ENABLE_SMP
517 pthread_mutex_unlock( &ssl_session_cache_lock);
518 #endif
519 return -1;
520
521 }
522
523 void check_ssl_alert( request* req, int ret)
524 {
525 int last_alert;
526
527 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
528 {
529 last_alert = gnutls_alert_get(req->ssl_state);
530 log_error_doc(req);
531 fprintf(stderr, "tls: Received alert %d '%s'.\n", last_alert, gnutls_alert_get_name(last_alert));
532 }
533 }
534
535 int finish_handshake(request * current)
536 {
537 int retval;
538
539 retval = gnutls_handshake(current->ssl_state);
540
541 if (retval == GNUTLS_E_AGAIN)
542 retval = -1;
543 else if (retval == GNUTLS_E_INTERRUPTED)
544 retval = 1;
545 else if (retval < 0) {
546 if (gnutls_error_is_fatal(retval) != 0) {
547 log_error_doc(current);
548 fprintf(stderr, "tls: Handshake error '%s'.\n", gnutls_strerror(retval));
549 check_ssl_alert( current, retval);
550
551 /* we ignore the level of the alert, since we always
552 * send fatal alerts.
553 */
554 current->alert_to_send = gnutls_error_to_alert( retval, NULL);
555 if (current->alert_to_send == GNUTLS_E_INVALID_REQUEST)
556 current->alert_to_send = GNUTLS_A_HANDSHAKE_FAILURE;
557
558 current->status = SEND_ALERT;
559 retval = 1;
560 } else {
561 check_ssl_alert( current, retval);
562 retval = 1;
563 }
564 } else if (retval == 0) {
565
566 if (ssl_verify >= 1) {
567 size_t size;
568 int verify, ret, valid;
569 char name[128];
570 const gnutls_datum *cert_list;
571 int cert_list_size;
572 gnutls_x509_crt crt = NULL;
573
574 ret = gnutls_x509_crt_init( &crt);
575 if (ret < 0) {
576 log_error_time();
577 fprintf( stderr, "tls: Error in crt_init(): %s\n", gnutls_strerror(ret));
578 current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
579 current->status = SEND_ALERT;
580 return 1;
581 }
582
583 cert_list =
584 gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
585
586 if (cert_list) {
587 ret = gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER);
588 if (ret < 0) {
589 log_error_time();
590 fprintf( stderr, "tls: Could not import X.509 certificate: %s\n", gnutls_strerror(ret));
591 current->alert_to_send = GNUTLS_A_INTERNAL_ERROR;
592 current->status = SEND_ALERT;
593 return 1;
594 }
595
596 size = sizeof(name);
597 if (gnutls_x509_crt_get_dn(crt, name, &size) < 0)
598 strcpy(name, "Unknown");
599 }
600
601
602 verify = gnutls_certificate_verify_peers( current->ssl_state);
603 current->certificate_verified = "NONE";
604
605 if (cert_list == NULL) {
606 log_error_time();
607 fprintf( stderr, "tls: Peer did not send a certificate.\n");
608 if (ssl_verify == 2) {
609 current->alert_to_send = GNUTLS_A_ACCESS_DENIED;
610 current->status = SEND_ALERT;
611 return 1;
612 }
613 } else { /* cert_list */
614 log_error_time();
615 valid = 0;
616 fprintf( stderr, "tls: X.509 Certificate by '%s' is ", name);
617
618 if (gnutls_x509_crt_get_expiration_time( crt) < current_time) {
619 fprintf(stderr, "Expired");
620 valid = 1;
621 }
622
623 if (gnutls_x509_crt_get_activation_time( crt) > current_time) {
624 if (!valid) fprintf(stderr, "Not yet activated");
625 valid = 1;
626 }
627
628 if (valid || verify & GNUTLS_CERT_INVALID || verify & GNUTLS_CERT_REVOKED)
629 {
630 current->certificate_verified = "FAILED";
631 fprintf( stderr, ", NOT trusted");
632 if (verify & GNUTLS_CERT_REVOKED)
633 fprintf( stderr, ", Revoked");
634 if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
635 fprintf( stderr, ", Issuer not known");
636 if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
637 fprintf( stderr, ", Issuer is not a CA");
638 fprintf( stderr, ".\n");
639
640 if (ssl_verify == 2 || ssl_verify == 1) {
641 current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
642 current->status = SEND_ALERT;
643 gnutls_x509_crt_deinit(crt);
644 return 1;
645 }
646 } else {
647 current->certificate_verified = "SUCCESS";
648 fprintf( stderr, "trusted.\n");
649 }
650 }
651
652 gnutls_x509_crt_deinit(crt);
653 }
654 retval = 1;
655 current->status = READ_HEADER;
656 }
657
658 return retval;
659 }
660
661 int send_alert(request * current)
662 {
663 int retval;
664
665 retval = gnutls_alert_send( current->ssl_state,
666 GNUTLS_AL_FATAL, current->alert_to_send);
667
668 if (retval == GNUTLS_E_AGAIN)
669 retval = -1;
670 else if (retval == GNUTLS_E_INTERRUPTED)
671 retval = 1;
672 else if (retval <= 0) {
673 retval = 0;
674 current->status = DEAD;
675 }
676
677 return retval;
678 }
679
680 /* This will parse the ciphers given and set the new ciphers.
681 * If required it will regenerate RSA and DHE parameters.
682 */
683 void ssl_reinit()
684 {
685 int i;
686
687 need_dh_params = 0;
688 need_rsa_params = 0;
689
690 /* Add ciphers
691 */
692 i = 0;
693 if ( parse_cs_string( ssl_ciphers, "AES") != 0)
694 cipher_priority[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
695 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-128") != 0)
696 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_128;
697 if ( parse_cs_string( ssl_ciphers, "3DES") != 0)
698 cipher_priority[i++] = GNUTLS_CIPHER_3DES_CBC;
699 if ( parse_cs_string( ssl_ciphers, "ARCFOUR-40") != 0)
700 cipher_priority[i++] = GNUTLS_CIPHER_ARCFOUR_40;
701 cipher_priority[i] = 0;
702
703 /* Add key exchange methods
704 */
705 i = 0;
706 if ( parse_cs_string( ssl_kx, "RSA") != 0)
707 kx_priority[i++] = GNUTLS_KX_RSA;
708 if ( parse_cs_string( ssl_kx, "RSA-EXPORT") != 0) {
709 kx_priority[i++] = GNUTLS_KX_RSA_EXPORT;
710 need_rsa_params = 1;
711 }
712 if ( parse_cs_string( ssl_kx, "DHE-RSA") != 0) {
713 kx_priority[i++] = GNUTLS_KX_DHE_RSA;
714 need_dh_params = 1; /* generate DH parameters */
715 }
716 if ( parse_cs_string( ssl_kx, "DHE-DSS") != 0) {
717 kx_priority[i++] = GNUTLS_KX_DHE_DSS;
718 need_dh_params = 1;
719 }
720 kx_priority[i] = 0;
721
722 /* Add MAC Algorithms
723 */
724 i = 0;
725 if ( parse_cs_string( ssl_mac, "MD5") != 0)
726 mac_priority[i++] = GNUTLS_MAC_MD5;
727 if ( parse_cs_string( ssl_mac, "SHA1") != 0)
728 mac_priority[i++] = GNUTLS_MAC_SHA;
729 mac_priority[i] = 0;
730
731 /* Add Compression algorithms
732 */
733 i = 0;
734 if ( parse_cs_string( ssl_comp, "NULL") != 0)
735 comp_priority[i++] = GNUTLS_COMP_NULL;
736 if ( parse_cs_string( ssl_comp, "ZLIB") != 0)
737 comp_priority[i++] = GNUTLS_COMP_ZLIB;
738 if ( parse_cs_string( ssl_comp, "LZO") != 0)
739 comp_priority[i++] = GNUTLS_COMP_LZO;
740 comp_priority[i] = 0;
741
742 /* Add protocols
743 */
744 i = 0;
745 if ( parse_cs_string( ssl_protocol, "TLS1.0") != 0)
746 protocol_priority[i++] = GNUTLS_TLS1;
747 if ( parse_cs_string( ssl_protocol, "SSL3.0") != 0)
748 protocol_priority[i++] = GNUTLS_SSL3;
749 protocol_priority[i] = 0;
750
751
752 /* Generate temporary parameters -- if needed.
753 */
754 ssl_regenerate_params();
755
756 return;
757 }
758
759 #else /* a stub for initialize_ssl */
760
761 int initialize_ssl(void)
762 {
763 log_error_time();
764 fprintf(stderr, "tls: SSL is not available in this build. Disable SSL in Hydra's configuration file.\n");
765 exit(1);
766 }
767
768 void ssl_reinit() {
769 return;
770 }
771
772 #endif
webmaster@linux.gr
 ViewVC Help
Powered by ViewVC 1.1.26