diff options
-rw-r--r-- | src/daemon/connection.c | 65 | ||||
-rw-r--r-- | src/daemon/daemon.c | 12 | ||||
-rw-r--r-- | src/daemon/https/https_common.c | 175 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_db.c | 2 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_int.h | 1 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_record.c | 6 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_session.h | 23 | ||||
-rw-r--r-- | src/examples/https_server_example.c | 157 |
8 files changed, 62 insertions, 379 deletions
diff --git a/src/daemon/connection.c b/src/daemon/connection.c index 1041604f..1cfd4029 100644 --- a/src/daemon/connection.c +++ b/src/daemon/connection.c | |||
@@ -1531,8 +1531,8 @@ MHDS_connection_handle_read (struct MHD_Connection *connection) | |||
1531 | return MHD_NO; | 1531 | return MHD_NO; |
1532 | 1532 | ||
1533 | /* discover content type */ | 1533 | /* discover content type */ |
1534 | unsigned char msg_type[7]; | 1534 | unsigned char msg_type; |
1535 | if (recv (connection->socket_fd, msg_type, 1, MSG_PEEK) == -1) | 1535 | if (recv (connection->socket_fd, &msg_type, 1, MSG_PEEK) == -1) |
1536 | { | 1536 | { |
1537 | #if HAVE_MESSAGES | 1537 | #if HAVE_MESSAGES |
1538 | MHD_DLOG (connection->daemon, "Failed to peek into TLS content type\n"); | 1538 | MHD_DLOG (connection->daemon, "Failed to peek into TLS content type\n"); |
@@ -1540,39 +1540,68 @@ MHDS_connection_handle_read (struct MHD_Connection *connection) | |||
1540 | return MHD_NO; | 1540 | return MHD_NO; |
1541 | } | 1541 | } |
1542 | 1542 | ||
1543 | switch (msg_type[0]) | 1543 | switch (msg_type) |
1544 | { | 1544 | { |
1545 | case GNUTLS_CHANGE_CIPHER_SPEC: | 1545 | case GNUTLS_CHANGE_CIPHER_SPEC: |
1546 | 1546 | ||
1547 | break; | 1547 | break; |
1548 | case GNUTLS_ALERT: | 1548 | case GNUTLS_ALERT: |
1549 | /* find out if alert is fatal */ | 1549 | /* |
1550 | if (recv (connection->socket_fd, msg_type, 7, MSG_PEEK) == -1) | 1550 | * this call of _gnutls_recv_int expects 0 bytes read. |
1551 | * done to decrypt alert message | ||
1552 | */ | ||
1553 | _gnutls_recv_int (connection->tls_session, GNUTLS_ALERT, | ||
1554 | GNUTLS_HANDSHAKE_FINISHED, 0); | ||
1555 | |||
1556 | /* CLOSE_NOTIFY */ | ||
1557 | if (connection->tls_session->internals.last_alert == | ||
1558 | GNUTLS_A_CLOSE_NOTIFY) | ||
1559 | { | ||
1560 | gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR); | ||
1561 | connection->tls_session->internals.read_eof = 1; | ||
1562 | connection->socket_fd = -1; | ||
1563 | gnutls_deinit (connection->tls_session); | ||
1564 | return MHD_YES; | ||
1565 | } | ||
1566 | /* non FATAL or WARNING */ | ||
1567 | else if (connection->tls_session->internals.last_alert != | ||
1568 | GNUTLS_AL_FATAL) | ||
1551 | { | 1569 | { |
1552 | #if HAVE_MESSAGES | 1570 | #if HAVE_MESSAGES |
1553 | MHD_DLOG (connection->daemon, | 1571 | MHD_DLOG (connection->daemon, |
1554 | "Failed to peek into TLS alert level\n"); | 1572 | "Received TLS alert: %s\n", |
1573 | gnutls_alert_get_name ((int) connection->tls_session-> | ||
1574 | internals.last_alert)); | ||
1555 | #endif | 1575 | #endif |
1556 | return MHD_NO; | 1576 | return MHD_YES; |
1557 | } | 1577 | } |
1578 | /* FATAL */ | ||
1579 | else if (connection->tls_session->internals.last_alert == | ||
1580 | GNUTLS_AL_FATAL) | ||
1581 | { | ||
1582 | connection->tls_session->internals.resumable = RESUME_FALSE; | ||
1583 | connection->tls_session->internals.valid_connection = VALID_FALSE; | ||
1584 | connection->socket_fd = -1; | ||
1585 | gnutls_deinit (connection->tls_session); | ||
1558 | 1586 | ||
1559 | if (msg_type[5] == GNUTLS_AL_FATAL) | 1587 | return MHD_NO; |
1588 | } | ||
1589 | /* this should never execut */ | ||
1590 | else | ||
1560 | { | 1591 | { |
1561 | #if HAVE_MESSAGES | 1592 | #if HAVE_MESSAGES |
1562 | MHD_DLOG (connection->daemon, "Received TLS alert: %s\n", | 1593 | MHD_DLOG (connection->daemon, |
1563 | gnutls_alert_get_name ((int) msg_type[6])); | 1594 | "Received unrecognized alert: %s\n", |
1595 | connection->tls_session->internals.last_alert); | ||
1564 | #endif | 1596 | #endif |
1565 | gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR); | ||
1566 | connection->socket_fd = -1; | ||
1567 | gnutls_deinit (connection->tls_session); | ||
1568 | return MHD_NO; | 1597 | return MHD_NO; |
1569 | } | 1598 | } |
1570 | 1599 | ||
1600 | |||
1571 | /* forward application level content to MHD */ | 1601 | /* forward application level content to MHD */ |
1572 | case GNUTLS_APPLICATION_DATA: | 1602 | case GNUTLS_APPLICATION_DATA: |
1573 | return MHD_connection_handle_read (connection); | 1603 | return MHD_connection_handle_read (connection); |
1574 | 1604 | // TODO impl | |
1575 | // TODO impl | ||
1576 | case GNUTLS_HANDSHAKE: | 1605 | case GNUTLS_HANDSHAKE: |
1577 | break; | 1606 | break; |
1578 | case GNUTLS_INNER_APPLICATION: | 1607 | case GNUTLS_INNER_APPLICATION: |
@@ -1621,7 +1650,6 @@ MHD_connection_handle_write (struct MHD_Connection *connection) | |||
1621 | { | 1650 | { |
1622 | struct MHD_Response *response; | 1651 | struct MHD_Response *response; |
1623 | int ret; | 1652 | int ret; |
1624 | |||
1625 | connection->last_activity = time (NULL); | 1653 | connection->last_activity = time (NULL); |
1626 | while (1) | 1654 | while (1) |
1627 | { | 1655 | { |
@@ -1775,7 +1803,6 @@ int | |||
1775 | MHDS_connection_handle_write (struct MHD_Connection *connection) | 1803 | MHDS_connection_handle_write (struct MHD_Connection *connection) |
1776 | { | 1804 | { |
1777 | connection->last_activity = time (NULL); | 1805 | connection->last_activity = time (NULL); |
1778 | |||
1779 | while (1) | 1806 | while (1) |
1780 | { | 1807 | { |
1781 | #if HAVE_MESSAGES | 1808 | #if HAVE_MESSAGES |
@@ -1796,7 +1823,7 @@ MHDS_connection_handle_write (struct MHD_Connection *connection) | |||
1796 | connection->s_state = MHDS_REPLY_SENDING; | 1823 | connection->s_state = MHDS_REPLY_SENDING; |
1797 | do_write (connection); | 1824 | do_write (connection); |
1798 | break; | 1825 | break; |
1799 | 1826 | ||
1800 | case MHDS_CONNECTION_CLOSED: | 1827 | case MHDS_CONNECTION_CLOSED: |
1801 | if (connection->socket_fd != -1) | 1828 | if (connection->socket_fd != -1) |
1802 | connection_close_error (connection); | 1829 | connection_close_error (connection); |
@@ -1832,7 +1859,6 @@ MHD_connection_handle_idle (struct MHD_Connection *connection) | |||
1832 | unsigned int timeout; | 1859 | unsigned int timeout; |
1833 | const char *end; | 1860 | const char *end; |
1834 | char *line; | 1861 | char *line; |
1835 | |||
1836 | while (1) | 1862 | while (1) |
1837 | { | 1863 | { |
1838 | #if DEBUG_STATES | 1864 | #if DEBUG_STATES |
@@ -2154,7 +2180,6 @@ MHDS_connection_handle_idle (struct MHD_Connection *connection) | |||
2154 | const char *end; | 2180 | const char *end; |
2155 | char *line; | 2181 | char *line; |
2156 | ssize_t msgLength; | 2182 | ssize_t msgLength; |
2157 | |||
2158 | while (1) | 2183 | while (1) |
2159 | { | 2184 | { |
2160 | #if HAVE_MESSAGES | 2185 | #if HAVE_MESSAGES |
diff --git a/src/daemon/daemon.c b/src/daemon/daemon.c index e17776cc..2831bd00 100644 --- a/src/daemon/daemon.c +++ b/src/daemon/daemon.c | |||
@@ -237,16 +237,14 @@ MHDS_handle_connection (void *data) | |||
237 | /* set connection as closed */ | 237 | /* set connection as closed */ |
238 | fprintf (stderr, "*** Handshake has failed (%s)\n\n", | 238 | fprintf (stderr, "*** Handshake has failed (%s)\n\n", |
239 | gnutls_strerror (ret)); | 239 | gnutls_strerror (ret)); |
240 | gnutls_deinit (tls_session); | ||
241 | con->s_state = MHDS_HANDSHAKE_FAILED; | 240 | con->s_state = MHDS_HANDSHAKE_FAILED; |
241 | gnutls_bye (con->tls_session, GNUTLS_SHUT_WR); | ||
242 | gnutls_deinit (tls_session); | ||
242 | con->socket_fd = 1; | 243 | con->socket_fd = 1; |
243 | return MHD_NO; | 244 | return MHD_NO; |
244 | 245 | ||
245 | } | 246 | } |
246 | 247 | ||
247 | // printf ("TLS Handshake completed\n"); | ||
248 | |||
249 | |||
250 | MHD_handle_connection (data); | 248 | MHD_handle_connection (data); |
251 | } | 249 | } |
252 | #endif | 250 | #endif |
@@ -958,7 +956,9 @@ MHDS_init (struct MHD_Daemon *daemon) | |||
958 | gnutls_dh_params_init (&daemon->dh_params); | 956 | gnutls_dh_params_init (&daemon->dh_params); |
959 | gnutls_dh_params_generate2 (daemon->dh_params, DH_BITS); | 957 | gnutls_dh_params_generate2 (daemon->dh_params, DH_BITS); |
960 | 958 | ||
961 | gnutls_priority_init (&daemon->priority_cache, "NORMAL", NULL); | 959 | gnutls_priority_init (&daemon->priority_cache, |
960 | "NONE:+AES-256-CBC:+RSA:+SHA1:+COMP-NULL", | ||
961 | NULL); | ||
962 | 962 | ||
963 | /* setup server certificate */ | 963 | /* setup server certificate */ |
964 | gnutls_certificate_allocate_credentials (&daemon->x509_cret); | 964 | gnutls_certificate_allocate_credentials (&daemon->x509_cret); |
diff --git a/src/daemon/https/https_common.c b/src/daemon/https/https_common.c index 748bc5bc..b22e19af 100644 --- a/src/daemon/https/https_common.c +++ b/src/daemon/https/https_common.c | |||
@@ -246,7 +246,6 @@ print_x509_info (gnutls_session_t session, const char *hostname) | |||
246 | } | 246 | } |
247 | 247 | ||
248 | #ifdef ENABLE_OPENPGP | 248 | #ifdef ENABLE_OPENPGP |
249 | |||
250 | void | 249 | void |
251 | print_openpgp_info (gnutls_session_t session, const char *hostname) | 250 | print_openpgp_info (gnutls_session_t session, const char *hostname) |
252 | { | 251 | { |
@@ -356,7 +355,6 @@ print_openpgp_info (gnutls_session_t session, const char *hostname) | |||
356 | 355 | ||
357 | } | 356 | } |
358 | } | 357 | } |
359 | |||
360 | #endif | 358 | #endif |
361 | 359 | ||
362 | void | 360 | void |
@@ -662,179 +660,6 @@ print_license (void) | |||
662 | stdout); | 660 | stdout); |
663 | } | 661 | } |
664 | 662 | ||
665 | static int depr_printed = 0; | ||
666 | #define DEPRECATED if (depr_printed==0) { \ | ||
667 | fprintf(stderr, "This method of specifying algorithms is deprecated. Please use the --priority option.\n"); \ | ||
668 | depr_printed = 1; \ | ||
669 | } | ||
670 | |||
671 | void | ||
672 | parse_protocols (char **protocols, int protocols_size, int *protocol_priority) | ||
673 | { | ||
674 | int i, j; | ||
675 | |||
676 | if (protocols != NULL && protocols_size > 0) | ||
677 | { | ||
678 | DEPRECATED; | ||
679 | |||
680 | for (j = i = 0; i < protocols_size; i++) | ||
681 | { | ||
682 | if (strncasecmp (protocols[i], "SSL", 3) == 0) | ||
683 | protocol_priority[j++] = GNUTLS_SSL3; | ||
684 | else if (strncasecmp (protocols[i], "TLS1.1", 6) == 0) | ||
685 | protocol_priority[j++] = GNUTLS_TLS1_1; | ||
686 | else if (strncasecmp (protocols[i], "TLS1.2", 6) == 0) | ||
687 | protocol_priority[j++] = GNUTLS_TLS1_2; | ||
688 | else if (strncasecmp (protocols[i], "TLS", 3) == 0) | ||
689 | protocol_priority[j++] = GNUTLS_TLS1_0; | ||
690 | else | ||
691 | fprintf (stderr, "Unknown protocol: '%s'\n", protocols[i]); | ||
692 | } | ||
693 | protocol_priority[j] = 0; | ||
694 | } | ||
695 | } | ||
696 | |||
697 | void | ||
698 | parse_ciphers (char **ciphers, int nciphers, int *cipher_priority) | ||
699 | { | ||
700 | int j, i; | ||
701 | |||
702 | if (ciphers != NULL && nciphers > 0) | ||
703 | { | ||
704 | DEPRECATED; | ||
705 | for (j = i = 0; i < nciphers; i++) | ||
706 | { | ||
707 | if (strncasecmp (ciphers[i], "AES-2", 5) == 0) | ||
708 | cipher_priority[j++] = GNUTLS_CIPHER_AES_256_CBC; | ||
709 | else if (strncasecmp (ciphers[i], "AES", 3) == 0) | ||
710 | cipher_priority[j++] = GNUTLS_CIPHER_AES_128_CBC; | ||
711 | else if (strncasecmp (ciphers[i], "3DE", 3) == 0) | ||
712 | cipher_priority[j++] = GNUTLS_CIPHER_3DES_CBC; | ||
713 | else if (strcasecmp (ciphers[i], "ARCFOUR-40") == 0) | ||
714 | cipher_priority[j++] = GNUTLS_CIPHER_ARCFOUR_40; | ||
715 | else if (strcasecmp (ciphers[i], "ARCFOUR") == 0) | ||
716 | cipher_priority[j++] = GNUTLS_CIPHER_ARCFOUR_128; | ||
717 | #ifdef ENABLE_CAMELLIA | ||
718 | else if (strncasecmp (ciphers[i], "CAMELLIA-2", 10) == 0) | ||
719 | cipher_priority[j++] = GNUTLS_CIPHER_CAMELLIA_256_CBC; | ||
720 | else if (strncasecmp (ciphers[i], "CAM", 3) == 0) | ||
721 | cipher_priority[j++] = GNUTLS_CIPHER_CAMELLIA_128_CBC; | ||
722 | #endif | ||
723 | else if (strncasecmp (ciphers[i], "NUL", 3) == 0) | ||
724 | cipher_priority[j++] = GNUTLS_CIPHER_NULL; | ||
725 | else | ||
726 | fprintf (stderr, "Unknown cipher: '%s'\n", ciphers[i]); | ||
727 | } | ||
728 | cipher_priority[j] = 0; | ||
729 | } | ||
730 | } | ||
731 | |||
732 | void | ||
733 | parse_macs (char **macs, int nmacs, int *mac_priority) | ||
734 | { | ||
735 | int i, j; | ||
736 | |||
737 | if (macs != NULL && nmacs > 0) | ||
738 | { | ||
739 | DEPRECATED; | ||
740 | for (j = i = 0; i < nmacs; i++) | ||
741 | { | ||
742 | if (strncasecmp (macs[i], "MD5", 3) == 0) | ||
743 | mac_priority[j++] = GNUTLS_MAC_MD5; | ||
744 | else if (strncasecmp (macs[i], "SHA256", 6) == 0) | ||
745 | mac_priority[j++] = GNUTLS_MAC_SHA256; | ||
746 | else if (strncasecmp (macs[i], "SHA", 3) == 0) | ||
747 | mac_priority[j++] = GNUTLS_MAC_SHA1; | ||
748 | else | ||
749 | fprintf (stderr, "Unknown MAC: '%s'\n", macs[i]); | ||
750 | } | ||
751 | mac_priority[j] = 0; | ||
752 | } | ||
753 | } | ||
754 | |||
755 | void | ||
756 | parse_ctypes (char **ctype, int nctype, int *cert_type_priority) | ||
757 | { | ||
758 | int i, j; | ||
759 | |||
760 | if (ctype != NULL && nctype > 0) | ||
761 | { | ||
762 | DEPRECATED; | ||
763 | for (j = i = 0; i < nctype; i++) | ||
764 | { | ||
765 | if (strncasecmp (ctype[i], "OPE", 3) == 0) | ||
766 | cert_type_priority[j++] = GNUTLS_CRT_OPENPGP; | ||
767 | else if (strncasecmp (ctype[i], "X", 1) == 0) | ||
768 | cert_type_priority[j++] = GNUTLS_CRT_X509; | ||
769 | else | ||
770 | fprintf (stderr, "Unknown certificate type: '%s'\n", ctype[i]); | ||
771 | } | ||
772 | cert_type_priority[j] = 0; | ||
773 | } | ||
774 | } | ||
775 | |||
776 | void | ||
777 | parse_kx (char **kx, int nkx, int *kx_priority) | ||
778 | { | ||
779 | int i, j; | ||
780 | |||
781 | if (kx != NULL && nkx > 0) | ||
782 | { | ||
783 | DEPRECATED; | ||
784 | for (j = i = 0; i < nkx; i++) | ||
785 | { | ||
786 | if (strcasecmp (kx[i], "SRP") == 0) | ||
787 | kx_priority[j++] = GNUTLS_KX_SRP; | ||
788 | else if (strcasecmp (kx[i], "SRP-RSA") == 0) | ||
789 | kx_priority[j++] = GNUTLS_KX_SRP_RSA; | ||
790 | else if (strcasecmp (kx[i], "SRP-DSS") == 0) | ||
791 | kx_priority[j++] = GNUTLS_KX_SRP_DSS; | ||
792 | else if (strcasecmp (kx[i], "RSA") == 0) | ||
793 | kx_priority[j++] = GNUTLS_KX_RSA; | ||
794 | else if (strcasecmp (kx[i], "PSK") == 0) | ||
795 | kx_priority[j++] = GNUTLS_KX_PSK; | ||
796 | else if (strcasecmp (kx[i], "DHE-PSK") == 0) | ||
797 | kx_priority[j++] = GNUTLS_KX_DHE_PSK; | ||
798 | else if (strcasecmp (kx[i], "RSA-EXPORT") == 0) | ||
799 | kx_priority[j++] = GNUTLS_KX_RSA_EXPORT; | ||
800 | else if (strncasecmp (kx[i], "DHE-RSA", 7) == 0) | ||
801 | kx_priority[j++] = GNUTLS_KX_DHE_RSA; | ||
802 | else if (strncasecmp (kx[i], "DHE-DSS", 7) == 0) | ||
803 | kx_priority[j++] = GNUTLS_KX_DHE_DSS; | ||
804 | else if (strncasecmp (kx[i], "ANON", 4) == 0) | ||
805 | kx_priority[j++] = GNUTLS_KX_ANON_DH; | ||
806 | else | ||
807 | fprintf (stderr, "Unknown key exchange: '%s'\n", kx[i]); | ||
808 | } | ||
809 | kx_priority[j] = 0; | ||
810 | } | ||
811 | } | ||
812 | |||
813 | void | ||
814 | parse_comp (char **comp, int ncomp, int *comp_priority) | ||
815 | { | ||
816 | int i, j; | ||
817 | |||
818 | if (comp != NULL && ncomp > 0) | ||
819 | { | ||
820 | DEPRECATED; | ||
821 | for (j = i = 0; i < ncomp; i++) | ||
822 | { | ||
823 | if (strncasecmp (comp[i], "NUL", 3) == 0) | ||
824 | comp_priority[j++] = GNUTLS_COMP_NULL; | ||
825 | else if (strncasecmp (comp[i], "ZLI", 3) == 0) | ||
826 | comp_priority[j++] = GNUTLS_COMP_DEFLATE; | ||
827 | else if (strncasecmp (comp[i], "DEF", 3) == 0) | ||
828 | comp_priority[j++] = GNUTLS_COMP_DEFLATE; | ||
829 | else if (strncasecmp (comp[i], "LZO", 3) == 0) | ||
830 | comp_priority[j++] = GNUTLS_COMP_LZO; | ||
831 | else | ||
832 | fprintf (stderr, "Unknown compression: '%s'\n", comp[i]); | ||
833 | } | ||
834 | comp_priority[j] = 0; | ||
835 | } | ||
836 | } | ||
837 | |||
838 | void | 663 | void |
839 | sockets_init (void) | 664 | sockets_init (void) |
840 | { | 665 | { |
diff --git a/src/daemon/https/tls/gnutls_db.c b/src/daemon/https/tls/gnutls_db.c index 701be2f0..806961c1 100644 --- a/src/daemon/https/tls/gnutls_db.c +++ b/src/daemon/https/tls/gnutls_db.c | |||
@@ -28,7 +28,7 @@ | |||
28 | 28 | ||
29 | #include "gnutls_int.h" | 29 | #include "gnutls_int.h" |
30 | #include "gnutls_errors.h" | 30 | #include "gnutls_errors.h" |
31 | #include "gnutls_session.h" | 31 | // #include "gnutls_session.h" |
32 | #include <gnutls_db.h> | 32 | #include <gnutls_db.h> |
33 | #include "debug.h" | 33 | #include "debug.h" |
34 | #include <gnutls_session_pack.h> | 34 | #include <gnutls_session_pack.h> |
diff --git a/src/daemon/https/tls/gnutls_int.h b/src/daemon/https/tls/gnutls_int.h index 9c54262e..5161c966 100644 --- a/src/daemon/https/tls/gnutls_int.h +++ b/src/daemon/https/tls/gnutls_int.h | |||
@@ -447,6 +447,7 @@ typedef struct | |||
447 | int read_eof; /* non-zero if we have received a closure alert. */ | 447 | int read_eof; /* non-zero if we have received a closure alert. */ |
448 | 448 | ||
449 | int last_alert; /* last alert received */ | 449 | int last_alert; /* last alert received */ |
450 | int last_alert_level; /* last alert level */ | ||
450 | 451 | ||
451 | /* The last handshake messages sent or received. | 452 | /* The last handshake messages sent or received. |
452 | */ | 453 | */ |
diff --git a/src/daemon/https/tls/gnutls_record.c b/src/daemon/https/tls/gnutls_record.c index cacbdecc..92692fc2 100644 --- a/src/daemon/https/tls/gnutls_record.c +++ b/src/daemon/https/tls/gnutls_record.c | |||
@@ -657,6 +657,7 @@ static int record_check_type(gnutls_session_t session, | |||
657 | data[0], data[1], gnutls_alert_get_name ((int) data[1])); | 657 | data[0], data[1], gnutls_alert_get_name ((int) data[1])); |
658 | 658 | ||
659 | session->internals.last_alert = data[1]; | 659 | session->internals.last_alert = data[1]; |
660 | session->internals.last_alert_level = data[0]; | ||
660 | 661 | ||
661 | /* if close notify is received and | 662 | /* if close notify is received and |
662 | * the alert is not fatal | 663 | * the alert is not fatal |
@@ -674,7 +675,6 @@ static int record_check_type(gnutls_session_t session, | |||
674 | /* if the alert is FATAL or WARNING | 675 | /* if the alert is FATAL or WARNING |
675 | * return the apropriate message | 676 | * return the apropriate message |
676 | */ | 677 | */ |
677 | |||
678 | gnutls_assert (); | 678 | gnutls_assert (); |
679 | ret = GNUTLS_E_WARNING_ALERT_RECEIVED; | 679 | ret = GNUTLS_E_WARNING_ALERT_RECEIVED; |
680 | if (data[0] == GNUTLS_AL_FATAL) | 680 | if (data[0] == GNUTLS_AL_FATAL) |
@@ -968,8 +968,7 @@ ssize_t _gnutls_recv_int(gnutls_session_t session, | |||
968 | return ret; | 968 | return ret; |
969 | } | 969 | } |
970 | 970 | ||
971 | /* decrypt the data we got. | 971 | /* decrypt the data we got. */ |
972 | */ | ||
973 | ret = _gnutls_decrypt(session, ciphertext, length, tmp.data, tmp.size, | 972 | ret = _gnutls_decrypt(session, ciphertext, length, tmp.data, tmp.size, |
974 | recv_type); | 973 | recv_type); |
975 | if (ret < 0) | 974 | if (ret < 0) |
@@ -1015,6 +1014,7 @@ ssize_t _gnutls_recv_int(gnutls_session_t session, | |||
1015 | return GNUTLS_E_RECORD_LIMIT_REACHED; | 1014 | return GNUTLS_E_RECORD_LIMIT_REACHED; |
1016 | } | 1015 | } |
1017 | 1016 | ||
1017 | /* check type - this will also invalidate sessions if a fatal alert has been received */ | ||
1018 | ret = record_check_type(session, recv_type, type, htype, tmp.data, | 1018 | ret = record_check_type(session, recv_type, type, htype, tmp.data, |
1019 | decrypted_length); | 1019 | decrypted_length); |
1020 | if (ret < 0) | 1020 | if (ret < 0) |
diff --git a/src/daemon/https/tls/gnutls_session.h b/src/daemon/https/tls/gnutls_session.h deleted file mode 100644 index dae99edc..00000000 --- a/src/daemon/https/tls/gnutls_session.h +++ /dev/null | |||
@@ -1,23 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation | ||
3 | * | ||
4 | * Author: Nikos Mavrogiannopoulos | ||
5 | * | ||
6 | * This file is part of GNUTLS. | ||
7 | * | ||
8 | * The GNUTLS library is free software; you can redistribute it and/or | ||
9 | * modify it under the terms of the GNU Lesser General Public License | ||
10 | * as published by the Free Software Foundation; either version 2.1 of | ||
11 | * the License, or (at your option) any later version. | ||
12 | * | ||
13 | * This library is distributed in the hope that it will be useful, but | ||
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
16 | * Lesser General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU Lesser General Public | ||
19 | * License along with this library; if not, write to the Free Software | ||
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, | ||
21 | * USA | ||
22 | * | ||
23 | */ | ||
diff --git a/src/examples/https_server_example.c b/src/examples/https_server_example.c index 03ea4cf8..342b3111 100644 --- a/src/examples/https_server_example.c +++ b/src/examples/https_server_example.c | |||
@@ -36,7 +36,7 @@ | |||
36 | 36 | ||
37 | #include "config.h" | 37 | #include "config.h" |
38 | #include <microhttpd.h> | 38 | #include <microhttpd.h> |
39 | #include "internal.h" | 39 | #include <sys/stat.h> |
40 | 40 | ||
41 | #include <stdlib.h> | 41 | #include <stdlib.h> |
42 | #ifndef MINGW | 42 | #ifndef MINGW |
@@ -53,29 +53,13 @@ | |||
53 | #define KEYFILE "key.pem" | 53 | #define KEYFILE "key.pem" |
54 | #define CERTFILE "cert.pem" | 54 | #define CERTFILE "cert.pem" |
55 | 55 | ||
56 | |||
56 | // TODO remove if unused | 57 | // TODO remove if unused |
57 | #define CAFILE "ca.pem" | 58 | #define CAFILE "ca.pem" |
58 | #define CRLFILE "crl.pem" | 59 | #define CRLFILE "crl.pem" |
59 | 60 | ||
60 | #define PAGE_NOT_FOUND "<html><head><title>File not found</title></head><body>File not found</body></html>" | 61 | #define PAGE_NOT_FOUND "<html><head><title>File not found</title></head><body>File not found</body></html>" |
61 | 62 | ||
62 | gnutls_session_t | ||
63 | initialize_tls_session (struct MHD_Connection *connection) | ||
64 | { | ||
65 | gnutls_session_t session; | ||
66 | |||
67 | gnutls_init (&session, GNUTLS_SERVER); | ||
68 | |||
69 | /* sets cipher priorities */ | ||
70 | gnutls_priority_set (session, connection->daemon->priority_cache); | ||
71 | |||
72 | /* set needed credentials for certificate authentication. */ | ||
73 | gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, | ||
74 | connection->daemon->x509_cret); | ||
75 | |||
76 | return session; | ||
77 | } | ||
78 | |||
79 | static int | 63 | static int |
80 | file_reader (void *cls, size_t pos, char *buf, int max) | 64 | file_reader (void *cls, size_t pos, char *buf, int max) |
81 | { | 65 | { |
@@ -85,122 +69,6 @@ file_reader (void *cls, size_t pos, char *buf, int max) | |||
85 | return fread (buf, 1, max, file); | 69 | return fread (buf, 1, max, file); |
86 | } | 70 | } |
87 | 71 | ||
88 | /* HTTPS access handler call back */ | ||
89 | static int | ||
90 | https_ahc (void *cls, | ||
91 | struct MHD_Connection *connection, | ||
92 | const char *url, | ||
93 | const char *method, | ||
94 | const char *upload_data, | ||
95 | const char *version, unsigned int *upload_data_size, void **ptr) | ||
96 | { | ||
97 | /* loopback HTTP socket */ | ||
98 | int loopback_sd, err; | ||
99 | ssize_t ret; | ||
100 | struct sockaddr_in servaddr4; | ||
101 | const struct sockaddr *servaddr; | ||
102 | struct sockaddr_in loopback_sa; | ||
103 | socklen_t addrlen; | ||
104 | |||
105 | gnutls_session_t session; | ||
106 | static int aptr; | ||
107 | struct MHD_Response *response; | ||
108 | char buffer[BUF_SIZE]; | ||
109 | |||
110 | printf ("accepted connection from %d\n", connection->addr->sin_addr); | ||
111 | |||
112 | session = initialize_tls_session (connection); | ||
113 | |||
114 | gnutls_transport_set_ptr (session, connection->socket_fd); | ||
115 | |||
116 | ret = gnutls_handshake (session); | ||
117 | |||
118 | if (ret < 0) | ||
119 | { | ||
120 | /* set connection as closed */ | ||
121 | connection->socket_fd = 1; | ||
122 | gnutls_deinit (session); | ||
123 | fprintf (stderr, "*** Handshake has failed (%s)\n\n", | ||
124 | gnutls_strerror (ret)); | ||
125 | return MHD_NO; | ||
126 | } | ||
127 | |||
128 | printf ("TLS Handshake completed\n"); | ||
129 | connection->state = MHDS_HANDSHAKE_COMPLETE; | ||
130 | |||
131 | /* initialize loopback socket */ | ||
132 | loopback_sd = socket (AF_INET, SOCK_STREAM, 0); | ||
133 | memset (&loopback_sa, '\0', sizeof (loopback_sa)); | ||
134 | loopback_sa.sin_family = AF_INET; | ||
135 | |||
136 | // TODO solve magic number issue - the http's daemons port must be shared with the https daemon - rosolve data sharing point | ||
137 | loopback_sa.sin_port = htons (50000); | ||
138 | inet_pton (AF_INET, "127.0.0.1", &loopback_sa.sin_addr); | ||
139 | |||
140 | /* connect loopback socket */ | ||
141 | err = connect (loopback_sd, (struct sockaddr *) &loopback_sa, | ||
142 | sizeof (loopback_sa)); | ||
143 | if (err < 0) | ||
144 | { | ||
145 | // TODO err handle | ||
146 | fprintf (stderr, "Error : failed to create TLS loopback socket\n"); | ||
147 | exit (1); | ||
148 | } | ||
149 | |||
150 | /* | ||
151 | * This loop pipes data received through the TLS tunnel into the loopback connection. | ||
152 | * message encryption/decryption is acheived via 'gnutls_record_send' & gnutls_record_recv calls. | ||
153 | */ | ||
154 | memset (buffer, 0, BUF_SIZE); | ||
155 | if (gnutls_record_recv (session, buffer, BUF_SIZE) < 0) | ||
156 | { | ||
157 | fprintf (stderr, "\n*** Received corrupted " | ||
158 | "data(%d). Closing the connection.\n\n", ret); | ||
159 | connection->socket_fd = -1; | ||
160 | gnutls_deinit (session); | ||
161 | return MHD_NO; | ||
162 | } | ||
163 | |||
164 | if (write (loopback_sd, buffer, BUF_SIZE) < 0) | ||
165 | { | ||
166 | printf ("failed to write to TLS loopback socket\n"); | ||
167 | connection->socket_fd = -1; | ||
168 | gnutls_deinit (session); | ||
169 | return MHD_NO; | ||
170 | } | ||
171 | |||
172 | for (;;) | ||
173 | { | ||
174 | memset (buffer, 0, BUF_SIZE); | ||
175 | |||
176 | ret = read (loopback_sd, buffer, BUF_SIZE); | ||
177 | |||
178 | if (ret < 0) | ||
179 | { | ||
180 | printf ("failed to read from TLS loopback socket\n"); | ||
181 | break; | ||
182 | } | ||
183 | |||
184 | if (ret == 0) | ||
185 | { | ||
186 | break; | ||
187 | } | ||
188 | |||
189 | /* echo data back to the client */ | ||
190 | ret = gnutls_record_send (session, buffer, ret); | ||
191 | if (ret < 0) | ||
192 | { | ||
193 | printf ("failed to write to TLS socket\n"); | ||
194 | break; | ||
195 | } | ||
196 | } | ||
197 | /* mark connection as closed */ | ||
198 | connection->socket_fd = -1; | ||
199 | gnutls_deinit (session); | ||
200 | |||
201 | return MHD_YES; | ||
202 | } | ||
203 | |||
204 | /* HTTP access handler call back */ | 72 | /* HTTP access handler call back */ |
205 | static int | 73 | static int |
206 | http_ahc (void *cls, | 74 | http_ahc (void *cls, |
@@ -225,7 +93,7 @@ http_ahc (void *cls, | |||
225 | return MHD_YES; | 93 | return MHD_YES; |
226 | } | 94 | } |
227 | *ptr = NULL; /* reset when done */ | 95 | *ptr = NULL; /* reset when done */ |
228 | 96 | ||
229 | file = fopen (url, "r"); | 97 | file = fopen (url, "r"); |
230 | if (file == NULL) | 98 | if (file == NULL) |
231 | { | 99 | { |
@@ -247,17 +115,16 @@ http_ahc (void *cls, | |||
247 | } | 115 | } |
248 | return ret; | 116 | return ret; |
249 | } | 117 | } |
250 | 118 | ||
251 | int | 119 | int |
252 | main (int argc, char *const *argv) | 120 | main (int argc, char *const *argv) |
253 | { | 121 | { |
254 | char keyfile[255] = KEYFILE; | 122 | char keyfile[255] = KEYFILE; |
255 | char certfile[255] = CERTFILE; | 123 | char certfile[255] = CERTFILE; |
256 | struct MHD_Daemon *HTTP_daemon; | ||
257 | struct MHD_Daemon *TLS_daemon; | 124 | struct MHD_Daemon *TLS_daemon; |
258 | 125 | ||
259 | /* look for HTTPS arguments */ | 126 | /* look for HTTPS arguments */ |
260 | if (argc < 6) | 127 | if (argc < 5) |
261 | { | 128 | { |
262 | printf | 129 | printf |
263 | ("Usage : %s HTTP-PORT SECONDS-TO-RUN HTTPS-PORT KEY-FILE CERT-FILE\n", | 130 | ("Usage : %s HTTP-PORT SECONDS-TO-RUN HTTPS-PORT KEY-FILE CERT-FILE\n", |
@@ -268,20 +135,10 @@ main (int argc, char *const *argv) | |||
268 | // TODO check if this is truly necessary - disallow usage of the blocking /dev/random */ | 135 | // TODO check if this is truly necessary - disallow usage of the blocking /dev/random */ |
269 | // gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); | 136 | // gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); |
270 | 137 | ||
271 | HTTP_daemon = | ||
272 | MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_DEBUG, | ||
273 | atoi (argv[1]), NULL, NULL, &http_ahc, NULL, MHD_OPTION_END); | ||
274 | |||
275 | if (HTTP_daemon == NULL) | ||
276 | { | ||
277 | printf ("Error: failed to start HTTP_daemon"); | ||
278 | return 1; | ||
279 | } | ||
280 | |||
281 | TLS_daemon = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_DEBUG | 138 | TLS_daemon = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_DEBUG |
282 | | MHD_USE_SSL, atoi (argv[3]), | 139 | | MHD_USE_SSL, atoi (argv[3]), |
283 | NULL, | 140 | NULL, |
284 | NULL, &https_ahc, | 141 | NULL, &http_ahc, |
285 | NULL, MHD_OPTION_CONNECTION_TIMEOUT, 256, | 142 | NULL, MHD_OPTION_CONNECTION_TIMEOUT, 256, |
286 | MHD_OPTION_HTTPS_KEY_PATH, argv[4], | 143 | MHD_OPTION_HTTPS_KEY_PATH, argv[4], |
287 | MHD_OPTION_HTTPS_CERT_PATH, argv[5], | 144 | MHD_OPTION_HTTPS_CERT_PATH, argv[5], |
@@ -295,8 +152,6 @@ main (int argc, char *const *argv) | |||
295 | 152 | ||
296 | sleep (atoi (argv[2])); | 153 | sleep (atoi (argv[2])); |
297 | 154 | ||
298 | MHD_stop_daemon (HTTP_daemon); | ||
299 | |||
300 | MHD_stop_daemon (TLS_daemon); | 155 | MHD_stop_daemon (TLS_daemon); |
301 | 156 | ||
302 | return 0; | 157 | return 0; |