diff options
Diffstat (limited to 'src/daemon')
-rw-r--r-- | src/daemon/connection_https.c | 5 | ||||
-rw-r--r-- | src/daemon/daemon.c | 398 | ||||
-rw-r--r-- | src/daemon/https/tls/Makefile.am | 1 | ||||
-rw-r--r-- | src/daemon/https/tls/auth_cert.h | 9 | ||||
-rw-r--r-- | src/daemon/https/tls/ext_cert_type.c | 4 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_alert.c | 4 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_algorithms.c | 16 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_anon_cred.c | 3 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_db.c | 386 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_db.h | 37 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_handshake.c | 13 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_int.h | 4 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_priority.c | 4 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_record.c | 33 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_session.c | 6 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_session_pack.c | 330 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_state.c | 5 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_x509.c | 33 | ||||
-rw-r--r-- | src/daemon/https/x509/pkcs12.h | 1 | ||||
-rw-r--r-- | src/daemon/internal.h | 9 |
20 files changed, 572 insertions, 729 deletions
diff --git a/src/daemon/connection_https.c b/src/daemon/connection_https.c index d275bb19..d91e6b90 100644 --- a/src/daemon/connection_https.c +++ b/src/daemon/connection_https.c | |||
@@ -37,7 +37,7 @@ | |||
37 | #include "gnutls_int.h" | 37 | #include "gnutls_int.h" |
38 | #include "gnutls_record.h" | 38 | #include "gnutls_record.h" |
39 | 39 | ||
40 | /* TODO rm #include "gnutls_errors.h" */ | 40 | /* TODO #include rm "gnutls_errors.h" */ |
41 | #include "gnutls_errors.h" | 41 | #include "gnutls_errors.h" |
42 | 42 | ||
43 | /* forward declarations used when setting secure connection callbacks */ | 43 | /* forward declarations used when setting secure connection callbacks */ |
@@ -168,6 +168,9 @@ MHD_tls_connection_handle_idle (struct MHD_Connection *connection) | |||
168 | 168 | ||
169 | switch (connection->state) | 169 | switch (connection->state) |
170 | { | 170 | { |
171 | /* on newly created connections we might reach here before any reply has been received */ | ||
172 | case MHD_TLS_CONNECTION_INIT: | ||
173 | return MHD_YES; | ||
171 | /* close connection if necessary */ | 174 | /* close connection if necessary */ |
172 | case MHD_CONNECTION_CLOSED: | 175 | case MHD_CONNECTION_CLOSED: |
173 | MHD_tls_connection_close (connection); | 176 | MHD_tls_connection_close (connection); |
diff --git a/src/daemon/daemon.c b/src/daemon/daemon.c index 34a9bac6..84662dbd 100644 --- a/src/daemon/daemon.c +++ b/src/daemon/daemon.c | |||
@@ -32,6 +32,7 @@ | |||
32 | #if HTTPS_SUPPORT | 32 | #if HTTPS_SUPPORT |
33 | #include "gnutls_int.h" | 33 | #include "gnutls_int.h" |
34 | #include "gnutls_global.h" | 34 | #include "gnutls_global.h" |
35 | #include "auth_anon.h" | ||
35 | #endif | 36 | #endif |
36 | 37 | ||
37 | /** | 38 | /** |
@@ -56,26 +57,14 @@ | |||
56 | */ | 57 | */ |
57 | #define DEBUG_CONNECT MHD_NO | 58 | #define DEBUG_CONNECT MHD_NO |
58 | 59 | ||
59 | #if HTTPS_SUPPORT | 60 | /* TODO unite with code in gnutls_priority.c */ |
60 | /* initialize security aspects of the HTTPS daemon */ | ||
61 | static int | 61 | static int |
62 | MHD_TLS_init (struct MHD_Daemon *daemon) | 62 | MHD_init_daemon_certificate (struct MHD_Daemon *daemon) |
63 | { | 63 | { |
64 | int i; | ||
65 | priority_st st; | ||
66 | gnutls_datum_t key; | 64 | gnutls_datum_t key; |
67 | gnutls_datum_t cert; | 65 | gnutls_datum_t cert; |
68 | 66 | ||
69 | gnutls_global_set_log_function (MHD_tls_log_func); | 67 | /* certificate & key loaded from file */ |
70 | |||
71 | /* setup server certificate */ | ||
72 | gnutls_certificate_allocate_credentials (&daemon->x509_cret); | ||
73 | |||
74 | /* TODO remove if unused | ||
75 | gnutls_certificate_set_x509_trust_file(x509_cret, CAFILE,GNUTLS_X509_FMT_PEM); | ||
76 | gnutls_certificate_set_x509_crl_file(x509_cret, CRLFILE, GNUTLS_X509_FMT_PEM); */ | ||
77 | |||
78 | /* sets a certificate private key pair */ | ||
79 | if (daemon->https_cert_path && daemon->https_key_path) | 68 | if (daemon->https_cert_path && daemon->https_key_path) |
80 | { | 69 | { |
81 | /* test for private key & certificate file exsitance */ | 70 | /* test for private key & certificate file exsitance */ |
@@ -98,20 +87,21 @@ MHD_TLS_init (struct MHD_Daemon *daemon) | |||
98 | CLOSE (daemon->socket_fd); | 87 | CLOSE (daemon->socket_fd); |
99 | return -1; | 88 | return -1; |
100 | } | 89 | } |
101 | gnutls_certificate_set_x509_key_file (daemon->x509_cret, | 90 | return gnutls_certificate_set_x509_key_file (daemon->x509_cred, |
102 | daemon->https_cert_path, | 91 | daemon->https_cert_path, |
103 | daemon->https_key_path, | 92 | daemon->https_key_path, |
104 | GNUTLS_X509_FMT_PEM); | 93 | GNUTLS_X509_FMT_PEM); |
105 | } | 94 | } |
95 | /* certificate & key loaded from memory */ | ||
106 | else if (daemon->https_mem_cert && daemon->https_mem_key) | 96 | else if (daemon->https_mem_cert && daemon->https_mem_key) |
107 | { | 97 | { |
108 | key.data = (char *) daemon->https_mem_key; | 98 | key.data = (unsigned char *) daemon->https_mem_key; |
109 | key.size = strlen (daemon->https_mem_key); | 99 | key.size = strlen (daemon->https_mem_key); |
110 | cert.data = (char *) daemon->https_mem_cert; | 100 | cert.data = (unsigned char *) daemon->https_mem_cert; |
111 | cert.size = strlen (daemon->https_mem_cert); | 101 | cert.size = strlen (daemon->https_mem_cert); |
112 | 102 | ||
113 | gnutls_certificate_set_x509_key_mem (daemon->x509_cret, &cert, &key, | 103 | return gnutls_certificate_set_x509_key_mem (daemon->x509_cred, &cert, |
114 | GNUTLS_X509_FMT_PEM); | 104 | &key, GNUTLS_X509_FMT_PEM); |
115 | } | 105 | } |
116 | else | 106 | else |
117 | { | 107 | { |
@@ -120,29 +110,44 @@ MHD_TLS_init (struct MHD_Daemon *daemon) | |||
120 | #endif | 110 | #endif |
121 | return MHD_NO; | 111 | return MHD_NO; |
122 | } | 112 | } |
113 | } | ||
123 | 114 | ||
124 | /* generate DH parameters if necessary */ | 115 | /* initialize security aspects of the HTTPS daemon */ |
125 | st = daemon->priority_cache->kx; | 116 | int |
126 | for (i = 0; i < st.algorithms; i++) | 117 | MHD_TLS_init (struct MHD_Daemon *daemon) |
118 | { | ||
119 | int ret; | ||
120 | |||
121 | switch (daemon->cred_type) | ||
127 | { | 122 | { |
128 | /* initialize Diffie Hellman parameters if necessary */ | 123 | case MHD_GNUTLS_CRD_ANON: |
129 | /* TODO add other cipher suits */ | 124 | ret = gnutls_anon_allocate_server_credentials (&daemon->anon_cred); |
130 | if (st.priority[i] == MHD_GNUTLS_KX_DHE_RSA) | 125 | ret += gnutls_dh_params_init (&daemon->dh_params); |
131 | { | 126 | if (ret != 0) { |
132 | gnutls_dh_params_init (&daemon->dh_params); | 127 | return GNUTLS_E_MEMORY_ERROR; |
133 | gnutls_dh_params_generate2 (daemon->dh_params, 1024); | 128 | } |
134 | break; | 129 | gnutls_dh_params_generate2 (daemon->dh_params, 1024); |
135 | } | 130 | gnutls_anon_set_server_dh_params (daemon->anon_cred, daemon->dh_params); |
131 | break; | ||
132 | case MHD_GNUTLS_CRD_CERTIFICATE: | ||
133 | ret = gnutls_certificate_allocate_credentials (&daemon->x509_cred) ; | ||
134 | if (ret != 0) { | ||
135 | return GNUTLS_E_MEMORY_ERROR; | ||
136 | } | ||
137 | if ((ret = MHD_init_daemon_certificate (daemon)) != 0) | ||
138 | return ret; | ||
139 | default: | ||
140 | #if HAVE_MESSAGES | ||
141 | MHD_DLOG (daemon, | ||
142 | "Error: no daemon credentials type found. f: %s, l: %d\n", | ||
143 | __FUNCTION__, __LINE__); | ||
144 | #endif | ||
145 | break; | ||
136 | } | 146 | } |
137 | 147 | ||
138 | gnutls_certificate_set_dh_params (daemon->x509_cret, daemon->dh_params); | 148 | return MHD_NO; |
139 | |||
140 | /* TODO address error case return value */ | ||
141 | return MHD_YES; | ||
142 | } | 149 | } |
143 | 150 | ||
144 | /* TODO unite with code in gnutls_priority.c */ | ||
145 | /* this is used to set HTTPS related daemon priorities */ | ||
146 | inline static int | 151 | inline static int |
147 | _set_priority (priority_st * st, const int *list) | 152 | _set_priority (priority_st * st, const int *list) |
148 | { | 153 | { |
@@ -152,7 +157,7 @@ _set_priority (priority_st * st, const int *list) | |||
152 | num++; | 157 | num++; |
153 | if (num > MAX_ALGOS) | 158 | if (num > MAX_ALGOS) |
154 | num = MAX_ALGOS; | 159 | num = MAX_ALGOS; |
155 | st->algorithms = num; | 160 | st->num_algorithms = num; |
156 | 161 | ||
157 | for (i = 0; i < num; i++) | 162 | for (i = 0; i < num; i++) |
158 | { | 163 | { |
@@ -161,7 +166,6 @@ _set_priority (priority_st * st, const int *list) | |||
161 | 166 | ||
162 | return 0; | 167 | return 0; |
163 | } | 168 | } |
164 | #endif /* HTTPS_SUPPORT */ | ||
165 | 169 | ||
166 | /** | 170 | /** |
167 | * Obtain the select sets for this daemon. | 171 | * Obtain the select sets for this daemon. |
@@ -300,12 +304,13 @@ gnutls_push_param_adapter (void *connection, | |||
300 | } | 304 | } |
301 | #endif | 305 | #endif |
302 | 306 | ||
307 | |||
303 | /** | 308 | /** |
304 | * Handle an individual TLS connection. | 309 | * Handle an individual TLS connection. |
305 | */ | 310 | */ |
306 | #if HTTPS_SUPPORT | 311 | #if HTTPS_SUPPORT |
307 | static void * | 312 | static void * |
308 | MHD_TLS_handle_connection (void *data) | 313 | MHD_TLS_init_connection (void *data) |
309 | { | 314 | { |
310 | struct MHD_Connection *con = data; | 315 | struct MHD_Connection *con = data; |
311 | 316 | ||
@@ -320,16 +325,37 @@ MHD_TLS_handle_connection (void *data) | |||
320 | /* sets cipher priorities */ | 325 | /* sets cipher priorities */ |
321 | gnutls_priority_set (con->tls_session, con->daemon->priority_cache); | 326 | gnutls_priority_set (con->tls_session, con->daemon->priority_cache); |
322 | 327 | ||
323 | /* set needed credentials for certificate authentication. */ | 328 | switch (con->daemon->cred_type) |
324 | gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_CERTIFICATE, | 329 | { |
325 | con->daemon->x509_cret); | 330 | /* set needed credentials for certificate authentication. */ |
331 | case MHD_GNUTLS_CRD_CERTIFICATE: | ||
332 | gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_CERTIFICATE, | ||
333 | con->daemon->x509_cred); | ||
334 | break; | ||
335 | case MHD_GNUTLS_CRD_ANON: | ||
336 | /* set needed credentials for anonymous authentication. */ | ||
337 | gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_ANON, | ||
338 | con->daemon->anon_cred); | ||
339 | gnutls_dh_set_prime_bits (con->tls_session, 1024); | ||
340 | break; | ||
341 | default: | ||
342 | |||
343 | #if HAVE_MESSAGES | ||
344 | MHD_DLOG (con->daemon, | ||
345 | "Error: couldn't init HTTPS session. no appropriate KX algorithm found. f: %s, l: %d\n", | ||
346 | __FUNCTION__, __LINE__); | ||
347 | #endif | ||
348 | break; | ||
349 | } | ||
326 | 350 | ||
327 | /* TODO avoid gnutls blocking recv / write calls | 351 | /* TODO avoid gnutls blocking recv / write calls |
328 | gnutls_transport_set_pull_function(tls_session, &recv); | 352 | gnutls_transport_set_pull_function(tls_session, &recv); |
329 | gnutls_transport_set_push_function(tls_session, &send); | 353 | gnutls_transport_set_push_function(tls_session, &send); |
330 | */ | 354 | */ |
331 | 355 | ||
332 | gnutls_transport_set_ptr (con->tls_session, con->socket_fd); | 356 | gnutls_transport_set_ptr (con->tls_session, |
357 | (gnutls_transport_ptr_t) ((void *) con-> | ||
358 | socket_fd)); | ||
333 | 359 | ||
334 | return MHD_handle_connection (data); | 360 | return MHD_handle_connection (data); |
335 | } | 361 | } |
@@ -489,7 +515,7 @@ MHD_accept_connection (struct MHD_Daemon *daemon) | |||
489 | #if HTTPS_SUPPORT | 515 | #if HTTPS_SUPPORT |
490 | if (daemon->options & MHD_USE_SSL) | 516 | if (daemon->options & MHD_USE_SSL) |
491 | res_thread_create = pthread_create (&connection->pid, NULL, | 517 | res_thread_create = pthread_create (&connection->pid, NULL, |
492 | &MHD_TLS_handle_connection, | 518 | &MHD_TLS_init_connection, |
493 | connection); | 519 | connection); |
494 | else | 520 | else |
495 | #endif | 521 | #endif |
@@ -768,7 +794,7 @@ MHD_select_thread (void *cls) | |||
768 | */ | 794 | */ |
769 | struct MHD_Daemon * | 795 | struct MHD_Daemon * |
770 | MHD_start_daemon_va (unsigned int options, | 796 | MHD_start_daemon_va (unsigned int options, |
771 | unsigned short port, | 797 | unsigned short port, char *ip, |
772 | MHD_AcceptPolicyCallback apc, | 798 | MHD_AcceptPolicyCallback apc, |
773 | void *apc_cls, | 799 | void *apc_cls, |
774 | MHD_AccessHandlerCallback dh, void *dh_cls, va_list ap) | 800 | MHD_AccessHandlerCallback dh, void *dh_cls, va_list ap) |
@@ -875,6 +901,7 @@ MHD_start_daemon_va (unsigned int options, | |||
875 | pthread_mutex_unlock (&gnutls_init_mutex); | 901 | pthread_mutex_unlock (&gnutls_init_mutex); |
876 | /* set default priorities */ | 902 | /* set default priorities */ |
877 | gnutls_priority_init (&retVal->priority_cache, "", NULL); | 903 | gnutls_priority_init (&retVal->priority_cache, "", NULL); |
904 | retVal->cred_type = MHD_GNUTLS_CRD_CERTIFICATE; | ||
878 | } | 905 | } |
879 | #endif | 906 | #endif |
880 | /* initializes the argument pointer variable */ | 907 | /* initializes the argument pointer variable */ |
@@ -906,7 +933,7 @@ MHD_start_daemon_va (unsigned int options, | |||
906 | #if HTTPS_SUPPORT | 933 | #if HTTPS_SUPPORT |
907 | case MHD_OPTION_PROTOCOL_VERSION: | 934 | case MHD_OPTION_PROTOCOL_VERSION: |
908 | _set_priority (&retVal->priority_cache->protocol, | 935 | _set_priority (&retVal->priority_cache->protocol, |
909 | va_arg (ap, const int *)); | 936 | va_arg (ap, const int *)); |
910 | break; | 937 | break; |
911 | case MHD_OPTION_HTTPS_KEY_PATH: | 938 | case MHD_OPTION_HTTPS_KEY_PATH: |
912 | retVal->https_key_path = va_arg (ap, const char *); | 939 | retVal->https_key_path = va_arg (ap, const char *); |
@@ -920,8 +947,11 @@ MHD_start_daemon_va (unsigned int options, | |||
920 | case MHD_OPTION_HTTPS_MEM_CERT: | 947 | case MHD_OPTION_HTTPS_MEM_CERT: |
921 | retVal->https_mem_cert = va_arg (ap, const char *); | 948 | retVal->https_mem_cert = va_arg (ap, const char *); |
922 | break; | 949 | break; |
950 | case MHD_OPTION_CRED_TYPE: | ||
951 | retVal->cred_type = va_arg (ap, const int); | ||
952 | break; | ||
923 | case MHD_OPTION_KX_PRIORITY: | 953 | case MHD_OPTION_KX_PRIORITY: |
924 | _set_priority (&retVal->priority_cache->cipher, | 954 | _set_priority (&retVal->priority_cache->kx, |
925 | va_arg (ap, const int *)); | 955 | va_arg (ap, const int *)); |
926 | break; | 956 | break; |
927 | case MHD_OPTION_CIPHER_ALGORITHM: | 957 | case MHD_OPTION_CIPHER_ALGORITHM: |
@@ -929,16 +959,17 @@ MHD_start_daemon_va (unsigned int options, | |||
929 | va_arg (ap, const int *)); | 959 | va_arg (ap, const int *)); |
930 | break; | 960 | break; |
931 | case MHD_OPTION_MAC_ALGO: | 961 | case MHD_OPTION_MAC_ALGO: |
932 | _set_priority (&retVal->priority_cache->mac, | 962 | _set_priority (&retVal->priority_cache->mac, |
933 | va_arg (ap, const int *)); | 963 | va_arg (ap, const int *)); |
934 | break; | 964 | break; |
935 | #endif | 965 | #endif |
936 | default: | 966 | default: |
937 | #if HAVE_MESSAGES | 967 | #if HAVE_MESSAGES |
938 | if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END) | 968 | if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END) |
939 | { | 969 | { |
940 | fprintf (stderr, | 970 | fprintf (stderr, |
941 | "Error: HTTPS option %d passed to non HTTPS daemon\n", opt); | 971 | "Error: HTTPS option %d passed to non HTTPS daemon\n", |
972 | opt); | ||
942 | } | 973 | } |
943 | else | 974 | else |
944 | { | 975 | { |
@@ -952,7 +983,7 @@ MHD_start_daemon_va (unsigned int options, | |||
952 | 983 | ||
953 | #if HTTPS_SUPPORT | 984 | #if HTTPS_SUPPORT |
954 | /* initialize HTTPS daemon certificate aspects & send / recv functions */ | 985 | /* initialize HTTPS daemon certificate aspects & send / recv functions */ |
955 | if (options & MHD_USE_SSL && MHD_NO == MHD_TLS_init (retVal)) | 986 | if (options & MHD_USE_SSL && MHD_TLS_init (retVal) != 0) |
956 | { | 987 | { |
957 | #if HAVE_MESSAGES | 988 | #if HAVE_MESSAGES |
958 | MHD_DLOG (retVal, "Failed to initialize HTTPS daemon\n"); | 989 | MHD_DLOG (retVal, "Failed to initialize HTTPS daemon\n"); |
@@ -985,18 +1016,244 @@ MHD_start_daemon (unsigned int options, | |||
985 | unsigned short port, | 1016 | unsigned short port, |
986 | MHD_AcceptPolicyCallback apc, | 1017 | MHD_AcceptPolicyCallback apc, |
987 | void *apc_cls, | 1018 | void *apc_cls, |
988 | MHD_AccessHandlerCallback dh, void *dh_cls, ...){ | 1019 | MHD_AccessHandlerCallback dh, void *dh_cls, ...) |
989 | 1020 | { | |
990 | int ret; | 1021 | const int on = 1; |
991 | va_list ap; | 1022 | struct MHD_Daemon *retVal; |
992 | va_start (ap, dh_cls); | 1023 | |
993 | ret = MHD_start_daemon_va (options, | 1024 | /* listeningss sockets used by the daemon */ |
994 | port, | 1025 | int socket_fd; |
995 | apc, | 1026 | va_list ap; |
996 | apc_cls, | 1027 | |
997 | dh, dh_cls, ap); | 1028 | struct sockaddr_in servaddr4; |
998 | va_end (ap); | 1029 | struct sockaddr_in6 servaddr6; |
999 | return ret; | 1030 | const struct sockaddr *servaddr; |
1031 | socklen_t addrlen; | ||
1032 | enum MHD_OPTION opt; | ||
1033 | |||
1034 | if ((port == 0) || (dh == NULL)) | ||
1035 | return NULL; | ||
1036 | if ((options & MHD_USE_IPv6) != 0) | ||
1037 | socket_fd = SOCKET (PF_INET6, SOCK_STREAM, 0); | ||
1038 | else | ||
1039 | socket_fd = SOCKET (PF_INET, SOCK_STREAM, 0); | ||
1040 | if (socket_fd < 0) | ||
1041 | { | ||
1042 | #if HAVE_MESSAGES | ||
1043 | if ((options & MHD_USE_DEBUG) != 0) | ||
1044 | fprintf (stderr, "Call to socket failed: %s\n", STRERROR (errno)); | ||
1045 | #endif | ||
1046 | return NULL; | ||
1047 | } | ||
1048 | if ((SETSOCKOPT (socket_fd, | ||
1049 | SOL_SOCKET, | ||
1050 | SO_REUSEADDR, | ||
1051 | &on, sizeof (on)) < 0) && (options & MHD_USE_DEBUG) != 0) | ||
1052 | { | ||
1053 | #if HAVE_MESSAGES | ||
1054 | fprintf (stderr, "setsockopt failed: %s\n", STRERROR (errno)); | ||
1055 | #endif | ||
1056 | } | ||
1057 | if ((options & MHD_USE_IPv6) != 0) | ||
1058 | { | ||
1059 | memset (&servaddr6, 0, sizeof (struct sockaddr_in6)); | ||
1060 | servaddr6.sin6_family = AF_INET6; | ||
1061 | servaddr6.sin6_port = htons (port); | ||
1062 | servaddr = (struct sockaddr *) &servaddr6; | ||
1063 | addrlen = sizeof (struct sockaddr_in6); | ||
1064 | } | ||
1065 | else | ||
1066 | { | ||
1067 | memset (&servaddr4, 0, sizeof (struct sockaddr_in)); | ||
1068 | servaddr4.sin_family = AF_INET; | ||
1069 | servaddr4.sin_port = htons (port); | ||
1070 | servaddr = (struct sockaddr *) &servaddr4; | ||
1071 | addrlen = sizeof (struct sockaddr_in); | ||
1072 | } | ||
1073 | if (BIND (socket_fd, servaddr, addrlen) < 0) | ||
1074 | { | ||
1075 | #if HAVE_MESSAGES | ||
1076 | if ((options & MHD_USE_DEBUG) != 0) | ||
1077 | fprintf (stderr, | ||
1078 | "Failed to bind to port %u: %s\n", port, STRERROR (errno)); | ||
1079 | #endif | ||
1080 | CLOSE (socket_fd); | ||
1081 | return NULL; | ||
1082 | } | ||
1083 | if (LISTEN (socket_fd, 20) < 0) | ||
1084 | { | ||
1085 | #if HAVE_MESSAGES | ||
1086 | if ((options & MHD_USE_DEBUG) != 0) | ||
1087 | fprintf (stderr, | ||
1088 | "Failed to listen for connections: %s\n", STRERROR (errno)); | ||
1089 | #endif | ||
1090 | CLOSE (socket_fd); | ||
1091 | return NULL; | ||
1092 | } | ||
1093 | |||
1094 | /* allocate the mhd daemon */ | ||
1095 | |||
1096 | retVal = malloc (sizeof (struct MHD_Daemon)); | ||
1097 | |||
1098 | if (retVal == NULL) | ||
1099 | { | ||
1100 | CLOSE (socket_fd); | ||
1101 | return NULL; | ||
1102 | } | ||
1103 | |||
1104 | memset (retVal, 0, sizeof (struct MHD_Daemon)); | ||
1105 | retVal->options = options; | ||
1106 | retVal->port = port; | ||
1107 | retVal->apc = apc; | ||
1108 | retVal->apc_cls = apc_cls; | ||
1109 | retVal->socket_fd = socket_fd; | ||
1110 | retVal->default_handler = dh; | ||
1111 | retVal->default_handler_cls = dh_cls; | ||
1112 | retVal->max_connections = MHD_MAX_CONNECTIONS_DEFAULT; | ||
1113 | retVal->pool_size = MHD_POOL_SIZE_DEFAULT; | ||
1114 | retVal->connection_timeout = 0; /* no timeout */ | ||
1115 | #if HTTPS_SUPPORT | ||
1116 | if (options & MHD_USE_SSL) | ||
1117 | { | ||
1118 | /* lock gnutls_global mutex since it uses reference counting */ | ||
1119 | pthread_mutex_lock (&gnutls_init_mutex); | ||
1120 | gnutls_global_init (); | ||
1121 | pthread_mutex_unlock (&gnutls_init_mutex); | ||
1122 | /* set default priorities */ | ||
1123 | gnutls_priority_init (&retVal->priority_cache, "", NULL); | ||
1124 | retVal->cred_type = MHD_GNUTLS_CRD_CERTIFICATE; | ||
1125 | } | ||
1126 | #endif | ||
1127 | /* initializes the argument pointer variable */ | ||
1128 | |||
1129 | va_start (ap, dh_cls); | ||
1130 | |||
1131 | /* | ||
1132 | * loop through daemon options | ||
1133 | */ | ||
1134 | while (MHD_OPTION_END != (opt = va_arg (ap, enum MHD_OPTION))) | ||
1135 | { | ||
1136 | switch (opt) | ||
1137 | { | ||
1138 | case MHD_OPTION_CONNECTION_MEMORY_LIMIT: | ||
1139 | retVal->pool_size = va_arg (ap, unsigned int); | ||
1140 | break; | ||
1141 | case MHD_OPTION_CONNECTION_LIMIT: | ||
1142 | retVal->max_connections = va_arg (ap, unsigned int); | ||
1143 | break; | ||
1144 | case MHD_OPTION_CONNECTION_TIMEOUT: | ||
1145 | retVal->connection_timeout = va_arg (ap, unsigned int); | ||
1146 | break; | ||
1147 | case MHD_OPTION_NOTIFY_COMPLETED: | ||
1148 | retVal->notify_completed = | ||
1149 | va_arg (ap, MHD_RequestCompletedCallback); | ||
1150 | retVal->notify_completed_cls = va_arg (ap, void *); | ||
1151 | break; | ||
1152 | case MHD_OPTION_PER_IP_CONNECTION_LIMIT: | ||
1153 | retVal->per_ip_connection_limit = va_arg (ap, unsigned int); | ||
1154 | break; | ||
1155 | #if HTTPS_SUPPORT | ||
1156 | case MHD_OPTION_PROTOCOL_VERSION: | ||
1157 | _set_priority (&retVal->priority_cache->protocol, | ||
1158 | va_arg (ap, const int *)); | ||
1159 | break; | ||
1160 | case MHD_OPTION_HTTPS_KEY_PATH: | ||
1161 | retVal->https_key_path = va_arg (ap, const char *); | ||
1162 | break; | ||
1163 | case MHD_OPTION_HTTPS_CERT_PATH: | ||
1164 | retVal->https_cert_path = va_arg (ap, const char *); | ||
1165 | break; | ||
1166 | case MHD_OPTION_HTTPS_MEM_KEY: | ||
1167 | retVal->https_mem_key = va_arg (ap, const char *); | ||
1168 | break; | ||
1169 | case MHD_OPTION_HTTPS_MEM_CERT: | ||
1170 | retVal->https_mem_cert = va_arg (ap, const char *); | ||
1171 | break; | ||
1172 | case MHD_OPTION_CRED_TYPE: | ||
1173 | retVal->cred_type = va_arg (ap, const int); | ||
1174 | break; | ||
1175 | case MHD_OPTION_KX_PRIORITY: | ||
1176 | _set_priority (&retVal->priority_cache->kx, | ||
1177 | va_arg (ap, const int *)); | ||
1178 | break; | ||
1179 | case MHD_OPTION_CIPHER_ALGORITHM: | ||
1180 | _set_priority (&retVal->priority_cache->cipher, | ||
1181 | va_arg (ap, const int *)); | ||
1182 | break; | ||
1183 | case MHD_OPTION_MAC_ALGO: | ||
1184 | _set_priority (&retVal->priority_cache->mac, | ||
1185 | va_arg (ap, const int *)); | ||
1186 | break; | ||
1187 | #endif | ||
1188 | default: | ||
1189 | #if HAVE_MESSAGES | ||
1190 | if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END) | ||
1191 | { | ||
1192 | fprintf (stderr, | ||
1193 | "Error: HTTPS option %d passed to non HTTPS daemon\n", | ||
1194 | opt); | ||
1195 | } | ||
1196 | else | ||
1197 | { | ||
1198 | fprintf (stderr, | ||
1199 | "Invalid MHD_OPTION argument! (Did you terminate the list with MHD_OPTION_END?)\n"); | ||
1200 | } | ||
1201 | #endif | ||
1202 | abort (); | ||
1203 | } | ||
1204 | } | ||
1205 | va_end (ap); | ||
1206 | |||
1207 | /* initialize HTTPS daemon certificate aspects & send / recv functions */ | ||
1208 | if (options & MHD_USE_SSL && MHD_TLS_init (retVal) != 0) | ||
1209 | { | ||
1210 | #if HAVE_MESSAGES | ||
1211 | MHD_DLOG (retVal, "Failed to initialize HTTPS daemon\n"); | ||
1212 | #endif | ||
1213 | free (retVal); | ||
1214 | return NULL; | ||
1215 | } | ||
1216 | |||
1217 | if (((0 != (options & MHD_USE_THREAD_PER_CONNECTION)) || (0 != (options | ||
1218 | & | ||
1219 | MHD_USE_SELECT_INTERNALLY))) | ||
1220 | && (0 != | ||
1221 | pthread_create (&retVal->pid, NULL, &MHD_select_thread, retVal))) | ||
1222 | { | ||
1223 | #if HAVE_MESSAGES | ||
1224 | MHD_DLOG (retVal, "Failed to create listen thread: %s\n", | ||
1225 | STRERROR (errno)); | ||
1226 | #endif | ||
1227 | free (retVal); | ||
1228 | CLOSE (socket_fd); | ||
1229 | return NULL; | ||
1230 | } | ||
1231 | |||
1232 | return retVal; | ||
1233 | } | ||
1234 | |||
1235 | |||
1236 | /* | ||
1237 | * start the MHD_Daemon while binding to a specific ip address. | ||
1238 | * | ||
1239 | * TODO : address adding ip parameter to MHD_start_daemon | ||
1240 | */ | ||
1241 | struct MHD_Daemon * | ||
1242 | MHD_start_daemon_ip (unsigned int options, | ||
1243 | unsigned short port, char *ip, | ||
1244 | MHD_AcceptPolicyCallback apc, | ||
1245 | void *apc_cls, | ||
1246 | MHD_AccessHandlerCallback dh, void *dh_cls, ...) | ||
1247 | { | ||
1248 | |||
1249 | gnutls_global_set_log_level (5); | ||
1250 | |||
1251 | struct MHD_Daemon *ret; | ||
1252 | va_list ap; | ||
1253 | va_start (ap, dh_cls); | ||
1254 | ret = MHD_start_daemon_va (options, port, ip, apc, apc_cls, dh, dh_cls, ap); | ||
1255 | va_end (ap); | ||
1256 | return ret; | ||
1000 | } | 1257 | } |
1001 | 1258 | ||
1002 | /** | 1259 | /** |
@@ -1066,7 +1323,10 @@ MHD_stop_daemon (struct MHD_Daemon *daemon) | |||
1066 | { | 1323 | { |
1067 | gnutls_priority_deinit (daemon->priority_cache); | 1324 | gnutls_priority_deinit (daemon->priority_cache); |
1068 | 1325 | ||
1069 | gnutls_certificate_free_credentials (daemon->x509_cret); | 1326 | if (daemon->x509_cred) |
1327 | gnutls_certificate_free_credentials (daemon->x509_cred); | ||
1328 | if (daemon->anon_cred) | ||
1329 | gnutls_anon_free_server_credentials (daemon->anon_cred); | ||
1070 | 1330 | ||
1071 | /* lock gnutls_global mutex since it uses reference counting */ | 1331 | /* lock gnutls_global mutex since it uses reference counting */ |
1072 | pthread_mutex_lock (&gnutls_init_mutex); | 1332 | pthread_mutex_lock (&gnutls_init_mutex); |
diff --git a/src/daemon/https/tls/Makefile.am b/src/daemon/https/tls/Makefile.am index 40d49e08..3155e0bd 100644 --- a/src/daemon/https/tls/Makefile.am +++ b/src/daemon/https/tls/Makefile.am | |||
@@ -43,7 +43,6 @@ gnutls_compress.c \ | |||
43 | gnutls_compress_int.c \ | 43 | gnutls_compress_int.c \ |
44 | gnutls_constate.c \ | 44 | gnutls_constate.c \ |
45 | gnutls_datum.c \ | 45 | gnutls_datum.c \ |
46 | gnutls_db.c \ | ||
47 | gnutls_dh.c \ | 46 | gnutls_dh.c \ |
48 | gnutls_dh_primes.c \ | 47 | gnutls_dh_primes.c \ |
49 | gnutls_errors.c \ | 48 | gnutls_errors.c \ |
diff --git a/src/daemon/https/tls/auth_cert.h b/src/daemon/https/tls/auth_cert.h index 86e0230f..e49a6089 100644 --- a/src/daemon/https/tls/auth_cert.h +++ b/src/daemon/https/tls/auth_cert.h | |||
@@ -34,6 +34,7 @@ | |||
34 | /* This structure may be complex, but it's the only way to | 34 | /* This structure may be complex, but it's the only way to |
35 | * support a server that has multiple certificates | 35 | * support a server that has multiple certificates |
36 | */ | 36 | */ |
37 | |||
37 | typedef struct gnutls_certificate_credentials_st | 38 | typedef struct gnutls_certificate_credentials_st |
38 | { | 39 | { |
39 | gnutls_dh_params_t dh_params; | 40 | gnutls_dh_params_t dh_params; |
@@ -45,7 +46,7 @@ typedef struct gnutls_certificate_credentials_st | |||
45 | 46 | ||
46 | gnutls_cert **cert_list; | 47 | gnutls_cert **cert_list; |
47 | /* contains a list of a list of certificates. | 48 | /* contains a list of a list of certificates. |
48 | * eg (X509): [0] certificate1, certificate11, certificate111 | 49 | * eg (X509): [0] certificate1, certificate11, certificate111 |
49 | * (if more than one, one certificate certifies the one before) | 50 | * (if more than one, one certificate certifies the one before) |
50 | * [1] certificate2, certificate22, ... | 51 | * [1] certificate2, certificate22, ... |
51 | */ | 52 | */ |
@@ -75,14 +76,14 @@ typedef struct gnutls_certificate_credentials_st | |||
75 | /* X509 specific stuff */ | 76 | /* X509 specific stuff */ |
76 | 77 | ||
77 | gnutls_x509_crt_t *x509_ca_list; | 78 | gnutls_x509_crt_t *x509_ca_list; |
78 | unsigned x509_ncas; /* number of CAs in the ca_list | 79 | unsigned x509_ncas; /* number of CAs in the ca_list |
79 | */ | 80 | */ |
80 | 81 | ||
81 | gnutls_x509_crl_t *x509_crl_list; | 82 | gnutls_x509_crl_t *x509_crl_list; |
82 | unsigned x509_ncrls; /* number of CRLs in the crl_list | 83 | unsigned x509_ncrls; /* number of CRLs in the crl_list |
83 | */ | 84 | */ |
84 | 85 | ||
85 | unsigned int verify_flags; /* flags to be used at | 86 | unsigned int verify_flags; /* flags to be used at |
86 | * certificate verification. | 87 | * certificate verification. |
87 | */ | 88 | */ |
88 | unsigned int verify_depth; | 89 | unsigned int verify_depth; |
diff --git a/src/daemon/https/tls/ext_cert_type.c b/src/daemon/https/tls/ext_cert_type.c index 6f1c17bc..a1bec6a1 100644 --- a/src/daemon/https/tls/ext_cert_type.c +++ b/src/daemon/https/tls/ext_cert_type.c | |||
@@ -150,10 +150,10 @@ _gnutls_cert_type_send_params (gnutls_session_t session, opaque * data, | |||
150 | if (session->security_parameters.entity == GNUTLS_CLIENT) | 150 | if (session->security_parameters.entity == GNUTLS_CLIENT) |
151 | { | 151 | { |
152 | 152 | ||
153 | if (session->internals.priorities.cert_type.algorithms > 0) | 153 | if (session->internals.priorities.cert_type.num_algorithms > 0) |
154 | { | 154 | { |
155 | 155 | ||
156 | len = session->internals.priorities.cert_type.algorithms; | 156 | len = session->internals.priorities.cert_type.num_algorithms; |
157 | 157 | ||
158 | if (len == 1 && | 158 | if (len == 1 && |
159 | session->internals.priorities.cert_type.priority[0] == | 159 | session->internals.priorities.cert_type.priority[0] == |
diff --git a/src/daemon/https/tls/gnutls_alert.c b/src/daemon/https/tls/gnutls_alert.c index dfa35f85..29422dab 100644 --- a/src/daemon/https/tls/gnutls_alert.c +++ b/src/daemon/https/tls/gnutls_alert.c | |||
@@ -148,7 +148,7 @@ gnutls_alert_send (gnutls_session_t session, gnutls_alert_level_t level, | |||
148 | * alert should be sent to the peer indicating that no renegotiation will | 148 | * alert should be sent to the peer indicating that no renegotiation will |
149 | * be performed. | 149 | * be performed. |
150 | * | 150 | * |
151 | * If there is no mapping to a valid alert the alert to indicate internal error | 151 | * If there is no mapping to a valid alert the alert to indicate internal error |
152 | * is returned. | 152 | * is returned. |
153 | * | 153 | * |
154 | **/ | 154 | **/ |
@@ -163,7 +163,7 @@ gnutls_error_to_alert (int err, int *level) | |||
163 | /* GNUTLS_A_DECRYPTION_FAILED is not sent, because | 163 | /* GNUTLS_A_DECRYPTION_FAILED is not sent, because |
164 | * it is not defined in SSL3. Note that we must | 164 | * it is not defined in SSL3. Note that we must |
165 | * not distinguish Decryption failures from mac | 165 | * not distinguish Decryption failures from mac |
166 | * check failures, due to the possibility of some | 166 | * check failures, due to the possibility of some |
167 | * attacks. | 167 | * attacks. |
168 | */ | 168 | */ |
169 | ret = GNUTLS_A_BAD_RECORD_MAC; | 169 | ret = GNUTLS_A_BAD_RECORD_MAC; |
diff --git a/src/daemon/https/tls/gnutls_algorithms.c b/src/daemon/https/tls/gnutls_algorithms.c index 56435345..1809afda 100644 --- a/src/daemon/https/tls/gnutls_algorithms.c +++ b/src/daemon/https/tls/gnutls_algorithms.c | |||
@@ -767,7 +767,7 @@ _gnutls_mac_priority (gnutls_session_t session, | |||
767 | gnutls_mac_algorithm_t algorithm) | 767 | gnutls_mac_algorithm_t algorithm) |
768 | { /* actually returns the priority */ | 768 | { /* actually returns the priority */ |
769 | unsigned int i; | 769 | unsigned int i; |
770 | for (i = 0; i < session->internals.priorities.mac.algorithms; i++) | 770 | for (i = 0; i < session->internals.priorities.mac.num_algorithms; i++) |
771 | { | 771 | { |
772 | if (session->internals.priorities.mac.priority[i] == algorithm) | 772 | if (session->internals.priorities.mac.priority[i] == algorithm) |
773 | return i; | 773 | return i; |
@@ -893,7 +893,7 @@ _gnutls_compression_priority (gnutls_session_t session, | |||
893 | gnutls_compression_method_t algorithm) | 893 | gnutls_compression_method_t algorithm) |
894 | { /* actually returns the priority */ | 894 | { /* actually returns the priority */ |
895 | unsigned int i; | 895 | unsigned int i; |
896 | for (i = 0; i < session->internals.priorities.compression.algorithms; i++) | 896 | for (i = 0; i < session->internals.priorities.compression.num_algorithms; i++) |
897 | { | 897 | { |
898 | if (session->internals.priorities.compression.priority[i] == algorithm) | 898 | if (session->internals.priorities.compression.priority[i] == algorithm) |
899 | return i; | 899 | return i; |
@@ -1040,7 +1040,7 @@ _gnutls_cipher_priority (gnutls_session_t session, | |||
1040 | gnutls_cipher_algorithm_t algorithm) | 1040 | gnutls_cipher_algorithm_t algorithm) |
1041 | { | 1041 | { |
1042 | unsigned int i; | 1042 | unsigned int i; |
1043 | for (i = 0; i < session->internals.priorities.cipher.algorithms; i++) | 1043 | for (i = 0; i < session->internals.priorities.cipher.num_algorithms; i++) |
1044 | { | 1044 | { |
1045 | if (session->internals.priorities.cipher.priority[i] == algorithm) | 1045 | if (session->internals.priorities.cipher.priority[i] == algorithm) |
1046 | return i; | 1046 | return i; |
@@ -1176,7 +1176,7 @@ _gnutls_kx_priority (gnutls_session_t session, | |||
1176 | gnutls_kx_algorithm_t algorithm) | 1176 | gnutls_kx_algorithm_t algorithm) |
1177 | { | 1177 | { |
1178 | unsigned int i; | 1178 | unsigned int i; |
1179 | for (i = 0; i < session->internals.priorities.kx.algorithms; i++) | 1179 | for (i = 0; i < session->internals.priorities.kx.num_algorithms; i++) |
1180 | { | 1180 | { |
1181 | if (session->internals.priorities.kx.priority[i] == algorithm) | 1181 | if (session->internals.priorities.kx.priority[i] == algorithm) |
1182 | return i; | 1182 | return i; |
@@ -1276,7 +1276,7 @@ _gnutls_version_priority (gnutls_session_t session, gnutls_protocol_t version) | |||
1276 | return -1; | 1276 | return -1; |
1277 | } | 1277 | } |
1278 | 1278 | ||
1279 | for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) | 1279 | for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) |
1280 | { | 1280 | { |
1281 | if (session->internals.priorities.protocol.priority[i] == version) | 1281 | if (session->internals.priorities.protocol.priority[i] == version) |
1282 | return i; | 1282 | return i; |
@@ -1294,7 +1294,7 @@ _gnutls_version_lowest (gnutls_session_t session) | |||
1294 | return MHD_GNUTLS_VERSION_UNKNOWN; | 1294 | return MHD_GNUTLS_VERSION_UNKNOWN; |
1295 | } | 1295 | } |
1296 | else | 1296 | else |
1297 | for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) | 1297 | for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) |
1298 | { | 1298 | { |
1299 | if (session->internals.priorities.protocol.priority[i] < min) | 1299 | if (session->internals.priorities.protocol.priority[i] < min) |
1300 | min = session->internals.priorities.protocol.priority[i]; | 1300 | min = session->internals.priorities.protocol.priority[i]; |
@@ -1316,7 +1316,7 @@ _gnutls_version_max (gnutls_session_t session) | |||
1316 | return MHD_GNUTLS_VERSION_UNKNOWN; | 1316 | return MHD_GNUTLS_VERSION_UNKNOWN; |
1317 | } | 1317 | } |
1318 | else | 1318 | else |
1319 | for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) | 1319 | for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) |
1320 | { | 1320 | { |
1321 | if (session->internals.priorities.protocol.priority[i] > max) | 1321 | if (session->internals.priorities.protocol.priority[i] > max) |
1322 | max = session->internals.priorities.protocol.priority[i]; | 1322 | max = session->internals.priorities.protocol.priority[i]; |
@@ -1886,7 +1886,7 @@ _gnutls_supported_ciphersuites (gnutls_session_t session, | |||
1886 | 1886 | ||
1887 | /* returns the TLS numbers of the compression methods we support | 1887 | /* returns the TLS numbers of the compression methods we support |
1888 | */ | 1888 | */ |
1889 | #define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.algorithms | 1889 | #define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.num_algorithms |
1890 | int | 1890 | int |
1891 | _gnutls_supported_compression_methods (gnutls_session_t session, | 1891 | _gnutls_supported_compression_methods (gnutls_session_t session, |
1892 | uint8_t ** comp) | 1892 | uint8_t ** comp) |
diff --git a/src/daemon/https/tls/gnutls_anon_cred.c b/src/daemon/https/tls/gnutls_anon_cred.c index 919315ef..fd0917f8 100644 --- a/src/daemon/https/tls/gnutls_anon_cred.c +++ b/src/daemon/https/tls/gnutls_anon_cred.c | |||
@@ -62,8 +62,9 @@ int | |||
62 | gnutls_anon_allocate_server_credentials (gnutls_anon_server_credentials_t * | 62 | gnutls_anon_allocate_server_credentials (gnutls_anon_server_credentials_t * |
63 | sc) | 63 | sc) |
64 | { | 64 | { |
65 | |||
66 | *sc = gnutls_calloc (1, sizeof (anon_server_credentials_st)); | 65 | *sc = gnutls_calloc (1, sizeof (anon_server_credentials_st)); |
66 | if (*sc == NULL) | ||
67 | return GNUTLS_E_MEMORY_ERROR; | ||
67 | 68 | ||
68 | return 0; | 69 | return 0; |
69 | } | 70 | } |
diff --git a/src/daemon/https/tls/gnutls_db.c b/src/daemon/https/tls/gnutls_db.c deleted file mode 100644 index 806961c1..00000000 --- a/src/daemon/https/tls/gnutls_db.c +++ /dev/null | |||
@@ -1,386 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation | ||
3 | * | ||
4 | * Author: Nikos Mavrogiannopoulos | ||
5 | * | ||
6 | * This file is part of GNUTLS. | ||
7 | * | ||
8 | * The GNUTLS library is free software; you can redistribute it and/or | ||
9 | * modify it under the terms of the GNU Lesser General Public License | ||
10 | * as published by the Free Software Foundation; either version 2.1 of | ||
11 | * the License, or (at your option) any later version. | ||
12 | * | ||
13 | * This library is distributed in the hope that it will be useful, but | ||
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
16 | * Lesser General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU Lesser General Public | ||
19 | * License along with this library; if not, write to the Free Software | ||
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, | ||
21 | * USA | ||
22 | * | ||
23 | */ | ||
24 | |||
25 | /* This file contains functions that manipulate a database backend | ||
26 | * for resumed sessions. | ||
27 | */ | ||
28 | |||
29 | #include "gnutls_int.h" | ||
30 | #include "gnutls_errors.h" | ||
31 | // #include "gnutls_session.h" | ||
32 | #include <gnutls_db.h> | ||
33 | #include "debug.h" | ||
34 | #include <gnutls_session_pack.h> | ||
35 | #include <gnutls_datum.h> | ||
36 | |||
37 | /** | ||
38 | * gnutls_db_set_retrieve_function - Sets the function that will be used to get data | ||
39 | * @session: is a #gnutls_session_t structure. | ||
40 | * @retr_func: is the function. | ||
41 | * | ||
42 | * Sets the function that will be used to retrieve data from the resumed | ||
43 | * sessions database. This function must return a gnutls_datum_t containing the | ||
44 | * data on success, or a gnutls_datum_t containing null and 0 on failure. | ||
45 | * | ||
46 | * The datum's data must be allocated using the function | ||
47 | * gnutls_malloc(). | ||
48 | * | ||
49 | * The first argument to retr_func() will be null unless gnutls_db_set_ptr() | ||
50 | * has been called. | ||
51 | * | ||
52 | **/ | ||
53 | void | ||
54 | gnutls_db_set_retrieve_function (gnutls_session_t session, | ||
55 | gnutls_db_retr_func retr_func) | ||
56 | { | ||
57 | session->internals.db_retrieve_func = retr_func; | ||
58 | } | ||
59 | |||
60 | /** | ||
61 | * gnutls_db_set_remove_function - Sets the function that will be used to remove data | ||
62 | * @session: is a #gnutls_session_t structure. | ||
63 | * @rem_func: is the function. | ||
64 | * | ||
65 | * Sets the function that will be used to remove data from the resumed | ||
66 | * sessions database. This function must return 0 on success. | ||
67 | * | ||
68 | * The first argument to rem_func() will be null unless gnutls_db_set_ptr() | ||
69 | * has been called. | ||
70 | * | ||
71 | **/ | ||
72 | void | ||
73 | gnutls_db_set_remove_function (gnutls_session_t session, | ||
74 | gnutls_db_remove_func rem_func) | ||
75 | { | ||
76 | session->internals.db_remove_func = rem_func; | ||
77 | } | ||
78 | |||
79 | /** | ||
80 | * gnutls_db_set_store_function - Sets the function that will be used to put data | ||
81 | * @session: is a #gnutls_session_t structure. | ||
82 | * @store_func: is the function | ||
83 | * | ||
84 | * Sets the function that will be used to store data from the resumed | ||
85 | * sessions database. This function must remove 0 on success. | ||
86 | * | ||
87 | * The first argument to store_func() will be null unless gnutls_db_set_ptr() | ||
88 | * has been called. | ||
89 | * | ||
90 | **/ | ||
91 | void | ||
92 | gnutls_db_set_store_function (gnutls_session_t session, | ||
93 | gnutls_db_store_func store_func) | ||
94 | { | ||
95 | session->internals.db_store_func = store_func; | ||
96 | } | ||
97 | |||
98 | /** | ||
99 | * gnutls_db_set_ptr - Sets a pointer to be sent to db functions | ||
100 | * @session: is a #gnutls_session_t structure. | ||
101 | * @ptr: is the pointer | ||
102 | * | ||
103 | * Sets the pointer that will be provided to db store, retrieve and delete functions, as | ||
104 | * the first argument. | ||
105 | * | ||
106 | **/ | ||
107 | void | ||
108 | gnutls_db_set_ptr (gnutls_session_t session, void *ptr) | ||
109 | { | ||
110 | session->internals.db_ptr = ptr; | ||
111 | } | ||
112 | |||
113 | /** | ||
114 | * gnutls_db_get_ptr - Returns the pointer which is sent to db functions | ||
115 | * @session: is a #gnutls_session_t structure. | ||
116 | * | ||
117 | * Returns the pointer that will be sent to db store, retrieve and delete functions, as | ||
118 | * the first argument. | ||
119 | * | ||
120 | **/ | ||
121 | void * | ||
122 | gnutls_db_get_ptr (gnutls_session_t session) | ||
123 | { | ||
124 | return session->internals.db_ptr; | ||
125 | } | ||
126 | |||
127 | /** | ||
128 | * gnutls_db_set_cache_expiration - Sets the expiration time for resumed sessions. | ||
129 | * @session: is a #gnutls_session_t structure. | ||
130 | * @seconds: is the number of seconds. | ||
131 | * | ||
132 | * Sets the expiration time for resumed sessions. The default is 3600 (one hour) | ||
133 | * at the time writing this. | ||
134 | **/ | ||
135 | void | ||
136 | gnutls_db_set_cache_expiration (gnutls_session_t session, int seconds) | ||
137 | { | ||
138 | session->internals.expire_time = seconds; | ||
139 | } | ||
140 | |||
141 | /** | ||
142 | * gnutls_db_check_entry - checks if the given db entry has expired | ||
143 | * @session: is a #gnutls_session_t structure. | ||
144 | * @session_entry: is the session data (not key) | ||
145 | * | ||
146 | * This function returns GNUTLS_E_EXPIRED, if the database entry | ||
147 | * has expired or 0 otherwise. This function is to be used when | ||
148 | * you want to clear unnesessary session which occupy space in your | ||
149 | * backend. | ||
150 | * | ||
151 | **/ | ||
152 | int | ||
153 | gnutls_db_check_entry (gnutls_session_t session, gnutls_datum_t session_entry) | ||
154 | { | ||
155 | time_t timestamp; | ||
156 | |||
157 | timestamp = time (0); | ||
158 | |||
159 | if (session_entry.data != NULL) | ||
160 | if (timestamp - | ||
161 | ((security_parameters_st *) (session_entry.data))->timestamp <= | ||
162 | session->internals.expire_time | ||
163 | || ((security_parameters_st *) (session_entry.data))-> | ||
164 | timestamp > timestamp | ||
165 | || ((security_parameters_st *) (session_entry.data))->timestamp == 0) | ||
166 | return GNUTLS_E_EXPIRED; | ||
167 | |||
168 | return 0; | ||
169 | } | ||
170 | |||
171 | /* The format of storing data is: | ||
172 | * (forget it). Check gnutls_session_pack.c | ||
173 | */ | ||
174 | int | ||
175 | _gnutls_server_register_current_session (gnutls_session_t session) | ||
176 | { | ||
177 | gnutls_datum_t key; | ||
178 | gnutls_datum_t content; | ||
179 | int ret = 0; | ||
180 | |||
181 | key.data = session->security_parameters.session_id; | ||
182 | key.size = session->security_parameters.session_id_size; | ||
183 | |||
184 | if (session->internals.resumable == RESUME_FALSE) | ||
185 | { | ||
186 | gnutls_assert (); | ||
187 | return GNUTLS_E_INVALID_SESSION; | ||
188 | } | ||
189 | |||
190 | if (session->security_parameters.session_id == NULL | ||
191 | || session->security_parameters.session_id_size == 0) | ||
192 | { | ||
193 | gnutls_assert (); | ||
194 | return GNUTLS_E_INVALID_SESSION; | ||
195 | } | ||
196 | |||
197 | /* copy data */ | ||
198 | ret = _gnutls_session_pack (session, &content); | ||
199 | if (ret < 0) | ||
200 | { | ||
201 | gnutls_assert (); | ||
202 | return ret; | ||
203 | } | ||
204 | |||
205 | ret = _gnutls_store_session (session, key, content); | ||
206 | _gnutls_free_datum (&content); | ||
207 | |||
208 | return ret; | ||
209 | } | ||
210 | |||
211 | /* Checks if both db_store and db_retrieve functions have | ||
212 | * been set up. | ||
213 | */ | ||
214 | static int | ||
215 | _gnutls_db_func_is_ok (gnutls_session_t session) | ||
216 | { | ||
217 | if (session->internals.db_store_func != NULL && | ||
218 | session->internals.db_retrieve_func != NULL && | ||
219 | session->internals.db_remove_func != NULL) | ||
220 | return 0; | ||
221 | else | ||
222 | return GNUTLS_E_DB_ERROR; | ||
223 | } | ||
224 | |||
225 | |||
226 | int | ||
227 | _gnutls_server_restore_session (gnutls_session_t session, | ||
228 | uint8_t * session_id, int session_id_size) | ||
229 | { | ||
230 | gnutls_datum_t data; | ||
231 | gnutls_datum_t key; | ||
232 | int ret; | ||
233 | |||
234 | key.data = session_id; | ||
235 | key.size = session_id_size; | ||
236 | |||
237 | if (_gnutls_db_func_is_ok (session) != 0) | ||
238 | { | ||
239 | gnutls_assert (); | ||
240 | return GNUTLS_E_INVALID_SESSION; | ||
241 | } | ||
242 | |||
243 | data = _gnutls_retrieve_session (session, key); | ||
244 | |||
245 | if (data.data == NULL) | ||
246 | { | ||
247 | gnutls_assert (); | ||
248 | return GNUTLS_E_INVALID_SESSION; | ||
249 | } | ||
250 | |||
251 | /* expiration check is performed inside */ | ||
252 | ret = gnutls_session_set_data (session, data.data, data.size); | ||
253 | if (ret < 0) | ||
254 | { | ||
255 | gnutls_assert (); | ||
256 | return ret; | ||
257 | } | ||
258 | |||
259 | gnutls_free (data.data); | ||
260 | |||
261 | return 0; | ||
262 | } | ||
263 | |||
264 | int | ||
265 | _gnutls_db_remove_session (gnutls_session_t session, uint8_t * session_id, | ||
266 | int session_id_size) | ||
267 | { | ||
268 | gnutls_datum_t key; | ||
269 | |||
270 | key.data = session_id; | ||
271 | key.size = session_id_size; | ||
272 | |||
273 | return _gnutls_remove_session (session, key); | ||
274 | } | ||
275 | |||
276 | |||
277 | /* Stores session data to the db backend. | ||
278 | */ | ||
279 | int | ||
280 | _gnutls_store_session (gnutls_session_t session, | ||
281 | gnutls_datum_t session_id, gnutls_datum_t session_data) | ||
282 | { | ||
283 | int ret = 0; | ||
284 | |||
285 | if (session->internals.resumable == RESUME_FALSE) | ||
286 | { | ||
287 | gnutls_assert (); | ||
288 | return GNUTLS_E_INVALID_SESSION; | ||
289 | } | ||
290 | |||
291 | if (_gnutls_db_func_is_ok (session) != 0) | ||
292 | { | ||
293 | return GNUTLS_E_DB_ERROR; | ||
294 | } | ||
295 | |||
296 | if (session_id.data == NULL || session_id.size == 0) | ||
297 | { | ||
298 | gnutls_assert (); | ||
299 | return GNUTLS_E_INVALID_SESSION; | ||
300 | } | ||
301 | |||
302 | if (session_data.data == NULL || session_data.size == 0) | ||
303 | { | ||
304 | gnutls_assert (); | ||
305 | return GNUTLS_E_INVALID_SESSION; | ||
306 | } | ||
307 | /* if we can't read why bother writing? */ | ||
308 | |||
309 | if (session->internals.db_store_func != NULL) | ||
310 | ret = | ||
311 | session->internals.db_store_func (session->internals.db_ptr, | ||
312 | session_id, session_data); | ||
313 | |||
314 | return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); | ||
315 | |||
316 | } | ||
317 | |||
318 | /* Retrieves session data from the db backend. | ||
319 | */ | ||
320 | gnutls_datum_t | ||
321 | _gnutls_retrieve_session (gnutls_session_t session, gnutls_datum_t session_id) | ||
322 | { | ||
323 | gnutls_datum_t ret = { NULL, 0 }; | ||
324 | |||
325 | if (session_id.data == NULL || session_id.size == 0) | ||
326 | { | ||
327 | gnutls_assert (); | ||
328 | return ret; | ||
329 | } | ||
330 | |||
331 | if (session->internals.db_retrieve_func != NULL) | ||
332 | ret = | ||
333 | session->internals.db_retrieve_func (session->internals.db_ptr, | ||
334 | session_id); | ||
335 | |||
336 | return ret; | ||
337 | |||
338 | } | ||
339 | |||
340 | /* Removes session data from the db backend. | ||
341 | */ | ||
342 | int | ||
343 | _gnutls_remove_session (gnutls_session_t session, gnutls_datum_t session_id) | ||
344 | { | ||
345 | int ret = 0; | ||
346 | |||
347 | if (_gnutls_db_func_is_ok (session) != 0) | ||
348 | { | ||
349 | return GNUTLS_E_DB_ERROR; | ||
350 | } | ||
351 | |||
352 | if (session_id.data == NULL || session_id.size == 0) | ||
353 | return GNUTLS_E_INVALID_SESSION; | ||
354 | |||
355 | /* if we can't read why bother writing? */ | ||
356 | if (session->internals.db_remove_func != NULL) | ||
357 | ret = | ||
358 | session->internals.db_remove_func (session->internals.db_ptr, | ||
359 | session_id); | ||
360 | |||
361 | return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); | ||
362 | |||
363 | } | ||
364 | |||
365 | /** | ||
366 | * gnutls_db_remove_session - This function will remove the current session data from the database | ||
367 | * @session: is a #gnutls_session_t structure. | ||
368 | * | ||
369 | * This function will remove the current session data from the session | ||
370 | * database. This will prevent future handshakes reusing these session | ||
371 | * data. This function should be called if a session was terminated | ||
372 | * abnormally, and before gnutls_deinit() is called. | ||
373 | * | ||
374 | * Normally gnutls_deinit() will remove abnormally terminated sessions. | ||
375 | * | ||
376 | **/ | ||
377 | void | ||
378 | gnutls_db_remove_session (gnutls_session_t session) | ||
379 | { | ||
380 | /* if the session has failed abnormally it has | ||
381 | * to be removed from the db | ||
382 | */ | ||
383 | _gnutls_db_remove_session (session, | ||
384 | session->security_parameters.session_id, | ||
385 | session->security_parameters.session_id_size); | ||
386 | } | ||
diff --git a/src/daemon/https/tls/gnutls_db.h b/src/daemon/https/tls/gnutls_db.h deleted file mode 100644 index 9adece4e..00000000 --- a/src/daemon/https/tls/gnutls_db.h +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation | ||
3 | * | ||
4 | * Author: Nikos Mavrogiannopoulos | ||
5 | * | ||
6 | * This file is part of GNUTLS. | ||
7 | * | ||
8 | * The GNUTLS library is free software; you can redistribute it and/or | ||
9 | * modify it under the terms of the GNU Lesser General Public License | ||
10 | * as published by the Free Software Foundation; either version 2.1 of | ||
11 | * the License, or (at your option) any later version. | ||
12 | * | ||
13 | * This library is distributed in the hope that it will be useful, but | ||
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
16 | * Lesser General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU Lesser General Public | ||
19 | * License along with this library; if not, write to the Free Software | ||
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, | ||
21 | * USA | ||
22 | * | ||
23 | */ | ||
24 | |||
25 | int _gnutls_server_register_current_session (gnutls_session_t session); | ||
26 | int _gnutls_server_restore_session (gnutls_session_t session, | ||
27 | uint8_t * session_id, | ||
28 | int session_id_size); | ||
29 | int _gnutls_db_remove_session (gnutls_session_t session, uint8_t * session_id, | ||
30 | int session_id_size); | ||
31 | int _gnutls_store_session (gnutls_session_t session, | ||
32 | gnutls_datum_t session_id, | ||
33 | gnutls_datum_t session_data); | ||
34 | gnutls_datum_t _gnutls_retrieve_session (gnutls_session_t session, | ||
35 | gnutls_datum_t session_id); | ||
36 | int _gnutls_remove_session (gnutls_session_t session, | ||
37 | gnutls_datum_t session_id); | ||
diff --git a/src/daemon/https/tls/gnutls_handshake.c b/src/daemon/https/tls/gnutls_handshake.c index b304bdcb..5f56822e 100644 --- a/src/daemon/https/tls/gnutls_handshake.c +++ b/src/daemon/https/tls/gnutls_handshake.c | |||
@@ -37,7 +37,6 @@ | |||
37 | #include "gnutls_handshake.h" | 37 | #include "gnutls_handshake.h" |
38 | #include "gnutls_num.h" | 38 | #include "gnutls_num.h" |
39 | #include "gnutls_hash_int.h" | 39 | #include "gnutls_hash_int.h" |
40 | #include "gnutls_db.h" | ||
41 | #include "gnutls_extensions.h" | 40 | #include "gnutls_extensions.h" |
42 | #include "gnutls_supplemental.h" | 41 | #include "gnutls_supplemental.h" |
43 | #include "gnutls_auth_int.h" | 42 | #include "gnutls_auth_int.h" |
@@ -338,7 +337,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, | |||
338 | int datalen) | 337 | int datalen) |
339 | { | 338 | { |
340 | uint8_t session_id_len; | 339 | uint8_t session_id_len; |
341 | int pos = 0, ret; | 340 | int pos = 0, ret = 0; |
342 | uint16_t suite_size, comp_size; | 341 | uint16_t suite_size, comp_size; |
343 | gnutls_protocol_t adv_version; | 342 | gnutls_protocol_t adv_version; |
344 | int neg_version; | 343 | int neg_version; |
@@ -383,10 +382,10 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, | |||
383 | } | 382 | } |
384 | DECR_LEN (len, session_id_len); | 383 | DECR_LEN (len, session_id_len); |
385 | 384 | ||
386 | ret = _gnutls_server_restore_session (session, &data[pos], session_id_len); | ||
387 | pos += session_id_len; | 385 | pos += session_id_len; |
388 | 386 | ||
389 | if (ret == 0) | 387 | /* TODO rm if support for resumed sessions won't be supported */ |
388 | if (0) | ||
390 | { /* resumed! */ | 389 | { /* resumed! */ |
391 | resume_copy_required_values (session); | 390 | resume_copy_required_values (session); |
392 | session->internals.resumed = RESUME_TRUE; | 391 | session->internals.resumed = RESUME_TRUE; |
@@ -2647,12 +2646,6 @@ _gnutls_handshake_common (gnutls_session_t session) | |||
2647 | IMED_RET ("recv handshake final 2", ret); | 2646 | IMED_RET ("recv handshake final 2", ret); |
2648 | } | 2647 | } |
2649 | 2648 | ||
2650 | if (session->security_parameters.entity == GNUTLS_SERVER) | ||
2651 | { | ||
2652 | /* in order to support session resuming */ | ||
2653 | _gnutls_server_register_current_session (session); | ||
2654 | } | ||
2655 | |||
2656 | /* clear handshake buffer */ | 2649 | /* clear handshake buffer */ |
2657 | _gnutls_handshake_hash_buffers_clear (session); | 2650 | _gnutls_handshake_hash_buffers_clear (session); |
2658 | return ret; | 2651 | return ret; |
diff --git a/src/daemon/https/tls/gnutls_int.h b/src/daemon/https/tls/gnutls_int.h index 5d30ac58..7791b554 100644 --- a/src/daemon/https/tls/gnutls_int.h +++ b/src/daemon/https/tls/gnutls_int.h | |||
@@ -380,7 +380,7 @@ typedef struct | |||
380 | typedef struct | 380 | typedef struct |
381 | { | 381 | { |
382 | unsigned int priority[MAX_ALGOS]; | 382 | unsigned int priority[MAX_ALGOS]; |
383 | unsigned int algorithms; | 383 | unsigned int num_algorithms; |
384 | } priority_st; | 384 | } priority_st; |
385 | 385 | ||
386 | /* For the external api */ | 386 | /* For the external api */ |
@@ -391,6 +391,8 @@ struct gnutls_priority_st | |||
391 | priority_st kx; | 391 | priority_st kx; |
392 | priority_st compression; | 392 | priority_st compression; |
393 | priority_st protocol; | 393 | priority_st protocol; |
394 | |||
395 | /* certificate type : x509, OpenPGP, etc. */ | ||
394 | priority_st cert_type; | 396 | priority_st cert_type; |
395 | 397 | ||
396 | /* to disable record padding */ | 398 | /* to disable record padding */ |
diff --git a/src/daemon/https/tls/gnutls_priority.c b/src/daemon/https/tls/gnutls_priority.c index 0dfb27e3..cea6446b 100644 --- a/src/daemon/https/tls/gnutls_priority.c +++ b/src/daemon/https/tls/gnutls_priority.c | |||
@@ -56,7 +56,7 @@ gnutls_cipher_set_priority (gnutls_session_t session, const int *list) | |||
56 | num++; | 56 | num++; |
57 | if (num > MAX_ALGOS) | 57 | if (num > MAX_ALGOS) |
58 | num = MAX_ALGOS; | 58 | num = MAX_ALGOS; |
59 | session->internals.priorities.cipher.algorithms = num; | 59 | session->internals.priorities.cipher.num_algorithms = num; |
60 | 60 | ||
61 | for (i = 0; i < num; i++) | 61 | for (i = 0; i < num; i++) |
62 | { | 62 | { |
@@ -75,7 +75,7 @@ _set_priority (priority_st * st, const int *list) | |||
75 | num++; | 75 | num++; |
76 | if (num > MAX_ALGOS) | 76 | if (num > MAX_ALGOS) |
77 | num = MAX_ALGOS; | 77 | num = MAX_ALGOS; |
78 | st->algorithms = num; | 78 | st->num_algorithms = num; |
79 | 79 | ||
80 | for (i = 0; i < num; i++) | 80 | for (i = 0; i < num; i++) |
81 | { | 81 | { |
diff --git a/src/daemon/https/tls/gnutls_record.c b/src/daemon/https/tls/gnutls_record.c index e52cf922..68c83330 100644 --- a/src/daemon/https/tls/gnutls_record.c +++ b/src/daemon/https/tls/gnutls_record.c | |||
@@ -35,7 +35,6 @@ | |||
35 | #include "gnutls_hash_int.h" | 35 | #include "gnutls_hash_int.h" |
36 | #include "gnutls_cipher_int.h" | 36 | #include "gnutls_cipher_int.h" |
37 | #include "gnutls_algorithms.h" | 37 | #include "gnutls_algorithms.h" |
38 | #include "gnutls_db.h" | ||
39 | #include "gnutls_auth_int.h" | 38 | #include "gnutls_auth_int.h" |
40 | #include "gnutls_num.h" | 39 | #include "gnutls_num.h" |
41 | #include "gnutls_record.h" | 40 | #include "gnutls_record.h" |
@@ -289,7 +288,7 @@ session_is_valid (gnutls_session_t session) | |||
289 | return 0; | 288 | return 0; |
290 | } | 289 | } |
291 | 290 | ||
292 | /* Copies the record version into the headers. The | 291 | /* Copies the record version into the headers. The |
293 | * version must have 2 bytes at least. | 292 | * version must have 2 bytes at least. |
294 | */ | 293 | */ |
295 | inline static void | 294 | inline static void |
@@ -316,7 +315,7 @@ copy_record_version (gnutls_session_t session, | |||
316 | /* This function behaves exactly like write(). The only difference is | 315 | /* This function behaves exactly like write(). The only difference is |
317 | * that it accepts, the gnutls_session_t and the content_type_t of data to | 316 | * that it accepts, the gnutls_session_t and the content_type_t of data to |
318 | * send (if called by the user the Content is specific) | 317 | * send (if called by the user the Content is specific) |
319 | * It is intended to transfer data, under the current session. | 318 | * It is intended to transfer data, under the current session. |
320 | * | 319 | * |
321 | * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE. | 320 | * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE. |
322 | * This makes the function much easier to read, and more error resistant | 321 | * This makes the function much easier to read, and more error resistant |
@@ -376,7 +375,7 @@ _gnutls_send_int (gnutls_session_t session, | |||
376 | else | 375 | else |
377 | data2send_size = sizeofdata; | 376 | data2send_size = sizeofdata; |
378 | 377 | ||
379 | /* Only encrypt if we don't have data to send | 378 | /* Only encrypt if we don't have data to send |
380 | * from the previous run. - probably interrupted. | 379 | * from the previous run. - probably interrupted. |
381 | */ | 380 | */ |
382 | if (session->internals.record_send_buffer.length > 0) | 381 | if (session->internals.record_send_buffer.length > 0) |
@@ -469,7 +468,7 @@ _gnutls_send_int (gnutls_session_t session, | |||
469 | return retval; | 468 | return retval; |
470 | } | 469 | } |
471 | 470 | ||
472 | /* This function is to be called if the handshake was successfully | 471 | /* This function is to be called if the handshake was successfully |
473 | * completed. This sends a Change Cipher Spec packet to the peer. | 472 | * completed. This sends a Change Cipher Spec packet to the peer. |
474 | */ | 473 | */ |
475 | ssize_t | 474 | ssize_t |
@@ -556,8 +555,8 @@ record_check_headers (gnutls_session_t session, | |||
556 | uint16_t * length, uint16_t * header_size) | 555 | uint16_t * length, uint16_t * header_size) |
557 | { | 556 | { |
558 | 557 | ||
559 | /* Read the first two bytes to determine if this is a | 558 | /* Read the first two bytes to determine if this is a |
560 | * version 2 message | 559 | * version 2 message |
561 | */ | 560 | */ |
562 | 561 | ||
563 | if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE | 562 | if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE |
@@ -565,7 +564,7 @@ record_check_headers (gnutls_session_t session, | |||
565 | { | 564 | { |
566 | 565 | ||
567 | /* if msb set and expecting handshake message | 566 | /* if msb set and expecting handshake message |
568 | * it should be SSL 2 hello | 567 | * it should be SSL 2 hello |
569 | */ | 568 | */ |
570 | version[0] = 3; /* assume SSL 3.0 */ | 569 | version[0] = 3; /* assume SSL 3.0 */ |
571 | version[1] = 0; | 570 | version[1] = 0; |
@@ -593,7 +592,7 @@ record_check_headers (gnutls_session_t session, | |||
593 | version[0] = headers[1]; | 592 | version[0] = headers[1]; |
594 | version[1] = headers[2]; | 593 | version[1] = headers[2]; |
595 | 594 | ||
596 | /* No DECR_LEN, since headers has enough size. | 595 | /* No DECR_LEN, since headers has enough size. |
597 | */ | 596 | */ |
598 | *length = _gnutls_read_uint16 (&headers[3]); | 597 | *length = _gnutls_read_uint16 (&headers[3]); |
599 | } | 598 | } |
@@ -676,7 +675,7 @@ record_check_type (gnutls_session_t session, | |||
676 | */ | 675 | */ |
677 | if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) | 676 | if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) |
678 | { | 677 | { |
679 | /* If we have been expecting for an alert do | 678 | /* If we have been expecting for an alert do |
680 | */ | 679 | */ |
681 | session->internals.read_eof = 1; | 680 | session->internals.read_eof = 1; |
682 | return GNUTLS_E_INT_RET_0; /* EOF */ | 681 | return GNUTLS_E_INT_RET_0; /* EOF */ |
@@ -911,7 +910,7 @@ begin: | |||
911 | } | 910 | } |
912 | 911 | ||
913 | /* Here we check if the Type of the received packet is | 912 | /* Here we check if the Type of the received packet is |
914 | * ok. | 913 | * ok. |
915 | */ | 914 | */ |
916 | if ((ret = check_recv_type (recv_type)) < 0) | 915 | if ((ret = check_recv_type (recv_type)) < 0) |
917 | { | 916 | { |
@@ -952,7 +951,7 @@ begin: | |||
952 | return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; | 951 | return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; |
953 | } | 952 | } |
954 | 953 | ||
955 | /* check if we have that data into buffer. | 954 | /* check if we have that data into buffer. |
956 | */ | 955 | */ |
957 | if ((ret = _gnutls_io_read_buffered (session, &recv_data, | 956 | if ((ret = _gnutls_io_read_buffered (session, &recv_data, |
958 | header_size + length, recv_type)) | 957 | header_size + length, recv_type)) |
@@ -1017,7 +1016,7 @@ begin: | |||
1017 | read_sequence_number), | 1016 | read_sequence_number), |
1018 | _gnutls_packet2str (recv_type), recv_type, decrypted_length); | 1017 | _gnutls_packet2str (recv_type), recv_type, decrypted_length); |
1019 | 1018 | ||
1020 | /* increase sequence number | 1019 | /* increase sequence number |
1021 | */ | 1020 | */ |
1022 | if (_gnutls_uint64pp (&session->connection_state.read_sequence_number) != 0) | 1021 | if (_gnutls_uint64pp (&session->connection_state.read_sequence_number) != 0) |
1023 | { | 1022 | { |
@@ -1037,7 +1036,7 @@ begin: | |||
1037 | return ret; | 1036 | return ret; |
1038 | } | 1037 | } |
1039 | 1038 | ||
1040 | /* Get Application data from buffer | 1039 | /* Get Application data from buffer |
1041 | */ | 1040 | */ |
1042 | if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type | 1041 | if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type |
1043 | == GNUTLS_HANDSHAKE | 1042 | == GNUTLS_HANDSHAKE |
@@ -1051,7 +1050,7 @@ begin: | |||
1051 | return ret; | 1050 | return ret; |
1052 | } | 1051 | } |
1053 | 1052 | ||
1054 | /* if the buffer just got empty | 1053 | /* if the buffer just got empty |
1055 | */ | 1054 | */ |
1056 | if (_gnutls_record_buffer_get_size (type, session) == 0) | 1055 | if (_gnutls_record_buffer_get_size (type, session) == 0) |
1057 | { | 1056 | { |
@@ -1066,11 +1065,11 @@ begin: | |||
1066 | { | 1065 | { |
1067 | gnutls_assert (); | 1066 | gnutls_assert (); |
1068 | return GNUTLS_E_UNEXPECTED_PACKET; | 1067 | return GNUTLS_E_UNEXPECTED_PACKET; |
1069 | /* we didn't get what we wanted to | 1068 | /* we didn't get what we wanted to |
1070 | */ | 1069 | */ |
1071 | } | 1070 | } |
1072 | 1071 | ||
1073 | /* (originally for) TLS 1.0 CBC protection. | 1072 | /* (originally for) TLS 1.0 CBC protection. |
1074 | * Actually this code is called if we just received | 1073 | * Actually this code is called if we just received |
1075 | * an empty packet. An empty TLS packet is usually | 1074 | * an empty packet. An empty TLS packet is usually |
1076 | * sent to protect some vulnerabilities in the CBC mode. | 1075 | * sent to protect some vulnerabilities in the CBC mode. |
diff --git a/src/daemon/https/tls/gnutls_session.c b/src/daemon/https/tls/gnutls_session.c index 541cc699..fb9b5e80 100644 --- a/src/daemon/https/tls/gnutls_session.c +++ b/src/daemon/https/tls/gnutls_session.c | |||
@@ -24,7 +24,7 @@ | |||
24 | #include "gnutls_int.h" | 24 | #include "gnutls_int.h" |
25 | #include "gnutls_errors.h" | 25 | #include "gnutls_errors.h" |
26 | #include "debug.h" | 26 | #include "debug.h" |
27 | #include <gnutls_session_pack.h> | 27 | #include "gnutls_session_pack.h" |
28 | #include <gnutls_datum.h> | 28 | #include <gnutls_datum.h> |
29 | 29 | ||
30 | /** | 30 | /** |
@@ -123,10 +123,10 @@ gnutls_session_get_data2 (gnutls_session_t session, gnutls_datum_t * data) | |||
123 | * | 123 | * |
124 | * Returns the current session id. This can be used if you want to check if | 124 | * Returns the current session id. This can be used if you want to check if |
125 | * the next session you tried to resume was actually resumed. | 125 | * the next session you tried to resume was actually resumed. |
126 | * This is because resumed sessions have the same sessionID with the | 126 | * This is because resumed sessions have the same sessionID with the |
127 | * original session. | 127 | * original session. |
128 | * | 128 | * |
129 | * Session id is some data set by the server, that identify the current session. | 129 | * Session id is some data set by the server, that identify the current session. |
130 | * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. | 130 | * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. |
131 | * | 131 | * |
132 | * Returns zero on success. | 132 | * Returns zero on success. |
diff --git a/src/daemon/https/tls/gnutls_session_pack.c b/src/daemon/https/tls/gnutls_session_pack.c index ed4945b6..3e549c4c 100644 --- a/src/daemon/https/tls/gnutls_session_pack.c +++ b/src/daemon/https/tls/gnutls_session_pack.c | |||
@@ -54,6 +54,169 @@ static int unpack_security_parameters (gnutls_session_t session, | |||
54 | static int pack_security_parameters (gnutls_session_t session, | 54 | static int pack_security_parameters (gnutls_session_t session, |
55 | gnutls_datum_t * packed_session); | 55 | gnutls_datum_t * packed_session); |
56 | 56 | ||
57 | /* Packs the ANON session authentication data. */ | ||
58 | #ifdef ENABLE_ANON | ||
59 | |||
60 | /* Format: | ||
61 | * 1 byte the credentials type | ||
62 | * 4 bytes the size of the whole structure | ||
63 | * 2 bytes the size of secret key in bits | ||
64 | * 4 bytes the size of the prime | ||
65 | * x bytes the prime | ||
66 | * 4 bytes the size of the generator | ||
67 | * x bytes the generator | ||
68 | * 4 bytes the size of the public key | ||
69 | * x bytes the public key | ||
70 | */ | ||
71 | static int | ||
72 | pack_anon_auth_info (gnutls_session_t session, gnutls_datum_t * packed_session) | ||
73 | { | ||
74 | anon_auth_info_t info = _gnutls_get_auth_info (session); | ||
75 | int pos = 0; | ||
76 | size_t pack_size; | ||
77 | |||
78 | if (info) | ||
79 | pack_size = 2 + 4 * 3 + info->dh.prime.size + | ||
80 | info->dh.generator.size + info->dh.public_key.size; | ||
81 | else | ||
82 | pack_size = 0; | ||
83 | |||
84 | packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32_t); | ||
85 | |||
86 | /* calculate the size and allocate the data. | ||
87 | */ | ||
88 | packed_session->data = | ||
89 | gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); | ||
90 | |||
91 | if (packed_session->data == NULL) | ||
92 | { | ||
93 | gnutls_assert (); | ||
94 | return GNUTLS_E_MEMORY_ERROR; | ||
95 | } | ||
96 | |||
97 | packed_session->data[0] = MHD_GNUTLS_CRD_ANON; | ||
98 | _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); | ||
99 | pos += 4 + PACK_HEADER_SIZE; | ||
100 | |||
101 | if (pack_size > 0) | ||
102 | { | ||
103 | _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]); | ||
104 | pos += 2; | ||
105 | |||
106 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime); | ||
107 | pos += 4 + info->dh.prime.size; | ||
108 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator); | ||
109 | pos += 4 + info->dh.generator.size; | ||
110 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key); | ||
111 | pos += 4 + info->dh.public_key.size; | ||
112 | |||
113 | } | ||
114 | |||
115 | return 0; | ||
116 | } | ||
117 | |||
118 | /* Format: | ||
119 | * 1 byte the credentials type | ||
120 | * 4 bytes the size of the whole structure | ||
121 | * 2 bytes the size of secret key in bits | ||
122 | * 4 bytes the size of the prime | ||
123 | * x bytes the prime | ||
124 | * 4 bytes the size of the generator | ||
125 | * x bytes the generator | ||
126 | * 4 bytes the size of the public key | ||
127 | * x bytes the public key | ||
128 | */ | ||
129 | static int | ||
130 | unpack_anon_auth_info (gnutls_session_t session, | ||
131 | const gnutls_datum_t * packed_session) | ||
132 | { | ||
133 | size_t pack_size; | ||
134 | int pos = 0, size, ret; | ||
135 | anon_auth_info_t info; | ||
136 | |||
137 | if (packed_session->data[0] != MHD_GNUTLS_CRD_ANON) | ||
138 | { | ||
139 | gnutls_assert (); | ||
140 | return GNUTLS_E_INVALID_REQUEST; | ||
141 | } | ||
142 | |||
143 | pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); | ||
144 | pos += PACK_HEADER_SIZE + 4; | ||
145 | |||
146 | |||
147 | if (pack_size == 0) | ||
148 | return 0; /* nothing to be done */ | ||
149 | |||
150 | /* a simple check for integrity */ | ||
151 | if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) | ||
152 | { | ||
153 | gnutls_assert (); | ||
154 | return GNUTLS_E_INVALID_REQUEST; | ||
155 | } | ||
156 | |||
157 | /* client and serer have the same auth_info here | ||
158 | */ | ||
159 | ret = | ||
160 | _gnutls_auth_info_set (session, MHD_GNUTLS_CRD_ANON, | ||
161 | sizeof (anon_auth_info_st), 1); | ||
162 | if (ret < 0) | ||
163 | { | ||
164 | gnutls_assert (); | ||
165 | return ret; | ||
166 | } | ||
167 | |||
168 | info = _gnutls_get_auth_info (session); | ||
169 | if (info == NULL) | ||
170 | { | ||
171 | gnutls_assert (); | ||
172 | return GNUTLS_E_INTERNAL_ERROR; | ||
173 | } | ||
174 | |||
175 | info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]); | ||
176 | pos += 2; | ||
177 | |||
178 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
179 | pos += 4; | ||
180 | ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size); | ||
181 | if (ret < 0) | ||
182 | { | ||
183 | gnutls_assert (); | ||
184 | goto error; | ||
185 | } | ||
186 | pos += size; | ||
187 | |||
188 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
189 | pos += 4; | ||
190 | ret = | ||
191 | _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size); | ||
192 | if (ret < 0) | ||
193 | { | ||
194 | gnutls_assert (); | ||
195 | goto error; | ||
196 | } | ||
197 | pos += size; | ||
198 | |||
199 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
200 | pos += 4; | ||
201 | ret = | ||
202 | _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos], | ||
203 | size); | ||
204 | if (ret < 0) | ||
205 | { | ||
206 | gnutls_assert (); | ||
207 | goto error; | ||
208 | } | ||
209 | pos += size; | ||
210 | |||
211 | return 0; | ||
212 | |||
213 | error: | ||
214 | _gnutls_free_datum (&info->dh.prime); | ||
215 | _gnutls_free_datum (&info->dh.generator); | ||
216 | _gnutls_free_datum (&info->dh.public_key); | ||
217 | return ret; | ||
218 | } | ||
219 | #endif /* ANON */ | ||
57 | 220 | ||
58 | /* Since auth_info structures contain malloced data, this function | 221 | /* Since auth_info structures contain malloced data, this function |
59 | * is required in order to pack these structures in a vector in | 222 | * is required in order to pack these structures in a vector in |
@@ -121,7 +284,7 @@ _gnutls_session_pack (gnutls_session_t session, | |||
121 | 284 | ||
122 | } | 285 | } |
123 | 286 | ||
124 | /* Auth_info structures copied. Now copy security_parameters_st. | 287 | /* Auth_info structures copied. Now copy security_parameters_st. |
125 | * packed_session must have allocated space for the security parameters. | 288 | * packed_session must have allocated space for the security parameters. |
126 | */ | 289 | */ |
127 | ret = pack_security_parameters (session, packed_session); | 290 | ret = pack_security_parameters (session, packed_session); |
@@ -201,7 +364,7 @@ _gnutls_session_unpack (gnutls_session_t session, | |||
201 | 364 | ||
202 | } | 365 | } |
203 | 366 | ||
204 | /* Auth_info structures copied. Now copy security_parameters_st. | 367 | /* Auth_info structures copied. Now copy security_parameters_st. |
205 | * packed_session must have allocated space for the security parameters. | 368 | * packed_session must have allocated space for the security parameters. |
206 | */ | 369 | */ |
207 | ret = unpack_security_parameters (session, packed_session); | 370 | ret = unpack_security_parameters (session, packed_session); |
@@ -477,7 +640,7 @@ error: | |||
477 | /* Packs the SRP session authentication data. | 640 | /* Packs the SRP session authentication data. |
478 | */ | 641 | */ |
479 | 642 | ||
480 | /* Format: | 643 | /* Format: |
481 | * 1 byte the credentials type | 644 | * 1 byte the credentials type |
482 | * 4 bytes the size of the SRP username (x) | 645 | * 4 bytes the size of the SRP username (x) |
483 | * x bytes the SRP username | 646 | * x bytes the SRP username |
@@ -569,167 +732,12 @@ unpack_srp_auth_info (gnutls_session_t session, | |||
569 | #endif | 732 | #endif |
570 | 733 | ||
571 | 734 | ||
572 | #ifdef ENABLE_ANON | ||
573 | /* Packs the ANON session authentication data. | ||
574 | */ | ||
575 | |||
576 | /* Format: | ||
577 | * 1 byte the credentials type | ||
578 | * 4 bytes the size of the whole structure | ||
579 | * 2 bytes the size of secret key in bits | ||
580 | * 4 bytes the size of the prime | ||
581 | * x bytes the prime | ||
582 | * 4 bytes the size of the generator | ||
583 | * x bytes the generator | ||
584 | * 4 bytes the size of the public key | ||
585 | * x bytes the public key | ||
586 | */ | ||
587 | static int | ||
588 | pack_anon_auth_info (gnutls_session_t session, | ||
589 | gnutls_datum_t * packed_session) | ||
590 | { | ||
591 | anon_auth_info_t info = _gnutls_get_auth_info (session); | ||
592 | int pos = 0; | ||
593 | size_t pack_size; | ||
594 | |||
595 | if (info) | ||
596 | pack_size = 2 + 4 * 3 + info->dh.prime.size + | ||
597 | info->dh.generator.size + info->dh.public_key.size; | ||
598 | else | ||
599 | pack_size = 0; | ||
600 | |||
601 | packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32_t); | ||
602 | |||
603 | /* calculate the size and allocate the data. | ||
604 | */ | ||
605 | packed_session->data = | ||
606 | gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); | ||
607 | |||
608 | if (packed_session->data == NULL) | ||
609 | { | ||
610 | gnutls_assert (); | ||
611 | return GNUTLS_E_MEMORY_ERROR; | ||
612 | } | ||
613 | |||
614 | packed_session->data[0] = MHD_GNUTLS_CRD_ANON; | ||
615 | _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); | ||
616 | pos += 4 + PACK_HEADER_SIZE; | ||
617 | |||
618 | if (pack_size > 0) | ||
619 | { | ||
620 | _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]); | ||
621 | pos += 2; | ||
622 | |||
623 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime); | ||
624 | pos += 4 + info->dh.prime.size; | ||
625 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator); | ||
626 | pos += 4 + info->dh.generator.size; | ||
627 | _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key); | ||
628 | pos += 4 + info->dh.public_key.size; | ||
629 | |||
630 | } | ||
631 | |||
632 | return 0; | ||
633 | } | ||
634 | |||
635 | |||
636 | static int | ||
637 | unpack_anon_auth_info (gnutls_session_t session, | ||
638 | const gnutls_datum_t * packed_session) | ||
639 | { | ||
640 | size_t pack_size; | ||
641 | int pos = 0, size, ret; | ||
642 | anon_auth_info_t info; | ||
643 | |||
644 | if (packed_session->data[0] != MHD_GNUTLS_CRD_ANON) | ||
645 | { | ||
646 | gnutls_assert (); | ||
647 | return GNUTLS_E_INVALID_REQUEST; | ||
648 | } | ||
649 | |||
650 | pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); | ||
651 | pos += PACK_HEADER_SIZE + 4; | ||
652 | |||
653 | |||
654 | if (pack_size == 0) | ||
655 | return 0; /* nothing to be done */ | ||
656 | |||
657 | /* a simple check for integrity */ | ||
658 | if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) | ||
659 | { | ||
660 | gnutls_assert (); | ||
661 | return GNUTLS_E_INVALID_REQUEST; | ||
662 | } | ||
663 | |||
664 | /* client and serer have the same auth_info here | ||
665 | */ | ||
666 | ret = | ||
667 | _gnutls_auth_info_set (session, MHD_GNUTLS_CRD_ANON, | ||
668 | sizeof (anon_auth_info_st), 1); | ||
669 | if (ret < 0) | ||
670 | { | ||
671 | gnutls_assert (); | ||
672 | return ret; | ||
673 | } | ||
674 | |||
675 | info = _gnutls_get_auth_info (session); | ||
676 | if (info == NULL) | ||
677 | { | ||
678 | gnutls_assert (); | ||
679 | return GNUTLS_E_INTERNAL_ERROR; | ||
680 | } | ||
681 | |||
682 | info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]); | ||
683 | pos += 2; | ||
684 | |||
685 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
686 | pos += 4; | ||
687 | ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size); | ||
688 | if (ret < 0) | ||
689 | { | ||
690 | gnutls_assert (); | ||
691 | goto error; | ||
692 | } | ||
693 | pos += size; | ||
694 | |||
695 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
696 | pos += 4; | ||
697 | ret = | ||
698 | _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size); | ||
699 | if (ret < 0) | ||
700 | { | ||
701 | gnutls_assert (); | ||
702 | goto error; | ||
703 | } | ||
704 | pos += size; | ||
705 | |||
706 | size = _gnutls_read_uint32 (&packed_session->data[pos]); | ||
707 | pos += 4; | ||
708 | ret = | ||
709 | _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos], | ||
710 | size); | ||
711 | if (ret < 0) | ||
712 | { | ||
713 | gnutls_assert (); | ||
714 | goto error; | ||
715 | } | ||
716 | pos += size; | ||
717 | |||
718 | return 0; | ||
719 | |||
720 | error: | ||
721 | _gnutls_free_datum (&info->dh.prime); | ||
722 | _gnutls_free_datum (&info->dh.generator); | ||
723 | _gnutls_free_datum (&info->dh.public_key); | ||
724 | return ret; | ||
725 | } | ||
726 | #endif /* ANON */ | ||
727 | 735 | ||
728 | #ifdef ENABLE_PSK | 736 | #ifdef ENABLE_PSK |
729 | /* Packs the PSK session authentication data. | 737 | /* Packs the PSK session authentication data. |
730 | */ | 738 | */ |
731 | 739 | ||
732 | /* Format: | 740 | /* Format: |
733 | * 1 byte the credentials type | 741 | * 1 byte the credentials type |
734 | * 4 bytes the size of the whole structure | 742 | * 4 bytes the size of the whole structure |
735 | * 4 bytes the size of the PSK username (x) | 743 | * 4 bytes the size of the PSK username (x) |
@@ -909,7 +917,7 @@ error: | |||
909 | /* Packs the security parameters. | 917 | /* Packs the security parameters. |
910 | */ | 918 | */ |
911 | 919 | ||
912 | /* Format: | 920 | /* Format: |
913 | * 4 bytes the total security data size | 921 | * 4 bytes the total security data size |
914 | * 1 byte the entity type (client/server) | 922 | * 1 byte the entity type (client/server) |
915 | * 1 byte the key exchange algorithm used | 923 | * 1 byte the key exchange algorithm used |
@@ -947,7 +955,7 @@ error: | |||
947 | * | 955 | * |
948 | * 2 bytes the number of server name extensions (up to MAX_SERVER_NAME_EXTENSIONS) | 956 | * 2 bytes the number of server name extensions (up to MAX_SERVER_NAME_EXTENSIONS) |
949 | * 1 byte the first name type | 957 | * 1 byte the first name type |
950 | * 2 bytes the size of the first name | 958 | * 2 bytes the size of the first name |
951 | * x bytes the first name (MAX_SERVER_NAME_SIZE) | 959 | * x bytes the first name (MAX_SERVER_NAME_SIZE) |
952 | * and so on... | 960 | * and so on... |
953 | * | 961 | * |
diff --git a/src/daemon/https/tls/gnutls_state.c b/src/daemon/https/tls/gnutls_state.c index 3fde3db4..3931b393 100644 --- a/src/daemon/https/tls/gnutls_state.c +++ b/src/daemon/https/tls/gnutls_state.c | |||
@@ -32,7 +32,6 @@ | |||
32 | #include <gnutls_auth_int.h> | 32 | #include <gnutls_auth_int.h> |
33 | #include <gnutls_num.h> | 33 | #include <gnutls_num.h> |
34 | #include <gnutls_datum.h> | 34 | #include <gnutls_datum.h> |
35 | #include <gnutls_db.h> | ||
36 | #include <gnutls_record.h> | 35 | #include <gnutls_record.h> |
37 | #include <gnutls_handshake.h> | 36 | #include <gnutls_handshake.h> |
38 | #include <gnutls_dh.h> | 37 | #include <gnutls_dh.h> |
@@ -154,11 +153,11 @@ _gnutls_session_cert_type_supported (gnutls_session_t session, | |||
154 | } | 153 | } |
155 | } | 154 | } |
156 | 155 | ||
157 | if (session->internals.priorities.cert_type.algorithms == 0 && cert_type | 156 | if (session->internals.priorities.cert_type.num_algorithms == 0 && cert_type |
158 | == DEFAULT_CERT_TYPE) | 157 | == DEFAULT_CERT_TYPE) |
159 | return 0; | 158 | return 0; |
160 | 159 | ||
161 | for (i = 0; i < session->internals.priorities.cert_type.algorithms; i++) | 160 | for (i = 0; i < session->internals.priorities.cert_type.num_algorithms; i++) |
162 | { | 161 | { |
163 | if (session->internals.priorities.cert_type.priority[i] == cert_type) | 162 | if (session->internals.priorities.cert_type.priority[i] == cert_type) |
164 | { | 163 | { |
diff --git a/src/daemon/https/tls/gnutls_x509.c b/src/daemon/https/tls/gnutls_x509.c index 7c84fa0a..a9b6829d 100644 --- a/src/daemon/https/tls/gnutls_x509.c +++ b/src/daemon/https/tls/gnutls_x509.c | |||
@@ -93,9 +93,9 @@ check_bits (gnutls_x509_crt_t crt, unsigned int max_bits) | |||
93 | * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status | 93 | * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status |
94 | * @session: is a gnutls session | 94 | * @session: is a gnutls session |
95 | * | 95 | * |
96 | * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). | 96 | * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). |
97 | * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements. | 97 | * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements. |
98 | * However you must also check the peer's name in order to check if the verified certificate belongs to the | 98 | * However you must also check the peer's name in order to check if the verified certificate belongs to the |
99 | * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. | 99 | * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. |
100 | * | 100 | * |
101 | -*/ | 101 | -*/ |
@@ -178,7 +178,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session, | |||
178 | 178 | ||
179 | } | 179 | } |
180 | 180 | ||
181 | /* Verify certificate | 181 | /* Verify certificate |
182 | */ | 182 | */ |
183 | ret = | 183 | ret = |
184 | gnutls_x509_crt_list_verify (peer_certificate_list, | 184 | gnutls_x509_crt_list_verify (peer_certificate_list, |
@@ -522,7 +522,7 @@ parse_pem_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts, | |||
522 | } | 522 | } |
523 | _gnutls_free_datum (&tmp); /* free ptr2 */ | 523 | _gnutls_free_datum (&tmp); /* free ptr2 */ |
524 | 524 | ||
525 | /* now we move ptr after the pem header | 525 | /* now we move ptr after the pem header |
526 | */ | 526 | */ |
527 | ptr++; | 527 | ptr++; |
528 | /* find the next certificate (if any) | 528 | /* find the next certificate (if any) |
@@ -794,18 +794,18 @@ read_key_file (gnutls_certificate_credentials_t res, | |||
794 | * @key: is the private key, or %NULL | 794 | * @key: is the private key, or %NULL |
795 | * @type: is PEM or DER | 795 | * @type: is PEM or DER |
796 | * | 796 | * |
797 | * This function sets a certificate/private key pair in the | 797 | * This function sets a certificate/private key pair in the |
798 | * gnutls_certificate_credentials_t structure. This function may be called | 798 | * gnutls_certificate_credentials_t structure. This function may be called |
799 | * more than once (in case multiple keys/certificates exist for the | 799 | * more than once (in case multiple keys/certificates exist for the |
800 | * server). | 800 | * server). |
801 | * | 801 | * |
802 | * Currently are supported: RSA PKCS-1 encoded private keys, | 802 | * Currently are supported: RSA PKCS-1 encoded private keys, |
803 | * DSA private keys. | 803 | * DSA private keys. |
804 | * | 804 | * |
805 | * DSA private keys are encoded the OpenSSL way, which is an ASN.1 | 805 | * DSA private keys are encoded the OpenSSL way, which is an ASN.1 |
806 | * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv. | 806 | * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv. |
807 | * | 807 | * |
808 | * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates | 808 | * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates |
809 | * is supported. This means that certificates intended for signing cannot | 809 | * is supported. This means that certificates intended for signing cannot |
810 | * be used for ciphersuites that require encryption. | 810 | * be used for ciphersuites that require encryption. |
811 | * | 811 | * |
@@ -825,7 +825,7 @@ gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t | |||
825 | { | 825 | { |
826 | int ret; | 826 | int ret; |
827 | 827 | ||
828 | /* this should be first | 828 | /* this should be first |
829 | */ | 829 | */ |
830 | if ((ret = read_key_mem (res, key ? key->data : NULL, | 830 | if ((ret = read_key_mem (res, key ? key->data : NULL, |
831 | key ? key->size : 0, type)) < 0) | 831 | key ? key->size : 0, type)) < 0) |
@@ -867,7 +867,7 @@ gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res, | |||
867 | { | 867 | { |
868 | int ret, i; | 868 | int ret, i; |
869 | 869 | ||
870 | /* this should be first | 870 | /* this should be first |
871 | */ | 871 | */ |
872 | 872 | ||
873 | res->pkey = | 873 | res->pkey = |
@@ -956,7 +956,7 @@ gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t | |||
956 | { | 956 | { |
957 | int ret; | 957 | int ret; |
958 | 958 | ||
959 | /* this should be first | 959 | /* this should be first |
960 | */ | 960 | */ |
961 | if ((ret = read_key_file (res, KEYFILE, type)) < 0) | 961 | if ((ret = read_key_file (res, KEYFILE, type)) < 0) |
962 | return ret; | 962 | return ret; |
@@ -983,7 +983,7 @@ generate_rdn_seq (gnutls_certificate_credentials_t res) | |||
983 | unsigned size, i; | 983 | unsigned size, i; |
984 | opaque *pdata; | 984 | opaque *pdata; |
985 | 985 | ||
986 | /* Generate the RDN sequence | 986 | /* Generate the RDN sequence |
987 | * This will be sent to clients when a certificate | 987 | * This will be sent to clients when a certificate |
988 | * request message is sent. | 988 | * request message is sent. |
989 | */ | 989 | */ |
@@ -1036,11 +1036,8 @@ generate_rdn_seq (gnutls_certificate_credentials_t res) | |||
1036 | return 0; | 1036 | return 0; |
1037 | } | 1037 | } |
1038 | 1038 | ||
1039 | 1039 | /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this | |
1040 | 1040 | * certificate (uses the KeyUsage field). | |
1041 | |||
1042 | /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this | ||
1043 | * certificate (uses the KeyUsage field). | ||
1044 | */ | 1041 | */ |
1045 | int | 1042 | int |
1046 | _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg) | 1043 | _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg) |
@@ -1158,7 +1155,7 @@ parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts, | |||
1158 | return ret; | 1155 | return ret; |
1159 | } | 1156 | } |
1160 | 1157 | ||
1161 | /* now we move ptr after the pem header | 1158 | /* now we move ptr after the pem header |
1162 | */ | 1159 | */ |
1163 | ptr++; | 1160 | ptr++; |
1164 | size--; | 1161 | size--; |
@@ -1452,7 +1449,7 @@ parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls, | |||
1452 | return ret; | 1449 | return ret; |
1453 | } | 1450 | } |
1454 | 1451 | ||
1455 | /* now we move ptr after the pem header | 1452 | /* now we move ptr after the pem header |
1456 | */ | 1453 | */ |
1457 | ptr++; | 1454 | ptr++; |
1458 | /* find the next certificate (if any) | 1455 | /* find the next certificate (if any) |
diff --git a/src/daemon/https/x509/pkcs12.h b/src/daemon/https/x509/pkcs12.h index 41878ff2..3c75dff5 100644 --- a/src/daemon/https/x509/pkcs12.h +++ b/src/daemon/https/x509/pkcs12.h | |||
@@ -23,7 +23,6 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | /* TODO clean */ | 25 | /* TODO clean */ |
26 | |||
27 | #ifndef GNUTLS_PKCS12_H | 26 | #ifndef GNUTLS_PKCS12_H |
28 | #define GNUTLS_PKCS12_H | 27 | #define GNUTLS_PKCS12_H |
29 | 28 | ||
diff --git a/src/daemon/internal.h b/src/daemon/internal.h index 612b18da..796e5ad1 100644 --- a/src/daemon/internal.h +++ b/src/daemon/internal.h | |||
@@ -627,8 +627,13 @@ struct MHD_Daemon | |||
627 | unsigned short port; | 627 | unsigned short port; |
628 | 628 | ||
629 | #if HTTPS_SUPPORT | 629 | #if HTTPS_SUPPORT |
630 | /* server credintials */ | 630 | gnutls_credentials_type_t cred_type; |
631 | gnutls_certificate_credentials_t x509_cret; | 631 | |
632 | /* server x509 credintials */ | ||
633 | gnutls_certificate_credentials_t x509_cred; | ||
634 | |||
635 | /* credentials used for anonymous authentication */ | ||
636 | gnutls_anon_server_credentials_t anon_cred; | ||
632 | 637 | ||
633 | /* cipher priority cache */ | 638 | /* cipher priority cache */ |
634 | gnutls_priority_t priority_cache; | 639 | gnutls_priority_t priority_cache; |