Diffstat (limited to 'src')
-rw-r--r-- | src/daemon/connection.c | 4 | ||||
-rw-r--r-- | src/daemon/connection_https.c | 18 | ||||
-rw-r--r-- | src/daemon/daemon.c | 96 | ||||
-rw-r--r-- | src/daemon/https/openpgp/gnutls_openpgp.c | 17 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_int.h | 2 | ||||
-rw-r--r-- | src/daemon/https/tls/gnutls_state.c | 6 | ||||
-rw-r--r-- | src/daemon/https/tls/pkix_asn1_tab.c | 2 | ||||
-rw-r--r-- | src/daemon/internal.c | 2 | ||||
-rw-r--r-- | src/daemon/internal.h | 1 | ||||
-rw-r--r-- | src/examples/https_server_example.c | 4 | ||||
-rw-r--r-- | src/testcurl/https/mhds_get_test.c | 71 | ||||
-rw-r--r-- | src/testcurl/https/mhds_multi_daemon_test.c | 6 | ||||
-rw-r--r-- | src/testcurl/https/mhds_session_info_test.c | 5 |
13 files changed, 153 insertions, 81 deletions
diff --git a/src/daemon/connection.c b/src/daemon/connection.c index d0e09307..fdc7647a 100644 --- a/src/daemon/connection.c +++ b/src/daemon/connection.c | |||
@@ -31,7 +31,7 @@ | |||
31 | #include "response.h" | 31 | #include "response.h" |
32 | #include "reason_phrase.h" | 32 | #include "reason_phrase.h" |
33 | 33 | ||
34 | // get opaque type | 34 | /* get opaque type */ |
35 | #include "gnutls_int.h" | 35 | #include "gnutls_int.h" |
36 | 36 | ||
37 | #ifndef LINUX | 37 | #ifndef LINUX |
@@ -1593,7 +1593,7 @@ MHD_connection_handle_write (struct MHD_Connection *connection) | |||
1593 | connection->state = MHD_CONNECTION_NORMAL_BODY_UNREADY; | 1593 | connection->state = MHD_CONNECTION_NORMAL_BODY_UNREADY; |
1594 | break; | 1594 | break; |
1595 | } | 1595 | } |
1596 | // TODO clean - missing MSG_NOSIGNAL on gnutls record send call | 1596 | /* TODO clean - missing MSG_NOSIGNAL on gnutls record send call */ |
1597 | if (connection->daemon->options & MHD_USE_SSL) | 1597 | if (connection->daemon->options & MHD_USE_SSL) |
1598 | { | 1598 | { |
1599 | ret = gnutls_record_send (connection->tls_session, | 1599 | ret = gnutls_record_send (connection->tls_session, |
diff --git a/src/daemon/connection_https.c b/src/daemon/connection_https.c index 7c5fe4cf..1a64c091 100644 --- a/src/daemon/connection_https.c +++ b/src/daemon/connection_https.c | |||
@@ -36,12 +36,15 @@ | |||
36 | /* get opaque type */ | 36 | /* get opaque type */ |
37 | #include "gnutls_int.h" | 37 | #include "gnutls_int.h" |
38 | 38 | ||
39 | /* TODO rm */ | ||
40 | #include "gnutls_errors.h" | ||
41 | |||
39 | /* forward declarations used when setting secure connection callbacks */ | 42 | /* forward declarations used when setting secure connection callbacks */ |
40 | int MHD_connection_handle_read (struct MHD_Connection *connection); | 43 | int MHD_connection_handle_read (struct MHD_Connection *connection); |
41 | int MHD_connection_handle_write (struct MHD_Connection *connection); | 44 | int MHD_connection_handle_write (struct MHD_Connection *connection); |
42 | int MHD_connection_handle_idle (struct MHD_Connection *connection); | 45 | int MHD_connection_handle_idle (struct MHD_Connection *connection); |
43 | 46 | ||
44 | // TODO rm - appears in a switch default clause | 47 | /* TODO rm - appears in a switch default clause */ |
45 | static void | 48 | static void |
46 | connection_close_error (struct MHD_Connection *connection) | 49 | connection_close_error (struct MHD_Connection *connection) |
47 | { | 50 | { |
@@ -106,6 +109,8 @@ int | |||
106 | MHDS_connection_handle_idle (struct MHD_Connection *connection) | 109 | MHDS_connection_handle_idle (struct MHD_Connection *connection) |
107 | { | 110 | { |
108 | unsigned int timeout; | 111 | unsigned int timeout; |
112 | |||
113 | /* TODO rm gnutls_assert (); */ | ||
109 | while (1) | 114 | while (1) |
110 | { | 115 | { |
111 | #if HAVE_MESSAGES | 116 | #if HAVE_MESSAGES |
@@ -213,7 +218,7 @@ MHDS_connection_handle_read (struct MHD_Connection *connection) | |||
213 | { | 218 | { |
214 | #if HAVE_MESSAGES | 219 | #if HAVE_MESSAGES |
215 | MHD_DLOG (connection->daemon, | 220 | MHD_DLOG (connection->daemon, |
216 | "Received unrecognized alert: %s\n", | 221 | "Received unrecognized alert: %d\n", |
217 | connection->tls_session->internals.last_alert); | 222 | connection->tls_session->internals.last_alert); |
218 | #endif | 223 | #endif |
219 | return MHD_NO; | 224 | return MHD_NO; |
@@ -236,14 +241,13 @@ MHDS_connection_handle_read (struct MHD_Connection *connection) | |||
236 | { | 241 | { |
237 | #if HAVE_MESSAGES | 242 | #if HAVE_MESSAGES |
238 | MHD_DLOG (connection->daemon, | 243 | MHD_DLOG (connection->daemon, |
239 | "Error: Handshake has failed (%s)\n", ret); | 244 | "Error: Handshake has failed (%d)\n", ret); |
240 | #endif | 245 | #endif |
241 | connection->s_state = MHDS_HANDSHAKE_FAILED; | 246 | connection->s_state = MHDS_HANDSHAKE_FAILED; |
242 | gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR); | 247 | gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR); |
243 | gnutls_deinit (connection->tls_session); | 248 | gnutls_deinit (connection->tls_session); |
244 | connection->socket_fd = -1; | 249 | connection_close_error(connection); |
245 | return MHD_NO; | 250 | return MHD_NO; |
246 | |||
247 | } | 251 | } |
248 | break; | 252 | break; |
249 | case GNUTLS_INNER_APPLICATION: | 253 | case GNUTLS_INNER_APPLICATION: |
@@ -257,6 +261,8 @@ int | |||
257 | MHDS_connection_handle_write (struct MHD_Connection *connection) | 261 | MHDS_connection_handle_write (struct MHD_Connection *connection) |
258 | { | 262 | { |
259 | connection->last_activity = time (NULL); | 263 | connection->last_activity = time (NULL); |
264 | /* TODO rm */ | ||
265 | gnutls_assert (); | ||
260 | while (1) | 266 | while (1) |
261 | { | 267 | { |
262 | #if HAVE_MESSAGES | 268 | #if HAVE_MESSAGES |
@@ -269,7 +275,7 @@ MHDS_connection_handle_write (struct MHD_Connection *connection) | |||
269 | /* these cases shouldn't occur */ | 275 | /* these cases shouldn't occur */ |
270 | case MHDS_HANDSHAKE_COMPLETE: | 276 | case MHDS_HANDSHAKE_COMPLETE: |
271 | case MHDS_CONNECTION_INIT: | 277 | case MHDS_CONNECTION_INIT: |
272 | // TODO do we have to write back a responce ? | 278 | /* TODO do we have to write back a responce ? */ |
273 | case MHDS_HANDSHAKE_FAILED: | 279 | case MHDS_HANDSHAKE_FAILED: |
274 | /* we should first exit MHDS_REPLY_SENDING */ | 280 | /* we should first exit MHDS_REPLY_SENDING */ |
275 | 281 | ||
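Review bot: After `gnutls_deinit (connection->tls_session);` in the handshake-failure branch (new line 248) the session pointer is left dangling, and the new `connection_close_error(connection);` call plus the later per-connection cleanup in daemon.c (which still carries `/* TODO add tls con cleanup */`) may touch it again, i.e. a use-after-free or a double deinit. Add `connection->tls_session = NULL;` immediately after the deinit so every later path can test the pointer before using it. The body of connection_close_error starts outside this hunk, so it is not visible whether it closes the descriptor that the removed `connection->socket_fd = -1;` merely forgot; if it only marks the field, one socket leaks per failed handshake. Separately, the `gnutls_assert ();` added at the top of MHDS_connection_handle_write (new line 265) looks like the GnuTLS-internal debug macro and would fire on every write call; the `/* TODO rm */` next to it suggests it should not land in this commit.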
diff --git a/src/daemon/daemon.c b/src/daemon/daemon.c index 5fd55c22..c0ac95e3 100644 --- a/src/daemon/daemon.c +++ b/src/daemon/daemon.c | |||
@@ -59,24 +59,18 @@ | |||
59 | /* initialize security aspects of the HTTPS daemon */ | 59 | /* initialize security aspects of the HTTPS daemon */ |
60 | static int | 60 | static int |
61 | MHDS_init (struct MHD_Daemon *daemon){ | 61 | MHDS_init (struct MHD_Daemon *daemon){ |
62 | |||
63 | int i; | ||
64 | priority_st st; | ||
65 | |||
62 | gnutls_global_set_log_function (MHD_tls_log_func); | 66 | gnutls_global_set_log_function (MHD_tls_log_func); |
63 | /* TODO let user access log level */ | ||
64 | 67 | ||
65 | /* setup server certificate */ | 68 | /* setup server certificate */ |
66 | gnutls_certificate_allocate_credentials (&daemon->x509_cret); | 69 | gnutls_certificate_allocate_credentials (&daemon->x509_cret); |
67 | 70 | ||
68 | /* Generate Diffie Hellman parameters - for use with DHE kx algorithms. */ | 71 | /* TODO remove if unused |
69 | // TODO should we be initializing RSA params or DH params ? | 72 | gnutls_certificate_set_x509_trust_file(x509_cret, CAFILE,GNUTLS_X509_FMT_PEM); |
70 | 73 | gnutls_certificate_set_x509_crl_file(x509_cret, CRLFILE, GNUTLS_X509_FMT_PEM); */ | |
71 | gnutls_dh_params_init (&daemon->dh_params); | ||
72 | gnutls_dh_params_generate2 (daemon->dh_params, 1024); | ||
73 | |||
74 | // TODO remove if unused | ||
75 | /* add trusted CAs to certificate */ | ||
76 | // gnutls_certificate_set_x509_trust_file(x509_cret, CAFILE,GNUTLS_X509_FMT_PEM); | ||
77 | |||
78 | /* add Certificate revocation list to certificate */ | ||
79 | //gnutls_certificate_set_x509_crl_file(x509_cret, CRLFILE, GNUTLS_X509_FMT_PEM); | ||
80 | 74 | ||
81 | /* sets a certificate private key pair */ | 75 | /* sets a certificate private key pair */ |
82 | if (daemon->https_cert_path && daemon->https_key_path) | 76 | if (daemon->https_cert_path && daemon->https_key_path) |
@@ -129,11 +123,46 @@ MHDS_init (struct MHD_Daemon *daemon){ | |||
129 | return MHD_NO; | 123 | return MHD_NO; |
130 | } | 124 | } |
131 | 125 | ||
126 | /* generate DH parameters if necessary */ | ||
127 | st = daemon->priority_cache->kx; | ||
128 | for (i = 0; i < st.algorithms; i++) | ||
129 | { | ||
130 | /* initialize Diffie Hellman parameters if necessary */ | ||
131 | /* TODO add other cipher suits */ | ||
132 | if (st.priority[i] == GNUTLS_KX_DHE_RSA ){ | ||
133 | gnutls_dh_params_init (&daemon->dh_params); | ||
134 | gnutls_dh_params_generate2 (daemon->dh_params, 1024); | ||
135 | break; | ||
136 | } | ||
137 | } | ||
138 | |||
132 | gnutls_certificate_set_dh_params (daemon->x509_cret, daemon->dh_params); | 139 | gnutls_certificate_set_dh_params (daemon->x509_cret, daemon->dh_params); |
133 | 140 | ||
134 | // TODO address error case return value | 141 | /* TODO address error case return value */ |
135 | return MHD_YES; | 142 | return MHD_YES; |
136 | } | 143 | } |
144 | |||
145 | /* TODO unite with code in gnutls_priority.c */ | ||
146 | /* this is used to set HTTPS related daemon priorities */ | ||
147 | inline static int | ||
148 | _set_priority (priority_st * st, const int *list) | ||
149 | { | ||
150 | int num = 0, i; | ||
151 | |||
152 | while (list[num] != 0) | ||
153 | num++; | ||
154 | if (num > MAX_ALGOS) | ||
155 | num = MAX_ALGOS; | ||
156 | st->algorithms = num; | ||
157 | |||
158 | for (i = 0; i < num; i++) | ||
159 | { | ||
160 | st->priority[i] = list[i]; | ||
161 | } | ||
162 | |||
163 | return 0; | ||
164 | } | ||
165 | |||
137 | #endif | 166 | #endif |
138 | 167 | ||
139 | /** | 168 | /** |
@@ -297,9 +326,10 @@ MHDS_handle_connection (void *data) | |||
297 | gnutls_credentials_set (tls_session, GNUTLS_CRD_CERTIFICATE, | 326 | gnutls_credentials_set (tls_session, GNUTLS_CRD_CERTIFICATE, |
298 | con->daemon->x509_cret); | 327 | con->daemon->x509_cret); |
299 | 328 | ||
300 | /* avoid gnutls blocking recv / write calls */ | 329 | /* TODO avoid gnutls blocking recv / write calls |
301 | // gnutls_transport_set_pull_function(tls_session, &recv); | 330 | gnutls_transport_set_pull_function(tls_session, &recv); |
302 | // gnutls_transport_set_push_function(tls_session, &send); | 331 | gnutls_transport_set_push_function(tls_session, &send); |
332 | */ | ||
303 | 333 | ||
304 | gnutls_transport_set_ptr (tls_session, con->socket_fd); | 334 | gnutls_transport_set_ptr (tls_session, con->socket_fd); |
305 | 335 | ||
@@ -524,7 +554,7 @@ MHD_cleanup_connections (struct MHD_Daemon *daemon) | |||
524 | free (pos->addr); | 554 | free (pos->addr); |
525 | free (pos); | 555 | free (pos); |
526 | daemon->max_connections++; | 556 | daemon->max_connections++; |
527 | // TODO add tls con cleanup | 557 | /* TODO add tls con cleanup */ |
528 | if (prev == NULL) | 558 | if (prev == NULL) |
529 | pos = daemon->connections; | 559 | pos = daemon->connections; |
530 | else | 560 | else |
@@ -722,27 +752,6 @@ MHD_select_thread (void *cls) | |||
722 | return NULL; | 752 | return NULL; |
723 | } | 753 | } |
724 | 754 | ||
725 | /* TODO unite with code in gnutls_priority.c */ | ||
726 | /* this is used to set HTTPS related daemon priorities */ | ||
727 | inline static int | ||
728 | _set_priority (priority_st * st, const int *list) | ||
729 | { | ||
730 | int num = 0, i; | ||
731 | |||
732 | while (list[num] != 0) | ||
733 | num++; | ||
734 | if (num > MAX_ALGOS) | ||
735 | num = MAX_ALGOS; | ||
736 | st->algorithms = num; | ||
737 | |||
738 | for (i = 0; i < num; i++) | ||
739 | { | ||
740 | st->priority[i] = list[i]; | ||
741 | } | ||
742 | |||
743 | return 0; | ||
744 | } | ||
745 | |||
746 | /** | 755 | /** |
747 | * Start a webserver on the given port. | 756 | * Start a webserver on the given port. |
748 | * | 757 | * |
@@ -861,6 +870,7 @@ MHD_start_daemon (unsigned int options, | |||
861 | pthread_mutex_lock (&gnutls_init_mutex); | 870 | pthread_mutex_lock (&gnutls_init_mutex); |
862 | gnutls_global_init (); | 871 | gnutls_global_init (); |
863 | pthread_mutex_unlock (&gnutls_init_mutex); | 872 | pthread_mutex_unlock (&gnutls_init_mutex); |
873 | /* set default priorities */ | ||
864 | gnutls_priority_init (&retVal->priority_cache, | 874 | gnutls_priority_init (&retVal->priority_cache, |
865 | "NONE:+AES-256-CBC:+RSA:+SHA1:+COMP-NULL", NULL); | 875 | "NONE:+AES-256-CBC:+RSA:+SHA1:+COMP-NULL", NULL); |
866 | } | 876 | } |
@@ -891,6 +901,7 @@ MHD_start_daemon (unsigned int options, | |||
891 | case MHD_OPTION_PER_IP_CONNECTION_LIMIT: | 901 | case MHD_OPTION_PER_IP_CONNECTION_LIMIT: |
892 | retVal->per_ip_connection_limit = va_arg (ap, unsigned int); | 902 | retVal->per_ip_connection_limit = va_arg (ap, unsigned int); |
893 | break; | 903 | break; |
904 | #if HTTPS_SUPPORT | ||
894 | case MHD_OPTION_HTTPS_KEY_PATH: | 905 | case MHD_OPTION_HTTPS_KEY_PATH: |
895 | retVal->https_key_path = va_arg (ap, const char *); | 906 | retVal->https_key_path = va_arg (ap, const char *); |
896 | break; | 907 | break; |
@@ -904,13 +915,12 @@ MHD_start_daemon (unsigned int options, | |||
904 | retVal->https_mem_cert = va_arg (ap, const char *); | 915 | retVal->https_mem_cert = va_arg (ap, const char *); |
905 | break; | 916 | break; |
906 | case MHDS_KX_PRIORITY: | 917 | case MHDS_KX_PRIORITY: |
907 | _set_priority (&retVal->priority_cache->kx, | 918 | _set_priority (&retVal->priority_cache->cipher, va_arg (ap, const int *)); |
908 | va_arg (ap, const int *)); | ||
909 | break; | 919 | break; |
910 | case MHDS_CIPHER_ALGORITHM: | 920 | case MHDS_CIPHER_ALGORITHM: |
911 | _set_priority (&retVal->priority_cache->cipher, | 921 | _set_priority (&retVal->priority_cache->cipher, va_arg (ap, const int *)); |
912 | va_arg (ap, const int *)); | ||
913 | break; | 922 | break; |
923 | #endif | ||
914 | default: | 924 | default: |
915 | #if HAVE_MESSAGES | 925 | #if HAVE_MESSAGES |
916 | if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END) { | 926 | if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END) { |
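Review bot: In MHD_start_daemon the `MHDS_KX_PRIORITY` case (new line 918) now writes to `retVal->priority_cache->cipher` instead of `->kx`, so the key-exchange option silently overwrites the cipher priority list with key-exchange enum values and the kx list is never populated; the new test in mhds_get_test.c passes `{ GNUTLS_KX_DHE_RSA, 0 }` through exactly this case. It should read `_set_priority (&retVal->priority_cache->kx, va_arg (ap, const int *));`. The DH-parameter loop added to MHDS_init (new lines 126-137) reads `priority_cache->kx`, so with this regression it never finds GNUTLS_KX_DHE_RSA, and `gnutls_certificate_set_dh_params (daemon->x509_cret, daemon->dh_params)` on line 139 is then reached with `daemon->dh_params` never having gone through gnutls_dh_params_init. Move that call inside the `if` (or guard it on the parameters having been generated), and check the return values of gnutls_dh_params_init and gnutls_dh_params_generate2 instead of falling through to `return MHD_YES`, which the remaining `/* TODO address error case return value */` already flags.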
diff --git a/src/daemon/https/openpgp/gnutls_openpgp.c b/src/daemon/https/openpgp/gnutls_openpgp.c index 02469463..af798bcd 100644 --- a/src/daemon/https/openpgp/gnutls_openpgp.c +++ b/src/daemon/https/openpgp/gnutls_openpgp.c | |||
@@ -9,12 +9,12 @@ | |||
9 | * it under the terms of the GNU General Public License as published by | 9 | * it under the terms of the GNU General Public License as published by |
10 | * the Free Software Foundation, either version 3 of the License, or | 10 | * the Free Software Foundation, either version 3 of the License, or |
11 | * (at your option) any later version. | 11 | * (at your option) any later version. |
12 | * | 12 | * |
13 | * GNUTLS-EXTRA is distributed in the hope that it will be useful, | 13 | * GNUTLS-EXTRA is distributed in the hope that it will be useful, |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | * GNU General Public License for more details. | 16 | * GNU General Public License for more details. |
17 | * | 17 | * |
18 | * You should have received a copy of the GNU General Public License | 18 | * You should have received a copy of the GNU General Public License |
19 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | 19 | * along with this program. If not, see <http://www.gnu.org/licenses/>. |
20 | */ | 20 | */ |
@@ -38,8 +38,6 @@ | |||
38 | 38 | ||
39 | #define datum_append(x, y, z) _gnutls_datum_append_m (x, y, z, gnutls_realloc) | 39 | #define datum_append(x, y, z) _gnutls_datum_append_m (x, y, z, gnutls_realloc) |
40 | 40 | ||
41 | |||
42 | |||
43 | static void | 41 | static void |
44 | release_mpi_array (mpi_t * arr, size_t n) | 42 | release_mpi_array (mpi_t * arr, size_t n) |
45 | { | 43 | { |
@@ -256,7 +254,6 @@ leave: | |||
256 | return rc; | 254 | return rc; |
257 | } | 255 | } |
258 | 256 | ||
259 | |||
260 | /*- | 257 | /*- |
261 | * _gnutls_openpgp_raw_key_to_gcert - Converts raw OpenPGP data to GnuTLS certs | 258 | * _gnutls_openpgp_raw_key_to_gcert - Converts raw OpenPGP data to GnuTLS certs |
262 | * @cert: the certificate to store the data. | 259 | * @cert: the certificate to store the data. |
@@ -306,7 +303,7 @@ _gnutls_openpgp_raw_key_to_gcert (gnutls_cert * cert, | |||
306 | * @key: contains an openpgp public key | 303 | * @key: contains an openpgp public key |
307 | * @pkey: is an openpgp private key | 304 | * @pkey: is an openpgp private key |
308 | * | 305 | * |
309 | * This function sets a certificate/private key pair in the | 306 | * This function sets a certificate/private key pair in the |
310 | * gnutls_certificate_credentials_t structure. This function may be called | 307 | * gnutls_certificate_credentials_t structure. This function may be called |
311 | * more than once (in case multiple keys/certificates exist for the | 308 | * more than once (in case multiple keys/certificates exist for the |
312 | * server). | 309 | * server). |
@@ -486,7 +483,7 @@ stream_to_datum (cdk_stream_t inp, gnutls_datum_t * raw) | |||
486 | * @cert: the datum that contains the public key. | 483 | * @cert: the datum that contains the public key. |
487 | * @key: the datum that contains the secret key. | 484 | * @key: the datum that contains the secret key. |
488 | * | 485 | * |
489 | * This funtion is used to load OpenPGP keys into the GnuTLS credential | 486 | * This funtion is used to load OpenPGP keys into the GnuTLS credential |
490 | * structure. | 487 | * structure. |
491 | * It doesn't matter whether the keys are armored or not, but the files | 488 | * It doesn't matter whether the keys are armored or not, but the files |
492 | * should only contain one key which should not be encrypted. | 489 | * should only contain one key which should not be encrypted. |
@@ -734,12 +731,8 @@ gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t | |||
734 | gnutls_openpgp_keyring_deinit (c->keyring); | 731 | gnutls_openpgp_keyring_deinit (c->keyring); |
735 | return rc; | 732 | return rc; |
736 | } | 733 | } |
737 | |||
738 | return 0; | ||
739 | #else | 734 | #else |
740 | |||
741 | c->keyring_format = format; | 735 | c->keyring_format = format; |
742 | |||
743 | c->keyring.data = gnutls_malloc (dlen + 1); | 736 | c->keyring.data = gnutls_malloc (dlen + 1); |
744 | if (c->keyring.data == NULL) | 737 | if (c->keyring.data == NULL) |
745 | { | 738 | { |
@@ -749,8 +742,8 @@ gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t | |||
749 | memcpy (c->keyring.data, data, dlen); | 742 | memcpy (c->keyring.data, data, dlen); |
750 | c->keyring.data[dlen] = 0; | 743 | c->keyring.data[dlen] = 0; |
751 | c->keyring.size = dlen; | 744 | c->keyring.size = dlen; |
752 | |||
753 | #endif | 745 | #endif |
746 | return 0; | ||
754 | } | 747 | } |
755 | 748 | ||
756 | /*- | 749 | /*- |
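--- a/src/daemon/https/tls/gnutls_int.h
+++ b/src/daemon/https/tls/gnutls_int.h
@@ -99,7 +99,7 @@
 
 #define HASH2MAC(x) ((gnutls_mac_algorithm_t)x)
 
-// TODO rm
+/* TODO rm */
 /* Additional cast to bring void* to a type castable to int. */
 #define GNUTLS_POINTER_TO_INT_CAST (long)
 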
diff --git a/src/daemon/https/tls/gnutls_state.c b/src/daemon/https/tls/gnutls_state.c index ccc865a1..6c361261 100644 --- a/src/daemon/https/tls/gnutls_state.c +++ b/src/daemon/https/tls/gnutls_state.c | |||
@@ -233,7 +233,7 @@ _gnutls_handshake_internal_state_clear (gnutls_session_t session) | |||
233 | * Returns: %GNUTLS_E_SUCCESS on success, or an error code. | 233 | * Returns: %GNUTLS_E_SUCCESS on success, or an error code. |
234 | **/ | 234 | **/ |
235 | 235 | ||
236 | // TODO rm redundent pointer ref | 236 | /* TODO rm redundent pointer ref */ |
237 | int | 237 | int |
238 | gnutls_init (gnutls_session_t * session, gnutls_connection_end_t con_end) | 238 | gnutls_init (gnutls_session_t * session, gnutls_connection_end_t con_end) |
239 | { | 239 | { |
@@ -290,7 +290,7 @@ gnutls_init (gnutls_session_t * session, gnutls_connection_end_t con_end) | |||
290 | gnutls_handshake_set_max_packet_length ((*session), | 290 | gnutls_handshake_set_max_packet_length ((*session), |
291 | MAX_HANDSHAKE_PACKET_SIZE); | 291 | MAX_HANDSHAKE_PACKET_SIZE); |
292 | 292 | ||
293 | /* Allocate a minimum size for recv_data | 293 | /* Allocate a minimum size for recv_data |
294 | * This is allocated in order to avoid small messages, making | 294 | * This is allocated in order to avoid small messages, making |
295 | * the receive procedure slow. | 295 | * the receive procedure slow. |
296 | */ | 296 | */ |
@@ -796,7 +796,7 @@ _gnutls_xor (opaque * o1, opaque * o2, int length) | |||
796 | 796 | ||
797 | #define MAX_PRF_BYTES 200 | 797 | #define MAX_PRF_BYTES 200 |
798 | 798 | ||
799 | /* The PRF function expands a given secret | 799 | /* The PRF function expands a given secret |
800 | * needed by the TLS specification. ret must have a least total_bytes | 800 | * needed by the TLS specification. ret must have a least total_bytes |
801 | * available. | 801 | * available. |
802 | */ | 802 | */ |
diff --git a/src/daemon/https/tls/pkix_asn1_tab.c b/src/daemon/https/tls/pkix_asn1_tab.c index 3370bb46..eec32f9b 100644 --- a/src/daemon/https/tls/pkix_asn1_tab.c +++ b/src/daemon/https/tls/pkix_asn1_tab.c | |||
@@ -4,7 +4,7 @@ | |||
4 | 4 | ||
5 | #include <libtasn1.h> | 5 | #include <libtasn1.h> |
6 | 6 | ||
7 | extern const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { | 7 | const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { |
8 | {"PKIX1", 536875024, 0}, | 8 | {"PKIX1", 536875024, 0}, |
9 | {0, 1073741836, 0}, | 9 | {0, 1073741836, 0}, |
10 | {"id-ce", 1879048204, 0}, | 10 | {"id-ce", 1879048204, 0}, |
diff --git a/src/daemon/internal.c b/src/daemon/internal.c index 3a060063..7ecf0d0a 100644 --- a/src/daemon/internal.c +++ b/src/daemon/internal.c | |||
@@ -46,7 +46,9 @@ MHD_DLOG (const struct MHD_Daemon *daemon, const char *format, ...) | |||
46 | void | 46 | void |
47 | MHD_tls_log_func (int level, const char *str) | 47 | MHD_tls_log_func (int level, const char *str) |
48 | { | 48 | { |
49 | #ifdef DEBUG | ||
49 | fprintf (stdout, "|<%d>| %s", level, str); | 50 | fprintf (stdout, "|<%d>| %s", level, str); |
51 | #endif | ||
50 | } | 52 | } |
51 | 53 | ||
52 | 54 | ||
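Review bot: With the fprintf compiled out under `#ifdef DEBUG`, `level` and `str` become unused parameters of MHD_tls_log_func in every non-debug build, and MHDS_init still registers the function through `gnutls_global_set_log_function`, so a callback that does nothing is installed. Either add an `#else` branch with `(void) level; (void) str;` to keep `-Wextra` builds clean, or guard the registration in MHDS_init with the same `#ifdef DEBUG`. Keeping the stdout print debug-only is the right direction, since GnuTLS log output at higher levels can include handshake details that a production daemon should not emit by default.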
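--- a/src/daemon/internal.h
+++ b/src/daemon/internal.h
@@ -49,7 +49,6 @@
 
 #include <pthread.h>
 
-// TODO unify with other dec
 #define MHD_MAX(a,b) ((a)<(b)) ? (b) : (a)
 #define MHD_MIN(a,b) ((a)<(b)) ? (a) : (b)
 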
diff --git a/src/examples/https_server_example.c b/src/examples/https_server_example.c index 5455d3c3..ce9ff9d7 100644 --- a/src/examples/https_server_example.c +++ b/src/examples/https_server_example.c | |||
@@ -172,8 +172,8 @@ main (int argc, char *const *argv) | |||
172 | return 1; | 172 | return 1; |
173 | } | 173 | } |
174 | 174 | ||
175 | // TODO check if this is truly necessary - disallow usage of the blocking /dev/random */ | 175 | /* TODO check if this is truly necessary - disallow usage of the blocking /dev/random */ |
176 | // gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); | 176 | /* gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); */ |
177 | 177 | ||
178 | TLS_daemon = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_DEBUG | 178 | TLS_daemon = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_DEBUG |
179 | | MHD_USE_SSL, atoi (argv[3]), | 179 | | MHD_USE_SSL, atoi (argv[3]), |
diff --git a/src/testcurl/https/mhds_get_test.c b/src/testcurl/https/mhds_get_test.c index 80877da8..d9c52d56 100644 --- a/src/testcurl/https/mhds_get_test.c +++ b/src/testcurl/https/mhds_get_test.c | |||
@@ -26,7 +26,7 @@ | |||
26 | 26 | ||
27 | #include "config.h" | 27 | #include "config.h" |
28 | #include "plibc.h" | 28 | #include "plibc.h" |
29 | #include "microhttpd.h" | 29 | #include "microhttpsd.h" |
30 | #include <errno.h> | 30 | #include <errno.h> |
31 | 31 | ||
32 | #include <curl/curl.h> | 32 | #include <curl/curl.h> |
@@ -218,7 +218,9 @@ test_daemon_get (FILE * test_fd, char *cipher_suite, int proto_version) | |||
218 | doc_path, test_file_name); | 218 | doc_path, test_file_name); |
219 | 219 | ||
220 | c = curl_easy_init (); | 220 | c = curl_easy_init (); |
221 | /* curl_easy_setopt (c, CURLOPT_VERBOSE, 1); */ | 221 | #ifdef DEBUG |
222 | curl_easy_setopt (c, CURLOPT_VERBOSE, 1); | ||
223 | #endif | ||
222 | curl_easy_setopt (c, CURLOPT_URL, url); | 224 | curl_easy_setopt (c, CURLOPT_URL, url); |
223 | curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); | 225 | curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); |
224 | curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); | 226 | curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); |
@@ -228,9 +230,9 @@ test_daemon_get (FILE * test_fd, char *cipher_suite, int proto_version) | |||
228 | 230 | ||
229 | /* TLS options */ | 231 | /* TLS options */ |
230 | curl_easy_setopt (c, CURLOPT_SSLVERSION, proto_version); | 232 | curl_easy_setopt (c, CURLOPT_SSLVERSION, proto_version); |
231 | curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, cipher_suite); | 233 | //curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, cipher_suite); |
232 | 234 | ||
233 | // TODO rm : currently skip any peer authentication */ | 235 | /* currently skip any peer authentication */ |
234 | curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0); | 236 | curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0); |
235 | curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0); | 237 | curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0); |
236 | 238 | ||
@@ -332,6 +334,59 @@ test_file_certificates (FILE * test_fd, char *cipher_suite, int proto_version) | |||
332 | return ret; | 334 | return ret; |
333 | } | 335 | } |
334 | 336 | ||
337 | int | ||
338 | test_cipher_option (FILE * test_fd, char *cipher_suite, int proto_version) | ||
339 | { | ||
340 | |||
341 | int ret; | ||
342 | int ciper[] = { GNUTLS_CIPHER_3DES_CBC, 0 }; | ||
343 | struct MHD_Daemon *d; | ||
344 | d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | | ||
345 | MHD_USE_DEBUG, 42433, | ||
346 | NULL, NULL, &http_ahc, NULL, | ||
347 | MHD_OPTION_HTTPS_MEM_KEY, key_pem, | ||
348 | MHD_OPTION_HTTPS_MEM_CERT, cert_pem, | ||
349 | MHDS_CIPHER_ALGORITHM, ciper, MHD_OPTION_END); | ||
350 | |||
351 | if (d == NULL) | ||
352 | { | ||
353 | fprintf (stderr, MHD_E_SERVER_INIT); | ||
354 | return -1; | ||
355 | } | ||
356 | |||
357 | ret = test_daemon_get (test_fd, cipher_suite, proto_version); | ||
358 | |||
359 | MHD_stop_daemon (d); | ||
360 | return ret; | ||
361 | } | ||
362 | |||
363 | int | ||
364 | test_kx_option (FILE * test_fd, char *cipher_suite, int proto_version) | ||
365 | { | ||
366 | |||
367 | int ret; | ||
368 | int kx[] = { GNUTLS_KX_DHE_RSA, 0 }; | ||
369 | struct MHD_Daemon *d; | ||
370 | |||
371 | d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | | ||
372 | MHD_USE_DEBUG, 42433, | ||
373 | NULL, NULL, &http_ahc, NULL, | ||
374 | MHD_OPTION_HTTPS_MEM_KEY, key_pem, | ||
375 | MHD_OPTION_HTTPS_MEM_CERT, cert_pem, | ||
376 | MHDS_KX_PRIORITY, kx, MHD_OPTION_END); | ||
377 | |||
378 | if (d == NULL) | ||
379 | { | ||
380 | fprintf (stderr, MHD_E_SERVER_INIT); | ||
381 | return -1; | ||
382 | } | ||
383 | |||
384 | ret = test_daemon_get (test_fd, cipher_suite, proto_version); | ||
385 | |||
386 | MHD_stop_daemon (d); | ||
387 | return ret; | ||
388 | } | ||
389 | |||
335 | /* setup a temporary transfer test file */ | 390 | /* setup a temporary transfer test file */ |
336 | FILE * | 391 | FILE * |
337 | setupTestFile () | 392 | setupTestFile () |
@@ -367,8 +422,6 @@ main (int argc, char *const *argv) | |||
367 | FILE *test_fd; | 422 | FILE *test_fd; |
368 | unsigned int errorCount = 0; | 423 | unsigned int errorCount = 0; |
369 | 424 | ||
370 | gnutls_global_set_log_level (0); | ||
371 | |||
372 | if ((test_fd = setupTestFile ()) == NULL) | 425 | if ((test_fd = setupTestFile ()) == NULL) |
373 | { | 426 | { |
374 | fprintf (stderr, MHD_E_TEST_FILE_CREAT); | 427 | fprintf (stderr, MHD_E_TEST_FILE_CREAT); |
@@ -388,6 +441,12 @@ main (int argc, char *const *argv) | |||
388 | errorCount += | 441 | errorCount += |
389 | test_file_certificates (test_fd, "AES256-SHA", CURL_SSLVERSION_TLSv1); | 442 | test_file_certificates (test_fd, "AES256-SHA", CURL_SSLVERSION_TLSv1); |
390 | 443 | ||
444 | /* TODO resolve cipher setting issue when compiling against GNU TLS */ | ||
445 | errorCount += | ||
446 | test_cipher_option (test_fd, "DES-CBC3-SHA", CURL_SSLVERSION_SSLv3); | ||
447 | errorCount += | ||
448 | test_kx_option (test_fd, "EDH-RSA-DES-CBC3-SHA", CURL_SSLVERSION_SSLv3); | ||
449 | |||
391 | if (errorCount != 0) | 450 | if (errorCount != 0) |
392 | fprintf (stderr, "Error (code: %u)\n", errorCount); | 451 | fprintf (stderr, "Error (code: %u)\n", errorCount); |
393 | 452 | ||
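Review bot: The two new tests test_cipher_option and test_kx_option (new lines 337-388) cannot fail for the reason they exist: `curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, cipher_suite);` is commented out in test_daemon_get (new line 233), so the client accepts whatever the server negotiates and nothing checks that the MHDS_CIPHER_ALGORITHM / MHDS_KX_PRIORITY option took effect; the `/* TODO resolve cipher setting issue ... */` in main acknowledges this, but as written a daemon that ignores both options still passes. Until the cipher-list issue is resolved, have the access handler verify the negotiated parameters server-side the way mhds_session_info_test.c already does with MHDS_get_session_mac, or at least leave `/* FIXME: this test does not yet verify that the option was honoured */` at the two call sites so a green result is not trusted. The new comment `/* currently skip any peer authentication */` above `CURLOPT_SSL_VERIFYPEER, 0` (new line 235, and the same line in mhds_multi_daemon_test.c) drops the old "TODO rm" marker; say why it is acceptable here (presumably because the in-memory test certificate is not in curl's trust store), e.g. `/* test cert is not in the client trust store; verification is off only for this test */`, so the setting is not carried over into examples. The stray `//` on line 233 is also the one comment the commit did not convert to `/* */`.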
diff --git a/src/testcurl/https/mhds_multi_daemon_test.c b/src/testcurl/https/mhds_multi_daemon_test.c index d7733776..a732a5f0 100644 --- a/src/testcurl/https/mhds_multi_daemon_test.c +++ b/src/testcurl/https/mhds_multi_daemon_test.c | |||
@@ -216,7 +216,9 @@ test_daemon_get (FILE * test_fd, char *cipher_suite, int proto_version, | |||
216 | test_file_name); | 216 | test_file_name); |
217 | 217 | ||
218 | c = curl_easy_init (); | 218 | c = curl_easy_init (); |
219 | /* curl_easy_setopt (c, CURLOPT_VERBOSE, 1); */ | 219 | #ifdef DEBUG |
220 | curl_easy_setopt (c, CURLOPT_VERBOSE, 1); | ||
221 | #endif | ||
220 | curl_easy_setopt (c, CURLOPT_URL, url); | 222 | curl_easy_setopt (c, CURLOPT_URL, url); |
221 | curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); | 223 | curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); |
222 | curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); | 224 | curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); |
@@ -228,7 +230,7 @@ test_daemon_get (FILE * test_fd, char *cipher_suite, int proto_version, | |||
228 | curl_easy_setopt (c, CURLOPT_SSLVERSION, proto_version); | 230 | curl_easy_setopt (c, CURLOPT_SSLVERSION, proto_version); |
229 | curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, cipher_suite); | 231 | curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, cipher_suite); |
230 | 232 | ||
231 | // TODO rm : currently skip any peer authentication */ | 233 | /* currently skip any peer authentication */ |
232 | curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0); | 234 | curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0); |
233 | curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0); | 235 | curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0); |
234 | 236 | ||
diff --git a/src/testcurl/https/mhds_session_info_test.c b/src/testcurl/https/mhds_session_info_test.c index 00ba949f..6064093c 100644 --- a/src/testcurl/https/mhds_session_info_test.c +++ b/src/testcurl/https/mhds_session_info_test.c | |||
@@ -128,7 +128,6 @@ query_session_ahc (void *cls, struct MHD_Connection *connection, | |||
128 | return -1; | 128 | return -1; |
129 | } | 129 | } |
130 | 130 | ||
131 | // TODO should these be hard coded into the server ? | ||
132 | if (MHDS_get_session_mac (connection) != GNUTLS_MAC_SHA1) | 131 | if (MHDS_get_session_mac (connection) != GNUTLS_MAC_SHA1) |
133 | { | 132 | { |
134 | fprintf (stderr, "Error: requested mac algorithm mismatch. %s\n", | 133 | fprintf (stderr, "Error: requested mac algorithm mismatch. %s\n", |
@@ -184,7 +183,9 @@ test_query_session () | |||
184 | return 2; | 183 | return 2; |
185 | 184 | ||
186 | c = curl_easy_init (); | 185 | c = curl_easy_init (); |
187 | //curl_easy_setopt (c, CURLOPT_VERBOSE, 1); | 186 | #ifdef DEBUG |
187 | curl_easy_setopt (c, CURLOPT_VERBOSE, 1); | ||
188 | #endif | ||
188 | curl_easy_setopt (c, CURLOPT_URL, url); | 189 | curl_easy_setopt (c, CURLOPT_URL, url); |
189 | curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); | 190 | curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); |
190 | curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); | 191 | curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); |