
Source code changes of the file "src/tls_gnutls.c" between
ircd-hybrid-8.2.27.tgz and ircd-hybrid-8.2.28.tgz

About: IRCD-Hybrid is an Internet Relay Chat server.

tls_gnutls.c  (ircd-hybrid-8.2.27.tgz):tls_gnutls.c  (ircd-hybrid-8.2.28.tgz)
skipping to change at line 26 skipping to change at line 26
* GNU General Public License for more details. * GNU General Public License for more details.
* *
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software * along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
* USA * USA
*/ */
/*! \file tls_gnutls.c /*! \file tls_gnutls.c
* \brief Includes all GnuTLS-specific TLS functions * \brief Includes all GnuTLS-specific TLS functions
* \version $Id: tls_gnutls.c 9164 2020-01-18 13:01:17Z michael $ * \version $Id: tls_gnutls.c 9223 2020-01-26 11:35:22Z michael $
*/ */
#include "stdinc.h" #include "stdinc.h"
#include "tls.h" #include "tls.h"
#include "conf.h" #include "conf.h"
#include "log.h" #include "log.h"
#include "misc.h" #include "misc.h"
#include "memory.h" #include "memory.h"
#ifdef HAVE_TLS_GNUTLS #ifdef HAVE_TLS_GNUTLS
skipping to change at line 61 skipping to change at line 61
{ {
return TLS_initialized; return TLS_initialized;
} }
void void
tls_init(void) tls_init(void)
{ {
} }
static void static void
tls_free_cred(tls_context_t cred) tls_free_credentials(tls_context_t cred)
{ {
gnutls_priority_deinit(cred->priorities); gnutls_priority_deinit(cred->priorities);
gnutls_dh_params_deinit(cred->dh_params); gnutls_dh_params_deinit(cred->dh_params);
gnutls_certificate_free_credentials(cred->x509_cred); gnutls_certificate_free_credentials(cred->x509_cred);
gnutls_global_deinit(); gnutls_global_deinit();
xfree(cred); xfree(cred);
} }
bool bool
tls_new_cred(void) tls_new_credentials(void)
{ {
int ret;
struct gnutls_context *context; struct gnutls_context *context;
TLS_initialized = false; TLS_initialized = false;
if (!ConfigServerInfo.tls_certificate_file || !ConfigServerInfo.rsa_private_ke y_file) if (ConfigServerInfo.tls_certificate_file == NULL || ConfigServerInfo.rsa_priv ate_key_file == NULL)
return true; return true;
context = xcalloc(sizeof(*context)); context = xcalloc(sizeof(*context));
gnutls_global_init(); int ret = gnutls_global_init();
if (ret != GNUTLS_E_SUCCESS)
{
ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize GnuTLS library -- %s", gnut
ls_strerror(ret));
xfree(context);
return false;
}
ret = gnutls_certificate_allocate_credentials(&context->x509_cred); ret = gnutls_certificate_allocate_credentials(&context->x509_cred);
if (ret != GNUTLS_E_SUCCESS) if (ret != GNUTLS_E_SUCCESS)
{ {
ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the TLS credentials -- %s", gnutls_strerror(ret)); ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the TLS credentials -- %s", gnutls_strerror(ret));
xfree(context); xfree(context);
return false; return false;
} }
/* TBD: set ciphers based on serverinfo::tls_cipher_list */ /* TBD: set ciphers based on serverinfo::tls_cipher_list */
skipping to change at line 152 skipping to change at line 157
ConfigServerInfo.message_digest_algorithm = gnutls_digest_get_id(ConfigServe rInfo.tls_message_digest_algorithm); ConfigServerInfo.message_digest_algorithm = gnutls_digest_get_id(ConfigServe rInfo.tls_message_digest_algorithm);
if (ConfigServerInfo.message_digest_algorithm == GNUTLS_DIG_UNKNOWN) if (ConfigServerInfo.message_digest_algorithm == GNUTLS_DIG_UNKNOWN)
{ {
ConfigServerInfo.message_digest_algorithm = GNUTLS_DIG_SHA256; ConfigServerInfo.message_digest_algorithm = GNUTLS_DIG_SHA256;
ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_message_digest_algorithm -- unknown message digest algorithm"); ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::tls_message_digest_algorithm -- unknown message digest algorithm");
} }
} }
if (ConfigServerInfo.tls_ctx && --ConfigServerInfo.tls_ctx->refs == 0) if (ConfigServerInfo.tls_ctx && --ConfigServerInfo.tls_ctx->refs == 0)
tls_free_cred(ConfigServerInfo.tls_ctx); tls_free_credentials(ConfigServerInfo.tls_ctx);
ConfigServerInfo.tls_ctx = context; ConfigServerInfo.tls_ctx = context;
++context->refs; ++context->refs;
TLS_initialized = true; TLS_initialized = true;
return true; return true;
} }
const char * const char *
tls_get_cipher(const tls_data_t *tls_data) tls_get_cipher(const tls_data_t *tls_data)
skipping to change at line 247 skipping to change at line 252
return length; return length;
} }
void void
tls_shutdown(tls_data_t *tls_data) tls_shutdown(tls_data_t *tls_data)
{ {
gnutls_bye(tls_data->session, GNUTLS_SHUT_WR); gnutls_bye(tls_data->session, GNUTLS_SHUT_WR);
if (--tls_data->context->refs == 0) if (--tls_data->context->refs == 0)
tls_free_cred(tls_data->context); tls_free_credentials(tls_data->context);
} }
bool bool
tls_new(tls_data_t *tls_data, int fd, tls_role_t role) tls_new(tls_data_t *tls_data, int fd, tls_role_t role)
{ {
if (TLS_initialized == false) if (TLS_initialized == false)
return false; return false;
gnutls_init(&tls_data->session, role == TLS_ROLE_SERVER ? GNUTLS_SERVER : GNUT LS_CLIENT); gnutls_init(&tls_data->session, role == TLS_ROLE_SERVER ? GNUTLS_SERVER : GNUT LS_CLIENT);
skipping to change at line 276 skipping to change at line 281
if (role == TLS_ROLE_SERVER) if (role == TLS_ROLE_SERVER)
/* Request client certificate if any. */ /* Request client certificate if any. */
gnutls_certificate_server_set_request(tls_data->session, GNUTLS_CERT_REQUEST ); gnutls_certificate_server_set_request(tls_data->session, GNUTLS_CERT_REQUEST );
return true; return true;
} }
bool bool
tls_set_ciphers(tls_data_t *tls_data, const char *cipher_list) tls_set_ciphers(tls_data_t *tls_data, const char *cipher_list)
{ {
int ret;
const char *prioerror; const char *prioerror;
gnutls_priority_deinit(tls_data->context->priorities); gnutls_priority_deinit(tls_data->context->priorities);
ret = gnutls_priority_init(&tls_data->context->priorities, cipher_list, &prioe rror); int ret = gnutls_priority_init(&tls_data->context->priorities, cipher_list, &p rioerror);
if (ret != GNUTLS_E_SUCCESS) if (ret != GNUTLS_E_SUCCESS)
{ {
/* GnuTLS did not understand the user supplied string, log and fall back to the default priorities */ /* GnuTLS did not understand the user supplied string, log and fall back to the default priorities */
ilog(LOG_TYPE_IRCD, "Failed to set GnuTLS priorities to \"%s\": %s Syntax er ror at position %u, falling back to default %", ilog(LOG_TYPE_IRCD, "Failed to set GnuTLS priorities to \"%s\": %s Syntax er ror at position %u, falling back to default %",
cipher_list, gnutls_strerror(ret), (unsigned int)(prioerror - cipher_li st), tls_default_priority_string); cipher_list, gnutls_strerror(ret), (unsigned int)(prioerror - cipher_li st), tls_default_priority_string);
gnutls_priority_init(&tls_data->context->priorities, tls_default_priority_st ring, NULL); gnutls_priority_init(&tls_data->context->priorities, tls_default_priority_st ring, NULL);
return false; return false;
} }
return true; return true;
skipping to change at line 325 skipping to change at line 329
const char *error = gnutls_strerror(ret); const char *error = gnutls_strerror(ret);
if (errstr) if (errstr)
*errstr = error; *errstr = error;
return TLS_HANDSHAKE_ERROR; return TLS_HANDSHAKE_ERROR;
} }
} }
bool bool
tls_verify_cert(tls_data_t *tls_data, tls_md_t digest, char **fingerprint) tls_verify_certificate(tls_data_t *tls_data, tls_md_t digest, char **fingerprint )
{ {
int ret;
gnutls_x509_crt_t cert; gnutls_x509_crt_t cert;
const gnutls_datum_t *cert_list;
unsigned char digestbuf[TLS_GNUTLS_MAX_HASH_SIZE]; unsigned char digestbuf[TLS_GNUTLS_MAX_HASH_SIZE];
size_t digest_size = sizeof(digestbuf); size_t digest_size = sizeof(digestbuf);
char buf[TLS_GNUTLS_MAX_HASH_SIZE * 2 + 1]; char buf[TLS_GNUTLS_MAX_HASH_SIZE * 2 + 1];
cert_list = gnutls_certificate_get_peers(tls_data->session, NULL); const gnutls_datum_t *cert_list = gnutls_certificate_get_peers(tls_data->sessi on, NULL);
if (cert_list == NULL) if (cert_list == NULL)
return true; /* No certificate */ return true; /* No certificate */
ret = gnutls_x509_crt_init(&cert); int ret = gnutls_x509_crt_init(&cert);
if (ret != GNUTLS_E_SUCCESS) if (ret != GNUTLS_E_SUCCESS)
return true; return true;
ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER); ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
if (ret != GNUTLS_E_SUCCESS) if (ret != GNUTLS_E_SUCCESS)
goto info_done_dealloc; goto info_done_dealloc;
ret = gnutls_x509_crt_get_fingerprint(cert, digest, digestbuf, &digest_size); ret = gnutls_x509_crt_get_fingerprint(cert, digest, digestbuf, &digest_size);
if (ret != GNUTLS_E_SUCCESS) if (ret != GNUTLS_E_SUCCESS)
goto info_done_dealloc; goto info_done_dealloc;
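Review bot: The fallback log line in tls_set_ciphers ends its format string with a lone `%` (`falling back to default %"`), so the `tls_default_priority_string` argument that follows is never consumed and a trailing conversion specifier is undefined behaviour for a printf-style ilog; assuming the page rendering did not drop a character, it should read `falling back to default %s"`. The fallback `gnutls_priority_init(&tls_data->context->priorities, tls_default_priority_string, NULL)` on the next line is also unchecked, and since `gnutls_priority_deinit` was already called on that same pointer a few lines up, a failure there leaves `context->priorities` stale for every session sharing the context; it should log and return false on a non-GNUTLS_E_SUCCESS result as the first call does. Separately, in tls_new_credentials the new `gnutls_global_init()` error check is welcome, but the `gnutls_certificate_allocate_credentials` failure path just below it frees `context` without a matching `gnutls_global_deinit()`, unlike `tls_free_credentials`, so that path should become `gnutls_global_deinit(); xfree(context); return false;` to keep the init/deinit reference count balanced (any later error paths in that function lie outside the hunk).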
 End of changes. 15 change blocks. 
15 lines changed or deleted 18 lines changed or added
