X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd-alex.git;a=blobdiff_plain;f=src%2Fngircd%2Fconn-ssl.c;h=a97896758cc30c2f63724ab5396e797e064763da;hp=4156fb192a0b990c644f014c30848ab5d433db75;hb=51231ac8d45bf329f4724a145e6bc7a3ea118570;hpb=a919e02ba1670277fd5a501e8c112b7c5e9771ac diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index 4156fb19..a9789675 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -61,7 +61,7 @@ static gnutls_dh_params_t dh_params; static bool ConnSSL_LoadServerKey_gnutls PARAMS(( void )); #endif -#define CERTFP_LEN (20 * 2 + 1) +#define SHA1_STRING_LEN (20 * 2 + 1) static bool ConnSSL_Init_SSL PARAMS(( CONNECTION *c )); static int ConnectAccept PARAMS(( CONNECTION *c, bool connect )); @@ -285,8 +285,10 @@ ConnSSL_InitLibrary( void ) if (!RAND_status()) { Log(LOG_ERR, "OpenSSL PRNG not seeded: /dev/urandom missing?"); /* - * it is probably best to fail and let the user install EGD or a similar program if no kernel random device is available. - * According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7"; + * it is probably best to fail and let the user install EGD or + * a similar program if no kernel random device is available. + * According to OpenSSL RAND_egd(3): "The automatic query of + * /var/run/egd-pool et al was added in OpenSSL 0.9.7"; * so it makes little sense to deal with PRNGD seeding ourselves. */ array_free(&Conf_SSLOptions.ListenPorts); @@ -303,9 +305,23 @@ ConnSSL_InitLibrary( void ) if (!ConnSSL_LoadServerKey_openssl(newctx)) goto out; + if(Conf_SSLOptions.CipherList && *Conf_SSLOptions.CipherList) { + if(SSL_CTX_set_cipher_list(newctx, Conf_SSLOptions.CipherList) == 0 ) { + Log(LOG_ERR, + "Failed to apply SSL cipher list \"%s\"!", + Conf_SSLOptions.CipherList); + goto out; + } else { + Log(LOG_INFO, + "Successfully applied SSL cipher list: \"%s\".", + Conf_SSLOptions.CipherList); + } + } + SSL_CTX_set_options(newctx, SSL_OP_SINGLE_DH_USE|SSL_OP_NO_SSLv2); SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE); - SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, Verify_openssl); + SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, + Verify_openssl); SSL_CTX_free(ssl_ctx); ssl_ctx = newctx; Log(LOG_INFO, "%s initialized.", SSLeay_version(SSLEAY_VERSION)); @@ -318,12 +334,25 @@ out: #ifdef HAVE_LIBGNUTLS int err; static bool initialized; - if (initialized) /* TODO: cannot reload gnutls keys: can't simply free x509 context -- it may still be in use */ + + if (initialized) { + /* TODO: cannot reload gnutls keys: can't simply free x509 + * context -- it may still be in use */ return false; + } + + if(Conf_SSLOptions.CipherList != NULL) { + Log(LOG_ERR, + "Failed to apply SSL cipher list \"%s\": Not implemented for GnuTLS!", + Conf_SSLOptions.CipherList); + array_free(&Conf_SSLOptions.ListenPorts); + return false; + } err = gnutls_global_init(); if (err) { - Log(LOG_ERR, "Failed to initialize GnuTLS: %s", gnutls_strerror(err)); + Log(LOG_ERR, "Failed to initialize GnuTLS: %s", + gnutls_strerror(err)); array_free(&Conf_SSLOptions.ListenPorts); return false; } @@ -331,6 +360,7 @@ out: array_free(&Conf_SSLOptions.ListenPorts); return false; } + Log(LOG_INFO, "GnuTLS %s initialized.", gnutls_check_version(NULL)); initialized = true; return true; @@ -360,7 +390,7 @@ ConnSSL_LoadServerKey_gnutls(void) if (array_bytes(&Conf_SSLOptions.KeyFilePassword)) Log(LOG_WARNING, - "Ignoring KeyFilePassword: Not supported by GnuTLS."); + "Ignoring SSL \"KeyFilePassword\": Not supported by GnuTLS."); if (!Load_DH_params()) return false; @@ -430,7 +460,10 @@ static bool ConnSSL_Init_SSL(CONNECTION *c) { int ret; + + LogDebug("Initializing SSL ..."); assert(c != NULL); + #ifdef HAVE_LIBSSL if (!ssl_ctx) { Log(LOG_ERR, @@ -445,6 +478,7 @@ ConnSSL_Init_SSL(CONNECTION *c) LogOpenSSLError("Failed to create SSL structure", NULL); return false; } + Conn_OPTION_ADD(c, CONN_SSL); ret = SSL_set_fd(c->ssl_state.ssl, c->sock); if (ret != 1) { @@ -454,8 +488,9 @@ ConnSSL_Init_SSL(CONNECTION *c) } #endif #ifdef HAVE_LIBGNUTLS + Conn_OPTION_ADD(c, CONN_SSL); ret = gnutls_set_default_priority(c->ssl_state.gnutls_session); - if (ret < 0) { + if (ret != 0) { Log(LOG_ERR, "Failed to set GnuTLS default priority: %s", gnutls_strerror(ret)); ConnSSL_Free(c); @@ -467,17 +502,20 @@ ConnSSL_Init_SSL(CONNECTION *c) * There doesn't seem to be an alternate GNUTLS API we could use instead, see e.g. * http://www.mail-archive.com/help-gnutls@gnu.org/msg00286.html */ - gnutls_transport_set_ptr(c->ssl_state.gnutls_session, (gnutls_transport_ptr_t) (long) c->sock); - gnutls_certificate_server_set_request(c->ssl_state.gnutls_session, GNUTLS_CERT_REQUEST); - ret = gnutls_credentials_set(c->ssl_state.gnutls_session, GNUTLS_CRD_CERTIFICATE, x509_cred); - if (ret < 0) { - Log(LOG_ERR, "Failed to set SSL credentials: %s", gnutls_strerror(ret)); + gnutls_transport_set_ptr(c->ssl_state.gnutls_session, + (gnutls_transport_ptr_t) (long) c->sock); + gnutls_certificate_server_set_request(c->ssl_state.gnutls_session, + GNUTLS_CERT_REQUEST); + ret = gnutls_credentials_set(c->ssl_state.gnutls_session, + GNUTLS_CRD_CERTIFICATE, x509_cred); + if (ret != 0) { + Log(LOG_ERR, "Failed to set SSL credentials: %s", + gnutls_strerror(ret)); ConnSSL_Free(c); return false; } gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN); #endif - Conn_OPTION_ADD(c, CONN_SSL); return true; } @@ -645,7 +683,6 @@ ConnSSL_Accept( CONNECTION *c ) return false; } #endif - LogDebug("Initializing SSL data ..."); if (!ConnSSL_Init_SSL(c)) return -1; } @@ -723,7 +760,7 @@ ConnSSL_InitCertFp( CONNECTION *c ) assert(c->ssl_state.fingerprint == NULL); - c->ssl_state.fingerprint = malloc(CERTFP_LEN); + c->ssl_state.fingerprint = malloc(SHA1_STRING_LEN); if (!c->ssl_state.fingerprint) return 0; @@ -858,7 +895,7 @@ bool ConnSSL_SetCertFp(CONNECTION *c, const char *fingerprint) { assert (c != NULL); - c->ssl_state.fingerprint = strdup(fingerprint); + c->ssl_state.fingerprint = strndup(fingerprint, SHA1_STRING_LEN - 1); return c->ssl_state.fingerprint != NULL; } #else