X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssl.c;h=1f2ef6a01deff74fee8871670a9b45384fc0c69d;hb=18d8a6a0b45e622bf18af3be30f1c60c2e1022e8;hp=4224c1de08f152d93922dc4eda09c8b03480f98e;hpb=2c6c929ab58c137bdf09f8372cb36c0632ecd2ed;p=umurmur.git

diff --git a/src/ssl.c b/src/ssl.c
index 4224c1d..1f2ef6a 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1,5 +1,5 @@
-/* Copyright (C) 2009-2010, Martin Johansson <martin@fatbob.nu>
-   Copyright (C) 2005-2010, Thorvald Natvig <thorvald@natvig.com>
+/* Copyright (C) 2009-2011, Martin Johansson <martin@fatbob.nu>
+   Copyright (C) 2005-2011, Thorvald Natvig <thorvald@natvig.com>
 
    All rights reserved.
 
@@ -46,8 +46,6 @@
 #include <polarssl/ssl.h>
 #include <polarssl/net.h>
 
-#define CA_CRT_FILENAME "ca.crt"
-
 int ciphers[] =
 {
     SSL_EDH_RSA_AES_256_SHA,
@@ -87,10 +85,6 @@ static void initTestCert()
 					   strlen(test_srv_crt));	
 	if (rc != 0)
 		Log_fatal("Could not parse built-in test certificate");
-	rc = x509parse_crt(&certificate, (unsigned char *)test_ca_crt,
-					   strlen(test_ca_crt));
-	if (rc != 0)
-		Log_fatal("Could not parse built-in test CA certificate");
 }
 
 static void initTestKey()
@@ -104,6 +98,7 @@ static void initTestKey()
 }
 
 /*
+ * How to generate a self-signed cert with openssl:
  * openssl genrsa 1024 > host.key
  * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
  */
@@ -111,7 +106,6 @@ static void initCert()
 {
 	int rc;
 	char *crtfile = (char *)getStrConf(CERTIFICATE);
-	char *ca_file, *p;
 	
 	if (crtfile == NULL) {
 		Log_warn("No certificate file specified");
@@ -124,31 +118,6 @@ static void initCert()
 		initTestCert();
 		return;
 	}
-	
-	/* Look for CA certificate file in same dir */
-	ca_file = malloc(strlen(crtfile) + strlen(CA_CRT_FILENAME) + 1);
-	strcpy(ca_file, crtfile);
-	p = strrchr(ca_file, '/');
-	if (p != NULL)
-		strcpy(p + 1, CA_CRT_FILENAME);
-	else
-		strcpy(ca_file, CA_CRT_FILENAME);
-	
-	rc = x509parse_crtfile(&certificate, ca_file);
-	if (rc != 0) { /* No CA certifiacte found. Assume self-signed. */
-		Log_info("CA certificate file %s not found. Assuming self-signed certificate.", ca_file);
-	}
-	
-	/*
-	 * PolarSSL 0.11 - 0.12,1 has a bug; it ignores the last certificate in the chain.
-	 * Read the certificate again so that it gets last in chain. Later releases like 0.14.0 works
-	 * fine with the extra certificate, so I don't see any harm in doing so.
-	 */
-	rc = x509parse_crtfile(&certificate, crtfile);
-	if (rc != 0)
-		Log_fatal("Could not read certificate file %s", crtfile);
-	
-	free(ca_file);
 }
 
 static void initKey()
@@ -172,6 +141,8 @@ static void pssl_debug(void *ctx, int level, const char *str)
 
 void SSLi_init(void)
 {
+	char verstring[12];
+	
 	initCert();
 	if (builtInTestCertificate) {
 		Log_warn("*** Using built-in test certificate and RSA key ***");
@@ -181,7 +152,13 @@ void SSLi_init(void)
 	else
 		initKey();
     havege_init(&hs);
+    
+#ifdef POLARSSL_VERSION_MAJOR
+    version_get_string(verstring);
+    Log_info("PolarSSL library version %s initialized", verstring);
+#else
 	Log_info("PolarSSL library initialized");
+#endif
 }
 
 void SSLi_deinit(void)
@@ -208,18 +185,21 @@ SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready)
 		Log_fatal("Failed to initalize: %d", rc);
 	
 	ssl_set_endpoint(ssl, SSL_IS_SERVER);	
-    ssl_set_authmode(ssl, SSL_VERIFY_OPTIONAL);
+	ssl_set_authmode(ssl, SSL_VERIFY_NONE);
 
-    ssl_set_rng(ssl, havege_rand, &hs);
-    ssl_set_dbg(ssl, pssl_debug, NULL);
-    ssl_set_bio(ssl, net_recv, fd, net_send, fd);
+	ssl_set_rng(ssl, HAVEGE_RAND, &hs);
+	ssl_set_dbg(ssl, pssl_debug, NULL);
+	ssl_set_bio(ssl, net_recv, fd, net_send, fd);
 
-    ssl_set_ciphers(ssl, ciphers);
+#ifdef POLARSSL_API_V1
+	ssl_set_ciphersuites(ssl, ciphers);
+#else
+	ssl_set_ciphers(ssl, ciphers);
+#endif
     ssl_set_session(ssl, 0, 0, ssn);
 
-    ssl_set_ca_chain(ssl, certificate.next, NULL, NULL);
-    ssl_set_own_cert(ssl, &certificate, &key);
-    ssl_set_dh_param(ssl, my_dhm_P, my_dhm_G);
+	ssl_set_own_cert(ssl, &certificate, &key);
+	ssl_set_dh_param(ssl, my_dhm_P, my_dhm_G);
 
 	return ssl;
 }
@@ -230,7 +210,11 @@ int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready)
 	
 	rc = ssl_handshake(ssl);
 	if (rc != 0) {
+#ifdef POLARSSL_API_V1		
+		if (rc == POLARSSL_ERR_NET_WANT_READ || rc == POLARSSL_ERR_NET_WANT_WRITE) {
+#else
 		if (rc == POLARSSL_ERR_NET_TRY_AGAIN) {
+#endif
 			return 0;
 		} else {
 			Log_warn("SSL handshake failed: %d", rc);
@@ -244,8 +228,13 @@ int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready)
 int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len)
 {
 	int rc;
+
 	rc = ssl_read(ssl, buf, len);
+#ifdef POLARSSL_API_V1		
+	if (rc == POLARSSL_ERR_NET_WANT_READ)
+#else
 	if (rc == POLARSSL_ERR_NET_TRY_AGAIN)
+#endif
 		return SSLI_ERROR_WANT_READ;
 	return rc;
 }
@@ -253,8 +242,13 @@ int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len)
 int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len)
 {
 	int rc;
+	
 	rc = ssl_write(ssl, buf, len);
+#ifdef POLARSSL_API_V1		
+	if (rc == POLARSSL_ERR_NET_WANT_WRITE)
+#else
 	if (rc == POLARSSL_ERR_NET_TRY_AGAIN)
+#endif
 		return SSLI_ERROR_WANT_WRITE;
 	return rc;
 }