X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssl.c;h=354af85098f95c0ea60fedd1907c48090b6dbf18;hb=e834c977cc3dd0ffaf4433b0f267f3436151a82b;hp=9d82cac4fbb097bdd8ece12af9ace8d8eedc0d39;hpb=d604770cd57a7ad1ce7a49e2784ab5838847c2e0;p=umurmur.git

diff --git a/src/ssl.c b/src/ssl.c
index 9d82cac..354af85 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1,5 +1,5 @@
-/* Copyright (C) 2009-2010, Martin Johansson <martin@fatbob.nu>
-   Copyright (C) 2005-2010, Thorvald Natvig <thorvald@natvig.com>
+/* Copyright (C) 2009-2011, Martin Johansson <martin@fatbob.nu>
+   Copyright (C) 2005-2011, Thorvald Natvig <thorvald@natvig.com>
 
    All rights reserved.
 
@@ -64,6 +64,8 @@ int ciphers[] =
 };
 static x509_cert certificate;
 static rsa_context key;
+bool_t builtInTestCertificate;
+
 havege_state hs; /* exported to crypt.c */
 
 /* DH prime */
@@ -77,17 +79,51 @@ char *my_dhm_P =
 	"DEF409C08E8AC24D1732A6128D2220DC53";
 char *my_dhm_G = "4";
 
+static void initTestCert()
+{
+	int rc;
+	builtInTestCertificate = true;
+	rc = x509parse_crt(&certificate, (unsigned char *)test_srv_crt,
+					   strlen(test_srv_crt));	
+	if (rc != 0)
+		Log_fatal("Could not parse built-in test certificate");
+	rc = x509parse_crt(&certificate, (unsigned char *)test_ca_crt,
+					   strlen(test_ca_crt));
+	if (rc != 0)
+		Log_fatal("Could not parse built-in test CA certificate");
+}
+
+static void initTestKey()
+{
+	int rc;
+	
+	rc = x509parse_key(&key, (unsigned char *)test_srv_key,
+					   strlen(test_srv_key), NULL, 0);
+	if (rc != 0)
+		Log_fatal("Could not parse built-in test RSA key");
+}
+
+/*
+ * openssl genrsa 1024 > host.key
+ * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
+ */
 static void initCert()
 {
 	int rc;
 	char *crtfile = (char *)getStrConf(CERTIFICATE);
 	char *ca_file, *p;
 	
-	if (crtfile == NULL)
-		Log_fatal("No certificate file specified"); 
+	if (crtfile == NULL) {
+		Log_warn("No certificate file specified");
+		initTestCert();
+		return;
+	}
 	rc = x509parse_crtfile(&certificate, crtfile);
-	if (rc != 0)
-		Log_fatal("Could not read certificate file %s", crtfile);
+	if (rc != 0) {
+		Log_warn("Could not read certificate file %s", crtfile);
+		initTestCert();
+		return;
+	}
 	
 	/* Look for CA certificate file in same dir */
 	ca_file = malloc(strlen(crtfile) + strlen(CA_CRT_FILENAME) + 1);
@@ -101,14 +137,17 @@ static void initCert()
 	rc = x509parse_crtfile(&certificate, ca_file);
 	if (rc != 0) { /* No CA certifiacte found. Assume self-signed. */
 		Log_info("CA certificate file %s not found. Assuming self-signed certificate.", ca_file);
-		/*
-		 * Apparently PolarSSL needs to read something more into certificate chain.
-		 * Doesn't seem to matter what. Read own certificate again.
-		 */
-		rc = x509parse_crtfile(&certificate, crtfile);
-		if (rc != 0)
-			Log_fatal("Could not read certificate file %s", crtfile);
 	}
+	
+	/*
+	 * PolarSSL 0.11 - 0.12,1 has a bug; it ignores the last certificate in the chain.
+	 * Read the certificate again so that it gets last in chain. Later releases like 0.14.0 works
+	 * fine with the extra certificate, so I don't see any harm in doing so.
+	 */
+	rc = x509parse_crtfile(&certificate, crtfile);
+	if (rc != 0)
+		Log_fatal("Could not read certificate file %s", crtfile);
+	
 	free(ca_file);
 }
 
@@ -116,7 +155,7 @@ static void initKey()
 {
 	int rc;
 	char *keyfile = (char *)getStrConf(KEY);
-	
+
 	if (keyfile == NULL)
 		Log_fatal("No key file specified"); 
 	rc = x509parse_keyfile(&key, keyfile, NULL);
@@ -125,7 +164,7 @@ static void initKey()
 }
 
 #define DEBUG_LEVEL 0
-static void pssl_debug(void *ctx, int level, char *str)
+static void pssl_debug(void *ctx, int level, const char *str)
 {
     if (level <= DEBUG_LEVEL)
 		Log_debug("PolarSSL [level %d]: %s", level, str);
@@ -134,7 +173,13 @@ static void pssl_debug(void *ctx, int level, char *str)
 void SSLi_init(void)
 {
 	initCert();
-	initKey();
+	if (builtInTestCertificate) {
+		Log_warn("*** Using built-in test certificate and RSA key ***");
+		Log_warn("*** This is not secure! Please use a CA-signed certificate or create a self-signed certificate ***");
+		initTestKey();
+	}
+	else
+		initKey();
     havege_init(&hs);
 	Log_info("PolarSSL library initialized");
 }
@@ -169,7 +214,7 @@ SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready)
     ssl_set_dbg(ssl, pssl_debug, NULL);
     ssl_set_bio(ssl, net_recv, fd, net_send, fd);
 
-    ssl_set_ciphers(ssl, ciphers);
+    ssl_set_ciphersuites(ssl, ciphers);
     ssl_set_session(ssl, 0, 0, ssn);
 
     ssl_set_ca_chain(ssl, certificate.next, NULL, NULL);
@@ -185,7 +230,7 @@ int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready)
 	
 	rc = ssl_handshake(ssl);
 	if (rc != 0) {
-		if (rc == POLARSSL_ERR_NET_TRY_AGAIN) {
+		if (rc == POLARSSL_ERR_NET_WANT_READ || rc == POLARSSL_ERR_NET_WANT_WRITE) {
 			return 0;
 		} else {
 			Log_warn("SSL handshake failed: %d", rc);
@@ -200,7 +245,7 @@ int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len)
 {
 	int rc;
 	rc = ssl_read(ssl, buf, len);
-	if (rc == POLARSSL_ERR_NET_TRY_AGAIN)
+	if (rc == POLARSSL_ERR_NET_WANT_READ)
 		return SSLI_ERROR_WANT_READ;
 	return rc;
 }
@@ -209,7 +254,7 @@ int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len)
 {
 	int rc;
 	rc = ssl_write(ssl, buf, len);
-	if (rc == POLARSSL_ERR_NET_TRY_AGAIN)
+	if (rc == POLARSSL_ERR_NET_WANT_WRITE)
 		return SSLI_ERROR_WANT_WRITE;
 	return rc;
 }