X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssl.c;h=4224c1de08f152d93922dc4eda09c8b03480f98e;hb=454ad122eb158b4391e2690fe6a7e127d24c525b;hp=9d82cac4fbb097bdd8ece12af9ace8d8eedc0d39;hpb=d604770cd57a7ad1ce7a49e2784ab5838847c2e0;p=umurmur.git diff --git a/src/ssl.c b/src/ssl.c index 9d82cac..4224c1d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -64,6 +64,8 @@ int ciphers[] = }; static x509_cert certificate; static rsa_context key; +bool_t builtInTestCertificate; + havege_state hs; /* exported to crypt.c */ /* DH prime */ @@ -77,17 +79,51 @@ char *my_dhm_P = "DEF409C08E8AC24D1732A6128D2220DC53"; char *my_dhm_G = "4"; +static void initTestCert() +{ + int rc; + builtInTestCertificate = true; + rc = x509parse_crt(&certificate, (unsigned char *)test_srv_crt, + strlen(test_srv_crt)); + if (rc != 0) + Log_fatal("Could not parse built-in test certificate"); + rc = x509parse_crt(&certificate, (unsigned char *)test_ca_crt, + strlen(test_ca_crt)); + if (rc != 0) + Log_fatal("Could not parse built-in test CA certificate"); +} + +static void initTestKey() +{ + int rc; + + rc = x509parse_key(&key, (unsigned char *)test_srv_key, + strlen(test_srv_key), NULL, 0); + if (rc != 0) + Log_fatal("Could not parse built-in test RSA key"); +} + +/* + * openssl genrsa 1024 > host.key + * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert + */ static void initCert() { int rc; char *crtfile = (char *)getStrConf(CERTIFICATE); char *ca_file, *p; - if (crtfile == NULL) - Log_fatal("No certificate file specified"); + if (crtfile == NULL) { + Log_warn("No certificate file specified"); + initTestCert(); + return; + } rc = x509parse_crtfile(&certificate, crtfile); - if (rc != 0) - Log_fatal("Could not read certificate file %s", crtfile); + if (rc != 0) { + Log_warn("Could not read certificate file %s", crtfile); + initTestCert(); + return; + } /* Look for CA certificate file in same dir */ ca_file = malloc(strlen(crtfile) + strlen(CA_CRT_FILENAME) + 1); @@ -101,14 +137,17 @@ static void initCert() rc = x509parse_crtfile(&certificate, ca_file); if (rc != 0) { /* No CA certifiacte found. Assume self-signed. */ Log_info("CA certificate file %s not found. Assuming self-signed certificate.", ca_file); - /* - * Apparently PolarSSL needs to read something more into certificate chain. - * Doesn't seem to matter what. Read own certificate again. - */ - rc = x509parse_crtfile(&certificate, crtfile); - if (rc != 0) - Log_fatal("Could not read certificate file %s", crtfile); } + + /* + * PolarSSL 0.11 - 0.12,1 has a bug; it ignores the last certificate in the chain. + * Read the certificate again so that it gets last in chain. Later releases like 0.14.0 works + * fine with the extra certificate, so I don't see any harm in doing so. + */ + rc = x509parse_crtfile(&certificate, crtfile); + if (rc != 0) + Log_fatal("Could not read certificate file %s", crtfile); + free(ca_file); } @@ -116,7 +155,7 @@ static void initKey() { int rc; char *keyfile = (char *)getStrConf(KEY); - + if (keyfile == NULL) Log_fatal("No key file specified"); rc = x509parse_keyfile(&key, keyfile, NULL); @@ -125,7 +164,7 @@ static void initKey() } #define DEBUG_LEVEL 0 -static void pssl_debug(void *ctx, int level, char *str) +static void pssl_debug(void *ctx, int level, const char *str) { if (level <= DEBUG_LEVEL) Log_debug("PolarSSL [level %d]: %s", level, str); @@ -134,7 +173,13 @@ static void pssl_debug(void *ctx, int level, char *str) void SSLi_init(void) { initCert(); - initKey(); + if (builtInTestCertificate) { + Log_warn("*** Using built-in test certificate and RSA key ***"); + Log_warn("*** This is not secure! Please use a CA-signed certificate or create a self-signed certificate ***"); + initTestKey(); + } + else + initKey(); havege_init(&hs); Log_info("PolarSSL library initialized"); }