X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssl.c;h=9c5236ec6815dff9d70f16890e1d5c973b436b7f;hb=b95d77db3f58c300c5e0a9c11862a4ba529ce82b;hp=e7a53a21d55810354c48d814a52ed58472033a10;hpb=fc3918dc9bc7153ba7ec938aad57a6060ce33e5c;p=umurmur.git diff --git a/src/ssl.c b/src/ssl.c index e7a53a2..9c5236e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -30,6 +30,7 @@ */ #include #include +#include #include "conf.h" #include "log.h" @@ -67,7 +68,11 @@ static x509_cert certificate; static rsa_context key; bool_t builtInTestCertificate; -havege_state hs; /* exported to crypt.c */ +#ifdef USE_POLARSSL_HAVEGE +havege_state hs; +#else +int urandom_fd; +#endif /* DH prime */ char *my_dhm_P = @@ -80,6 +85,7 @@ char *my_dhm_P = "DEF409C08E8AC24D1732A6128D2220DC53"; char *my_dhm_G = "4"; +#ifdef USE_POLARSSL_TESTCERT static void initTestCert() { int rc; @@ -99,6 +105,7 @@ static void initTestKey() if (rc != 0) Log_fatal("Could not parse built-in test RSA key"); } +#endif /* * How to generate a self-signed cert with openssl: @@ -111,14 +118,22 @@ static void initCert() char *crtfile = (char *)getStrConf(CERTIFICATE); if (crtfile == NULL) { - Log_warn("No certificate file specified"); +#ifdef USE_POLARSSL_TESTCERT + Log_warn("No certificate file specified. Falling back to test certificate."); initTestCert(); +#else + Log_fatal("No certificate file specified"); +#endif return; } rc = x509parse_crtfile(&certificate, crtfile); if (rc != 0) { - Log_warn("Could not read certificate file %s", crtfile); +#ifdef USE_POLARSSL_TESTCERT + Log_warn("Could not read certificate file '%s'. Falling back to test certificate.", crtfile); initTestCert(); +#else + Log_fatal("Could not read certificate file '%s'", crtfile); +#endif return; } } @@ -135,6 +150,20 @@ static void initKey() Log_fatal("Could not read RSA key file %s", keyfile); } +#ifndef USE_POLARSSL_HAVEGE +int urandom_bytes(void *ctx, unsigned char *dest, size_t len) +{ + int cur; + + while (len) { + cur = read(urandom_fd, dest, len); + if (cur < 0) + continue; + len -= cur; + } +} +#endif + #define DEBUG_LEVEL 0 static void pssl_debug(void *ctx, int level, const char *str) { @@ -147,14 +176,27 @@ void SSLi_init(void) char verstring[12]; initCert(); +#ifdef USE_POLARSSL_TESTCERT if (builtInTestCertificate) { Log_warn("*** Using built-in test certificate and RSA key ***"); - Log_warn("*** This is not secure! Please use a CA-signed certificate or create a self-signed certificate ***"); + Log_warn("*** This is not secure! Please use a CA-signed certificate or create a key and self-signed certificate ***"); initTestKey(); } else initKey(); +#else + initKey(); +#endif + + /* Initialize random number generator */ +#ifdef USE_POLARSSL_HAVEGE havege_init(&hs); +#else + urandom_fd = open("/dev/urandom", O_RDONLY); + if (urandom_fd < 0) + Log_fatal("Cannot open /dev/urandom"); + Log_info("Using random number generator /dev/urandom"); +#endif #ifdef POLARSSL_VERSION_MAJOR version_get_string(verstring); @@ -173,7 +215,7 @@ void SSLi_deinit(void) /* Create SHA1 of last certificate in the peer's chain. */ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash) { - x509_cert *cert; + x509_cert const *cert; #ifdef POLARSSL_API_V1_2 cert = ssl_get_peer_cert(ssl); #else @@ -201,12 +243,17 @@ SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready) rc = ssl_init(ssl); if (rc != 0 ) - Log_fatal("Failed to initalize: %d", rc); + Log_fatal("Failed to initialize: %d", rc); ssl_set_endpoint(ssl, SSL_IS_SERVER); ssl_set_authmode(ssl, SSL_VERIFY_OPTIONAL); - + +#ifdef USE_POLARSSL_HAVEGE ssl_set_rng(ssl, HAVEGE_RAND, &hs); +#else + ssl_set_rng(ssl, urandom_bytes, NULL); +#endif + ssl_set_dbg(ssl, pssl_debug, NULL); ssl_set_bio(ssl, net_recv, fd, net_send, fd);